Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2020-11008: git: improper URL validation might lead to credential information | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Alexandros Toptsoglou <atoptsoglou> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | Andreas.Stieger, meissner |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/257997/ | | |
| Whiteboard: | CVSSv2:NVD:CVE-2020-11008:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv3.1:NVD:CVE-2020-11008:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSSv3.1:RedHat:CVE-2020-11008:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSSv3.1:SUSE:CVE-2020-11008:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | git-2020-11008.bundle.xz | | |
was made public https://lkml.org/lkml/2020/4/20/1252

From Junio C Hamano <>
Subject [Announce] Git v2.26.2 and others
Date Mon, 20 Apr 2020 11:02:55 -0700

Today, the Git project is releasing the following Git versions: v2.26.2, v2.25.4, v2.24.3, v2.23.3, v2.22.4, v2.21.3, v2.20.4, v2.19.5, v2.18.4, and v2.17.5.

These releases address the security issue CVE-2020-11008, which is similar to the recently addressed CVE-2020-5260. Users of the affected maintenance tracks are urged to upgrade.

The tarballs are found at:

https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of the 'v2.26.2' and other tags:

url = https://kernel.googlesource.com/pub/scm/git/git
url = git://repo.or.cz/alt-git.git
url = https://github.com/gitster/git

Attached below is the release notes for 2.17.5; all the newer maintenance tracks listed at the beginning of this message are updated with the same fix, so I won't repeat them here.

Thanks.

--------------------------------------------------

Git v2.17.5 Release Notes
=========================

This release is to address a security issue: CVE-2020-11008

Fixes since v2.17.4
-------------------

 * With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.

   Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter).

   The attack has been made impossible by refusing to work with under-specified credential patterns.

   Credit for finding the vulnerability goes to Carlo Arenas.

---

Oops, this has caught me unprepared... I have backported the fix to SUSE_SLE-15_Update and SUSE_SLE-12_Update so far (I am currently waiting for the build). Should I fix it also on SUSE_SLE-11-SP1_Update?

---

If possible please also backport for SLE11 SP1

---

sorry, I have to retract ... on SLE11 we no longer have any active product using "git" anymore.

SO SLE11 git submissions are no longer needed.

---

(In reply to Marcus Meissner from comment #8)
> sorry, I have to retract ... on SLE11 we no longer have any active product
> using "git" anymore.
>
> SO SLE11 git submissions are no longer needed.

next time I will know, thanks :)

---

This is an autogenerated message for OBS integration:

This bug (1169936) was mentioned in
https://build.opensuse.org/request/show/797168 Factory / git

---

SUSE-SU-2020:1121-1: An update that solves 15 vulnerabilities and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936
CVE References: CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): git-2.26.1-3.25.2
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): git-2.26.1-3.25.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): git-2.26.1-3.25.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

---

openSUSE-SU-2020:0598-1: An update that solves 15 vulnerabilities and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936
CVE References: CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260
Sources used:
openSUSE Leap 15.1 (src): git-2.26.1-lp151.4.9.1

---

"Spring bug cleanup": I think this is fixed.

---

OK

---

SUSE-RU-2020:1340-1: An update that has 6 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1149792,1169786,1169936,1170302,1170741,1170939
CVE References:
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): git-2.26.2-3.28.2
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): git-2.26.2-3.28.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): git-2.26.2-3.28.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

---

openSUSE-RU-2020:0708-1: An update that has 6 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1149792,1169786,1169936,1170302,1170741,1170939
CVE References:
Sources used:
openSUSE Leap 15.1 (src): git-2.26.2-lp151.4.12.1

---

This is an autogenerated message for OBS integration:

This bug (1169936) was mentioned in
https://build.opensuse.org/request/show/816877 15.2 / git

---

openSUSE-RU-2020:0863-1: An update that has 6 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1149792,1169786,1169936,1170302,1170741,1170939
CVE References:
Sources used:
openSUSE Leap 15.2 (src): git-2.26.2-lp152.2.3.1

---

Done
Created attachment 836155 [details] git-2020-11008.bundle.xz
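To make the announcement's description concrete, here is an added Python example that is not git's code and not part of this bug. It models the two layers the release notes describe: a URL with a newline, no scheme or an empty host is rejected before it becomes a credential description, and a description that still lacks a protocol or host (or carries a newline in a value) is refused rather than passed to a helper that would have to guess. The function names, the key=value line format and the sample URLs are assumptions constructed for the demonstration.

```python
"""Added example (not git's code): the two validation layers the
CVE-2020-11008 release notes describe, modelled in Python.

Layer 1: url_to_credential() refuses a URL with a newline, no scheme or
an empty host before anything is derived from it.
Layer 2: write_credential_request() refuses to emit an under-specified
description (no protocol or host) or one with a newline in a value.
All sample URLs below are constructed for the demonstration.
"""
from urllib.parse import unquote, urlsplit


class UnderSpecifiedCredential(ValueError):
    """Raised when a credential description is not safe to hand to a helper."""


def url_to_credential(url: str) -> dict:
    """Split a URL into the fields a credential helper would be asked about.

    The newline check runs on the raw string, before any parser gets a
    chance to strip or normalise the input.
    """
    if "\n" in url or "\r" in url:
        raise UnderSpecifiedCredential("URL contains a newline")
    parts = urlsplit(url)
    if not parts.scheme or "://" not in url:
        raise UnderSpecifiedCredential("URL has no scheme")
    if not parts.hostname:
        raise UnderSpecifiedCredential("URL has an empty host")

    cred = {"protocol": parts.scheme, "host": parts.hostname}
    if parts.port is not None:
        cred["host"] = f"{parts.hostname}:{parts.port}"
    # Userinfo is percent-decoded, so a decoded value gets checked again
    # in write_credential_request() before it reaches a helper.
    if parts.username is not None:
        cred["username"] = unquote(parts.username)
    if parts.password is not None:
        cred["password"] = unquote(parts.password)
    path = parts.path.lstrip("/")
    if path:
        cred["path"] = path
    return cred


def write_credential_request(cred: dict) -> str:
    """Render a description in a key=value line format (assumed here to
    mirror what a helper reads), refusing under-specified descriptions."""
    for key in ("protocol", "host"):
        if not cred.get(key):
            raise UnderSpecifiedCredential(
                f"refusing to work with credential missing {key} field")
    lines = []
    for key, value in cred.items():
        # A newline inside a value would let one field smuggle in another.
        if "\n" in value or "\r" in value:
            raise UnderSpecifiedCredential(
                f"credential value for {key} contains newline")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n\n"


def describe(url: str) -> str:
    """Run both layers over a URL and report the outcome as a string."""
    try:
        write_credential_request(url_to_credential(url))
    except UnderSpecifiedCredential as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed sample inputs: one well-formed URL and the malformed shapes
# named in the release notes (newline, empty host, missing scheme), plus
# a percent-encoded newline that only the second layer can see.
SAMPLE_URLS = [
    "https://git.example.com/repo.git",
    "https://git.example.com/repo.git\nhost=other",
    "https:///repo.git",
    "git.example.com/repo.git",
    "https://user%0ahost=other@git.example.com/repo.git",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(f"{sample!r}: {describe(sample)}")
```

Running the block prints one verdict per sample; only the first URL is accepted, and each malformed one is refused with the reason, which is the behaviour the release notes summarise as refusing to work with under-specified credential patterns.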