As per upstream advisory: With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter). The attack has been made impossible by refusing to work with under-specified credential patterns.
Acknowledgments: Name: the Git project Upstream: Carlo Arenas
Created attachment 1680338 [details] Upstream patch
Statement: Red Hat Enterprise Linux 6 is not affected by this flaw as the vulnerable version of git, version 1.7.9-rc0 and later, was never made available for this product.
Mitigation: The most complete workaround is to disable credential helpers altogether: ~~~ git config --unset credential.helper git config --global --unset credential.helper git config --system --unset credential.helper ~~~ An alternative is to avoid malicious URLs: 1. Examine the hostname and username portion of URLs fed to git clone or git fetch for the presence of encoded newlines (%0A) or syntactic oddities (e.g., http:///host with three slashes). 2. Avoid using submodules with untrusted repositories (don't use git clone --recurse-submodules; use git submodule update only after examining the URLs found in .gitmodules). 3. Avoid tools which may run git clone on untrusted URLs under the hood. 4. Avoid using the credential helper by only cloning publicly available repositories.
Created git tracking bugs for this issue: Affects: fedora-all [bug 1826130]
Upstream commit: https://github.com/git/git/compare/v2.17.4...v2.17.5
External References: https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7 https://lore.kernel.org/git/xmqq4kterq5s.fsf@gitster.c.googlers.com/
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:1975 https://access.redhat.com/errata/RHSA-2020:1975
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11008
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:1979 https://access.redhat.com/errata/RHSA-2020:1979
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:1978 https://access.redhat.com/errata/RHSA-2020:1978
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1980 https://access.redhat.com/errata/RHSA-2020:1980
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2337 https://access.redhat.com/errata/RHSA-2020:2337
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:3581 https://access.redhat.com/errata/RHSA-2020:3581