Bug 1110949 (CVE-2018-17456) - VUL-0: CVE-2018-17456: git,libgit2: arbitrary code execution via .gitmodules
Status: RESOLVED FIXED
Alias: CVE-2018-17456
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/216232/
Whiteboard: CVSSv3:RedHat:CVE-2018-17456:8.8:(AV:...
Reported: 2018-10-05 17:28 UTC by Andreas Stieger
Modified: 2020-05-01 22:27 UTC
Found By: Security Response Team


Attachments
git-submodules-test.sh (359 bytes, application/x-shellscript)
2019-01-21 11:36 UTC, Marcus Meissner
Description Andreas Stieger 2018-10-05 17:28:59 UTC
Git 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1

These releases fix a security flaw (CVE-2018-17456), which allowed an
attacker to execute arbitrary code by crafting a malicious .gitmodules
file in a project cloned with --recurse-submodules.

When running "git clone --recurse-submodules", Git parses the supplied
.gitmodules file for a URL field and blindly passes it as an argument
to a "git clone" subprocess.  If the URL field is set to a string that
begins with a dash, this "git clone" subprocess interprets the URL as
an option.  This can lead to executing an arbitrary script shipped in
the superproject as the user who ran "git clone".

In addition to fixing the security issue for the user running "clone",
the 2.17.2, 2.18.1 and 2.19.1 releases have an "fsck" check which can
be used to detect such malicious repository content when fetching or
accepting a push. See "transfer.fsckObjects" in git-config(1).

Credit for finding and fixing this vulnerability goes to joernchen
and Jeff King, respectively.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17456
https://lists.q42.co.uk/pipermail/git-announce/2018-October/000996.html
Comment 1 Swamp Workflow Management 2018-10-05 18:20:05 UTC
This is an autogenerated message for OBS integration:
This bug (1110949) was mentioned in
https://build.opensuse.org/request/show/640121 Factory / git
Comment 2 Andreas Stieger 2018-10-07 12:13:01 UTC
Also affects libgit2:

https://github.com/libgit2/libgit2/releases/tag/v0.27.5
https://github.com/libgit2/libgit2/releases/tag/v0.26.7

> This is a security release fixing the following list of issues:
> 
>     Submodule URLs and paths with a leading "-" are now ignored.
>     This is due to the recently discovered CVE-2018-17456, which
>     can lead to arbitrary code execution in upstream git. While
>     libgit2 itself is not vulnerable, it can be used to inject
>     options in an implementation which performs a recursive clone
>     by executing an external command.
Comment 3 Andreas Stieger 2018-10-07 12:17:13 UTC
https://github.com/libgit2/libgit2/pull/4837
https://github.com/libgit2/libgit2/pull/4837/commits/4e0bdaa877336efc9d42fe7c2a57d4cfe60e66a2
https://github.com/libgit2/libgit2/pull/4837/commits/c8ca3caef68f31d553c131b471223ff934bb3cff

> submodule: ignore path and url attributes if they look like options
> 
> These can be used to inject options in an implementation which performs a
> recursive clone by executing an external command via crafted url and path
> attributes such that it triggers a local executable to be run.
> 
> The library is not vulnerable as we do not rely on external executables but a
> user of the library might be relying on that so we add this protection.
> 
> This matches this aspect of git's fix for CVE-2018-17456.
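
The check that the advisory and the libgit2 commit message above describe, as an added example (not code from git, libgit2 or this bug report): a simplified `.gitmodules` reader that reports `url` and `path` values starting with a dash. The function names, the reduced config syntax and the sample input are assumptions made for illustration.

```python
import re

# Simplified .gitmodules reader (assumption): one key per line, no continuations.
SECTION = re.compile(r'^\[submodule\s+"((?:[^"\\]|\\.)*)"\]$', re.I)
ENTRY = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')

def unquote(raw):
    """Strip unquoted #/; comments and double quotes; a backslash keeps the next char."""
    out, quoted, chars = [], False, iter(raw)
    for ch in chars:
        if ch == "\\":
            out.append(next(chars, ""))
        elif ch == '"':
            quoted = not quoted
        elif ch in "#;" and not quoted:
            break
        else:
            out.append(ch)
    return "".join(out).strip()

def option_like_values(text):
    """Return (submodule, key, value) for url/path values starting with '-'."""
    findings, name = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            header = SECTION.match(line)
            name = header.group(1) if header else None
            continue
        entry = ENTRY.match(line)
        if name is None or not entry:
            continue
        key, value = entry.group(1).lower(), unquote(entry.group(2))
        if key in ("url", "path") and value.startswith("-"):
            findings.append((name, key, value))
    return findings

# Constructed sample input, not the reproducer attached to this bug.
SAMPLE = """
[submodule "docs"]
    path = docs
    url = https://example.com/docs.git ; ordinary entry
[submodule "sub"]
    path = -sub
    url = "-upstream"
"""

if __name__ == "__main__":
    for name, key, value in option_like_values(SAMPLE):
        print(f"submodule.{name}.{key} looks like an option: {value}")
```

Values are tested after unquoting, so a quoted `url = "-upstream"` is reported the same way as an unquoted one.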
Comment 4 Karol Babioch 2018-10-08 12:44:08 UTC
SUSE:SLE-12:Update/git and SUSE:SLE-15:Update/git are affected.

The relevant code in SUSE:SLE-11-SP1:Update/git has changed quite a bit. This functionality has been rewritten in C (was shell script previously), starting with commit ee8838d157. The functionality was already available back then, but I'm not sure whether it was vulnerable to this sort of attack. Needs further analysis.
Comment 5 Takashi Iwai 2018-10-08 14:44:53 UTC
Also Leap 42.3 has its own version (2.13.7-based).
Comment 6 Swamp Workflow Management 2018-10-08 15:40:05 UTC
This is an autogenerated message for OBS integration:
This bug (1110949) was mentioned in
https://build.opensuse.org/request/show/640652 42.3 / git
Comment 8 Takashi Iwai 2018-10-09 12:30:06 UTC
Now backported to SLE15 and Leap42.3.  SLE12 required yet another fix for a segfault.

I leave the older distro as is, judging from comment 4.  Let me know if the fix is really needed for such old ones.

Reassigned back to security team.
Comment 10 Andreas Stieger 2018-10-09 13:21:54 UTC
Assigning to SLE bugowner for libgit2
Comment 11 Swamp Workflow Management 2018-10-12 10:12:11 UTC
openSUSE-SU-2018:3109-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1110949
CVE References: CVE-2018-17456
Sources used:
openSUSE Leap 42.3 (src):    git-2.13.7-16.1
Comment 12 Swamp Workflow Management 2018-10-15 16:10:47 UTC
SUSE-SU-2018:3150-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1110949
CVE References: CVE-2018-17456
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    git-2.16.4-3.6.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    git-2.16.4-3.6.1
Comment 14 Swamp Workflow Management 2018-10-17 04:10:16 UTC
openSUSE-SU-2018:3178-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1110949
CVE References: CVE-2018-17456
Sources used:
openSUSE Leap 15.0 (src):    git-2.16.4-lp150.2.6.1
Comment 18 Swamp Workflow Management 2018-12-07 14:10:44 UTC
SUSE-SU-2018:4009-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1110949,1114729
CVE References: CVE-2018-17456
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    libgit2-0.26.8-3.8.1
Comment 19 Swamp Workflow Management 2018-12-08 14:10:11 UTC
openSUSE-SU-2018:4051-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1110949,1114729
CVE References: CVE-2018-17456
Sources used:
openSUSE Leap 15.0 (src):    libgit2-0.26.8-lp150.2.6.1
Comment 20 Karol Babioch 2018-12-12 16:42:27 UTC
Bug is being worked on.
Comment 21 Swamp Workflow Management 2018-12-12 20:09:40 UTC
SUSE-SU-2018:4088-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1110949
CVE References: CVE-2018-17456
Sources used:
SUSE OpenStack Cloud 8 (src):    git-2.12.3-27.17.2
SUSE OpenStack Cloud 7 (src):    git-2.12.3-27.17.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    git-2.12.3-27.17.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    git-2.12.3-27.17.2
SUSE Linux Enterprise Server 12-SP3 (src):    git-2.12.3-27.17.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    git-2.12.3-27.17.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    git-2.12.3-27.17.2
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    git-2.12.3-27.17.2
SUSE Linux Enterprise Server 12-LTSS (src):    git-2.12.3-27.17.2
SUSE Enterprise Storage 4 (src):    git-2.12.3-27.17.2
SUSE CaaS Platform ALL (src):    git-2.12.3-27.17.2
SUSE CaaS Platform 3.0 (src):    git-2.12.3-27.17.2
OpenStack Cloud Magnum Orchestration 7 (src):    git-2.12.3-27.17.2
HPE Helion Openstack 8 (src):    git-2.12.3-27.17.2
Comment 23 Swamp Workflow Management 2019-01-07 23:09:13 UTC
SUSE-SU-2019:0024-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1110949,1114729
CVE References: CVE-2018-19456
Sources used:
SUSE Manager Server 3.2 (src):    libgit2-0.24.1-7.9.1
SUSE Manager Server 3.1 (src):    libgit2-0.24.1-7.9.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libgit2-0.24.1-7.9.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libgit2-0.24.1-7.9.1
Comment 24 Swamp Workflow Management 2019-01-12 02:08:59 UTC
openSUSE-SU-2019:0021-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1110949,1114729
CVE References: CVE-2018-19456
Sources used:
openSUSE Leap 42.3 (src):    libgit2-0.24.1-10.6.1
Comment 25 Marcus Meissner 2019-01-21 11:36:18 UTC
Created attachment 795003
git-submodules-test.sh

QA REPRODUCER:

bash git-submodules-test.sh


should in the end warn about:
warning: ignoring 'submodule.sub.url' which may be interpreted as a command-line option: -upstream
Comment 26 Marcus Meissner 2019-01-21 11:41:17 UTC
I think we could at least partially fix SLE11 git by adding a -- to protect
from interpretation as cmdline argument.

        git-clone -n "$url" "$path" ||
        git-clone -n -- "$url" "$path" ||
Comment 27 Markéta Machová 2019-01-22 12:00:32 UTC
I did not test it, but I think I have fixed it. Reassigning back to security team.
Comment 30 Swamp Workflow Management 2019-04-27 22:16:49 UTC
SUSE-SU-2018:4088-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1110949
CVE References: CVE-2018-17456
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    git-2.12.3-27.17.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Swamp Workflow Management 2019-10-03 13:12:15 UTC
SUSE-SU-2018:4088-3: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1110949
CVE References: CVE-2018-17456
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    git-2.12.3-27.17.2
SUSE Linux Enterprise Server 12-SP4 (src):    git-2.12.3-27.17.2

Comment 37 Alexandros Toptsoglou 2020-04-24 15:07:10 UTC
Done
Comment 38 Swamp Workflow Management 2020-04-28 10:36:14 UTC
SUSE-SU-2020:1121-1: An update that solves 15 vulnerabilities and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936
CVE References: CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    git-2.26.1-3.25.2
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    git-2.26.1-3.25.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    git-2.26.1-3.25.2

Comment 39 Swamp Workflow Management 2020-05-01 22:27:11 UTC
openSUSE-SU-2020:0598-1: An update that solves 15 vulnerabilities and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936
CVE References: CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260
Sources used:
openSUSE Leap 15.1 (src):    git-2.26.1-lp151.4.9.1