Bug 2073414 (CVE-2022-24765) - CVE-2022-24765 git: On multi-user machines Git users might find themselves unexpectedly in a Git worktree
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-24765
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2078716 2078718 2078719 2078720
Blocks: 2073442
 
Reported: 2022-04-08 12:41 UTC by Pedro Sampaio
Modified: 2024-03-18 13:01 UTC

Fixed In Version: git-2.30.3, git-2.31.2, git-2.32.1, git-2.33.2, git-2.34.2, git-2.35.2, and git-2.36.0-rc2
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Git. This flaw occurs due to Git not checking the ownership of directories in a local multi-user system when running commands specified in the local repository configuration. This allows the owner of the repository to cause arbitrary commands to be executed by other users who access the repository.
Clone Of:
Environment:
Last Closed: 2023-05-16 14:31:42 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:2319 0 None None None 2023-05-09 07:28:36 UTC
Red Hat Product Errata RHSA-2023:2859 0 None None None 2023-05-16 08:20:41 UTC
Red Hat Product Errata RHSA-2024:0407 0 None None None 2024-01-24 16:41:21 UTC

Description Pedro Sampaio 2022-04-08 12:41:46 UTC
On multi-user machines, Git users might find themselves unexpectedly in
a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended
for all users and another user created a repository in `/scratch/.git`.
Merely having a Git-aware prompt that runs `git status` (or `git diff`)
and navigating to a directory which is supposedly not a Git worktree, or
opening such a directory in an editor or IDE such as VS Code or Atom, will
potentially run commands defined by that other user via `/scratch/.git/config`.

Comment 2 Todd Zullinger 2022-04-13 17:30:26 UTC
Per https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/ the issue has been fixed in git-2.30.3, git-2.31.2, git-2.32.1, git-2.33.2, git-2.34.2, git-2.35.2, and git-2.36.0-rc2.

I pushed 2.36.0.rc2 to rawhide late last night.  I'm going to wait just a bit before pushing any fixes to the stable releases.  I'd like to be more confident the changes don't cause major problems.  It could cause issue for CI workflows, for example.

Comment 3 Todd Zullinger 2022-04-14 02:19:54 UTC
New releases for each of the maintenance tracks have been made which add the ability to specify 'safe.directory=*' as a broad "escape hatch" from the changes.

https://lore.kernel.org/git/xmqq1qy04iqa.fsf@gitster.g/ is the release announcement.

The relevant commits:

https://github.com/git/git/commit/e47363e5a8 (t0033: add tests for safe.directory, 2022-04-13)
https://github.com/git/git/commit/bb50ec3cc3 (setup: fix safe.directory key not being checked, 2022-04-13)
https://github.com/git/git/commit/0f85c4a30b (setup: opt-out of check with safe.directory=*, 2022-04-13)
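An added illustration (not git's own source) of the ownership check that the fix in the description introduced and of the `safe.directory=*` escape hatch from this comment: walk up from a directory to the nearest `.git`, refuse to trust it unless the caller owns it or it is allow-listed. The scratch layout, the user name alice and the simulated foreign uid are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Iterable, Optional


def discover_git_dir(start: Path) -> Optional[Path]:
    """Walk upward from `start` to the nearest `.git` directory, as git does."""
    for candidate in (start.resolve(), *start.resolve().parents):
        if (candidate / ".git").is_dir():
            return candidate / ".git"
    return None


def is_safe_directory(git_dir: Path, caller_uid: int,
                      safe_directories: Iterable[str] = ()) -> bool:
    """Trust the repo only if the caller owns it or it is allow-listed."""
    # `safe_directories` models the multi-valued safe.directory key; the
    # single value "*" is the blanket opt-out added in the follow-up releases.
    safe = set(safe_directories)
    if "*" in safe or str(git_dir.parent) in safe:
        return True
    return os.stat(git_dir).st_uid == caller_uid


def check_worktree(start: Path, caller_uid: Optional[int] = None,
                   safe_directories: Iterable[str] = ()) -> str:
    """Return "safe", "dubious ownership" or "not a worktree" for `start`."""
    if caller_uid is None:
        caller_uid = os.getuid()
    git_dir = discover_git_dir(start)
    if git_dir is None:
        return "not a worktree"
    if is_safe_directory(git_dir, caller_uid, safe_directories):
        return "safe"
    return "dubious ownership"


def run_demo() -> dict:
    """Constructed layout: a shared scratch dir with a stray .git above a user dir."""
    scratch = Path(tempfile.mkdtemp()).resolve() / "scratch"
    (scratch / ".git").mkdir(parents=True)          # planted by "another user"
    user_dir = scratch / "alice" / "notes"          # never meant to be a worktree
    user_dir.mkdir(parents=True)
    other_uid = os.stat(scratch / ".git").st_uid + 1  # simulate a different caller
    return {
        "owner": check_worktree(user_dir),
        "other_user": check_worktree(user_dir, other_uid),
        "other_user_optout": check_worktree(user_dir, other_uid, ["*"]),
        "other_user_allowlisted": check_worktree(user_dir, other_uid, [str(scratch)]),
    }
```

Real git reads `safe.directory` only from the protected (system and global) config, never from the repository's own config, which is what keeps the allow-list out of the repository owner's hands.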

Comment 4 Sandipan Roy 2022-04-26 05:54:56 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 2078716]

Comment 6 Todd Zullinger 2022-04-26 15:04:57 UTC
The doc text seems slightly inaccurate.  There was no `safe.directory` option to check prior to this release.  It also doesn't allow access to the repository by any user.  The issue is that the owner of the repository can cause commands to be run for any other user who already has access to the repository (which can occur by just changing into the repository if the user has configured git to show repo info in their shell prompt).  Perhaps it could say something like this:

A vulnerability was found in Git. This flaw occurs due to Git not checking the ownership of directories in a local multi-user system when running commands specified in the local repository configuration.  This allows the owner of the repository to cause arbitrary commands to be executed by other users who access the repository.

Comment 7 juneau 2022-05-02 18:40:45 UTC
marking Services affected/delegated for presence of affected code, however the incidence of this issue actually occurring would appear highly unlikely at best

Comment 11 errata-xmlrpc 2023-05-09 07:28:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2319 https://access.redhat.com/errata/RHSA-2023:2319

Comment 12 errata-xmlrpc 2023-05-16 08:20:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2859 https://access.redhat.com/errata/RHSA-2023:2859

Comment 13 Product Security DevOps Team 2023-05-16 14:31:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24765

Comment 15 errata-xmlrpc 2024-01-24 16:41:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0407 https://access.redhat.com/errata/RHSA-2024:0407

