Bug 2338289 (CVE-2024-52005) - CVE-2024-52005 git: The sideband payload is passed unfiltered to the terminal in git
Summary: CVE-2024-52005 git: The sideband payload is passed unfiltered to the terminal...
Keywords:
Status: NEW
Alias: CVE-2024-52005
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2338315 2338314
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-01-15 18:01 UTC by OSIDB Bzimport
Modified: 2025-06-12 09:39 UTC (History)
17 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2025:9010 0 None None None 2025-06-12 09:39:08 UTC
Red Hat Product Errata RHSA-2025:7409 0 None None None 2025-05-13 11:53:51 UTC
Red Hat Product Errata RHSA-2025:7482 0 None None None 2025-05-13 15:58:11 UTC
Red Hat Product Errata RHSA-2025:7640 0 None None None 2025-05-15 00:30:46 UTC
Red Hat Product Errata RHSA-2025:7641 0 None None None 2025-05-15 00:31:00 UTC
Red Hat Product Errata RHSA-2025:8414 0 None None None 2025-06-03 01:15:30 UTC

Description OSIDB Bzimport 2025-01-15 18:01:31 UTC 
Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.
Comment 2 errata-xmlrpc 2025-05-13 11:53:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7409 https://access.redhat.com/errata/RHSA-2025:7409
Comment 3 errata-xmlrpc 2025-05-13 15:58:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7482 https://access.redhat.com/errata/RHSA-2025:7482
Comment 4 errata-xmlrpc 2025-05-15 00:30:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:7640 https://access.redhat.com/errata/RHSA-2025:7640
Comment 5 errata-xmlrpc 2025-05-15 00:30:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:7641 https://access.redhat.com/errata/RHSA-2025:7641
Comment 6 errata-xmlrpc 2025-06-03 01:15:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8414 https://access.redhat.com/errata/RHSA-2025:8414
Note You need to log in before you can comment on or make changes to this bug.