As per upstream security advisory: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol.
Acknowledgments: Name: the Git project Upstream: Felix Wilhelm (Google project zero)
Created attachment 1677136 [details] Upstream patch-set
Statement: Red Hat Enterprise Linux 6 is not affected by this flaw as the vulnerable version of git, version 1.7.9-rc0 and later, was never packaged for this instance of RHEL.
Upstream patch: https://github.com/git/git/compare/v2.17.3...v2.17.4
External References: https://lore.kernel.org/git/xmqqy2qy7xn8.fsf@gitster.c.googlers.com/ https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
Created git tracking bugs for this issue: Affects: fedora-all [bug 1824020]
Mitigation: The most complete workaround is to disable credential helpers altogether: ~~~ git config --unset credential.helper git config --global --unset credential.helper git config --system --unset credential.helper ~~~ An alternative is to avoid malicious URLs: 1. Examine the hostname and username portion of URLs fed to git clone for the presence of encoded newlines (%0a) or evidence of credential-protocol injections (e.g., host=github.com) 2. Avoid using submodules with untrusted repositories (don't use clone --recurse-submodules; use git submodule update only after examining the URLs found in .gitmodules) 3. Avoid tools which may run git clone on untrusted URLs under the hood
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:1503 https://access.redhat.com/errata/RHSA-2020:1503
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-5260
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1511 https://access.redhat.com/errata/RHSA-2020:1511
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:1518 https://access.redhat.com/errata/RHSA-2020:1518
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1513 https://access.redhat.com/errata/RHSA-2020:1513
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:3581 https://access.redhat.com/errata/RHSA-2020:3581