Bugzilla – Bug 1110949
VUL-0: CVE-2018-17456: git,libgit2: arbitrary code execution via .gitmodules
Last modified: 2020-05-01 22:27:11 UTC
Git 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1

These releases fix a security flaw (CVE-2018-17456), which allowed an attacker to execute arbitrary code by crafting a malicious .gitmodules file in a project cloned with --recurse-submodules.

When running "git clone --recurse-submodules", Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a "git clone" subprocess. If the URL field is set to a string that begins with a dash, this "git clone" subprocess interprets the URL as an option. This can lead to executing an arbitrary script shipped in the superproject as the user who ran "git clone".

In addition to fixing the security issue for the user running "clone", the 2.17.2, 2.18.1 and 2.19.1 releases have an "fsck" check which can be used to detect such malicious repository content when fetching or accepting a push. See "transfer.fsckObjects" in git-config(1).

Credit for finding and fixing this vulnerability goes to joernchen and Jeff King, respectively.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17456
https://lists.q42.co.uk/pipermail/git-announce/2018-October/000996.html
This is an autogenerated message for OBS integration: This bug (1110949) was mentioned in https://build.opensuse.org/request/show/640121 Factory / git
Also affects libgit2:
https://github.com/libgit2/libgit2/releases/tag/v0.27.5
https://github.com/libgit2/libgit2/releases/tag/v0.26.7

> This is a security release fixing the following list of issues:
>
> Submodule URLs and paths with a leading "-" are now ignored.
> This is due to the recently discovered CVE-2018-17456, which
> can lead to arbitrary code execution in upstream git. While
> libgit2 itself is not vulnerable, it can be used to inject
> options in an implementation which performs a recursive clone
> by executing an external command.
https://github.com/libgit2/libgit2/pull/4837
https://github.com/libgit2/libgit2/pull/4837/commits/4e0bdaa877336efc9d42fe7c2a57d4cfe60e66a2
https://github.com/libgit2/libgit2/pull/4837/commits/c8ca3caef68f31d553c131b471223ff934bb3cff

> submodule: ignore path and url attributes if they look like options
>
> These can be used to inject options in an implementation which performs a
> recursive clone by executing an external command via crafted url and path
> attributes such that it triggers a local executable to be run.
>
> The library is not vulnerable as we do not rely on external executables but a
> user of the library might be relying on that so we add this protection.
>
> This matches this aspect of git's fix for CVE-2018-17456.
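
Added example, not part of the bug report and not git's or libgit2's code: a small Python scanner that applies the rule described in the comments above (a submodule url or path beginning with "-" may be read as a command-line option) to the text of a .gitmodules file. The function names, the simplified line-based parser (no continuation lines or escape handling) and the sample file are assumptions for illustration; the "-upstream" value is the one from the QA reproducer's expected warning quoted later in this bug.

```python
import re

SECTION = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
KEYVAL = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')
CHECKED_KEYS = ("url", "path")  # the two attributes the libgit2 notes name


def looks_like_option(value):
    """True if the value would be parsed as an option when placed in an argv."""
    return value.startswith("-")


def scan_gitmodules(text):
    """Return (submodule, key, value) for each url/path with a leading dash."""
    findings = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank line or comment
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            continue
        if stripped.startswith("["):
            current = None  # some other section; its keys are not checked
            continue
        m = KEYVAL.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # quoting must not hide the dash
            if key in CHECKED_KEYS and looks_like_option(value):
                findings.append((current, key, value))
    return findings


# Constructed sample file; "sub" carries the reproducer's "-upstream" value.
SAMPLE = (
    '[submodule "lib"]\n'
    '    path = vendor/lib\n'
    '    url = https://example.com/lib.git\n'
    '[submodule "sub"]\n'
    '    path = sub\n'
    '    url = -upstream\n'
)

if __name__ == "__main__":
    for name, key, value in scan_gitmodules(SAMPLE):
        print(f"warning: ignoring 'submodule.{name}.{key}' which may be "
              f"interpreted as a command-line option: {value}")
```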
SUSE:SLE-12:Update/git and SUSE:SLE-15:Update/git are affected. The relevant code in SUSE:SLE-11-SP1:Update/git has changed quite a bit. This functionality has been rewritten in C (was shell script previously), starting with commit ee8838d157. The functionality was already available back then, but I'm not sure whether it was vulnerable to this sort of attack. Needs further analysis.
Also Leap 42.3 has its own version (2.13.7-based).
This is an autogenerated message for OBS integration: This bug (1110949) was mentioned in https://build.opensuse.org/request/show/640652 42.3 / git
Now backported to SLE15 and Leap42.3. SLE12 required yet another fix for a segfault. I leave the older distro as is, judging from comment 4. Let me know if the fix is really needed for such old ones. Reassigned back to security team.
Assigning to SLE bugowner for libgit2
openSUSE-SU-2018:3109-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1110949 CVE References: CVE-2018-17456 Sources used: openSUSE Leap 42.3 (src): git-2.13.7-16.1
SUSE-SU-2018:3150-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1110949 CVE References: CVE-2018-17456 Sources used: SUSE Linux Enterprise Module for Development Tools 15 (src): git-2.16.4-3.6.1 SUSE Linux Enterprise Module for Basesystem 15 (src): git-2.16.4-3.6.1
openSUSE-SU-2018:3178-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1110949 CVE References: CVE-2018-17456 Sources used: openSUSE Leap 15.0 (src): git-2.16.4-lp150.2.6.1
SUSE-SU-2018:4009-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1110949,1114729 CVE References: CVE-2018-17456 Sources used: SUSE Linux Enterprise Module for Development Tools 15 (src): libgit2-0.26.8-3.8.1
openSUSE-SU-2018:4051-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1110949,1114729 CVE References: CVE-2018-17456 Sources used: openSUSE Leap 15.0 (src): libgit2-0.26.8-lp150.2.6.1
Bug is being worked on.
SUSE-SU-2018:4088-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1110949 CVE References: CVE-2018-17456 Sources used: SUSE OpenStack Cloud 8 (src): git-2.12.3-27.17.2 SUSE OpenStack Cloud 7 (src): git-2.12.3-27.17.2 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): git-2.12.3-27.17.2 SUSE Linux Enterprise Server for SAP 12-SP2 (src): git-2.12.3-27.17.2 SUSE Linux Enterprise Server 12-SP3 (src): git-2.12.3-27.17.2 SUSE Linux Enterprise Server 12-SP2-LTSS (src): git-2.12.3-27.17.2 SUSE Linux Enterprise Server 12-SP2-BCL (src): git-2.12.3-27.17.2 SUSE Linux Enterprise Server 12-SP1-LTSS (src): git-2.12.3-27.17.2 SUSE Linux Enterprise Server 12-LTSS (src): git-2.12.3-27.17.2 SUSE Enterprise Storage 4 (src): git-2.12.3-27.17.2 SUSE CaaS Platform ALL (src): git-2.12.3-27.17.2 SUSE CaaS Platform 3.0 (src): git-2.12.3-27.17.2 OpenStack Cloud Magnum Orchestration 7 (src): git-2.12.3-27.17.2 HPE Helion Openstack 8 (src): git-2.12.3-27.17.2
SUSE-SU-2019:0024-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1110949,1114729 CVE References: CVE-2018-19456 Sources used: SUSE Manager Server 3.2 (src): libgit2-0.24.1-7.9.1 SUSE Manager Server 3.1 (src): libgit2-0.24.1-7.9.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): libgit2-0.24.1-7.9.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libgit2-0.24.1-7.9.1
openSUSE-SU-2019:0021-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1110949,1114729 CVE References: CVE-2018-19456 Sources used: openSUSE Leap 42.3 (src): libgit2-0.24.1-10.6.1
Created attachment 795003
git-submodules-test.sh

QA REPRODUCER:

bash git-submodules-test.sh

should in the end warn about:

warning: ignoring 'submodule.sub.url' which may be interpreted as a command-line option: -upstream
I think we could at least partially fix SLE11 git by adding a -- to protect from interpretation as cmdline argument. git-clone -n "$url" "$path" || git-clone -n -- "$url" "$path" ||
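Review bot: in the changed `git-clone -n -- "$url" "$path" ||` line, the `--` stops a leading-dash "$url" or "$path" from being parsed as an option, but the value is still handed to git-clone as the repository or destination. The libgit2 release notes quoted earlier in this bug ignore submodule URLs and paths with a leading "-" outright, and the QA reproducer expects an "ignoring 'submodule.sub.url'" warning; consider adding a check before this call that skips such values with a warning, so that the SLE11 behaviour matches and the reproducer can be used to verify it.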
I did not test it, but I think I have fixed it. Reassigning back to security team.
SUSE-SU-2018:4088-2: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1110949 CVE References: CVE-2018-17456 Sources used: SUSE Linux Enterprise Server for SAP 12-SP1 (src): git-2.12.3-27.17.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2018:4088-3: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1110949 CVE References: CVE-2018-17456 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP4 (src): git-2.12.3-27.17.2 SUSE Linux Enterprise Server 12-SP4 (src): git-2.12.3-27.17.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done
SUSE-SU-2020:1121-1: An update that solves 15 vulnerabilities and has 8 fixes is now available. Category: security (moderate) Bug References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936 CVE References: CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): git-2.26.1-3.25.2 SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): git-2.26.1-3.25.2 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): git-2.26.1-3.25.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0598-1: An update that solves 15 vulnerabilities and has 8 fixes is now available. Category: security (moderate) Bug References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936 CVE References: CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260 Sources used: openSUSE Leap 15.1 (src): git-2.26.1-lp151.4.9.1