Bug 1198234 - (CVE-2022-24765) VUL-0: CVE-2022-24765: git,libgit2: potential command injection via git worktree
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Antonio Larrosa
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/328402/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-24765:7.3:(AV:...
Depends on:
Blocks:
Reported: 2022-04-08 07:02 UTC by Robert Frohl
Modified: 2022-10-04 13:37 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 9 OBSbugzilla Bot 2022-04-12 20:50:04 UTC
This is an autogenerated message for OBS integration:
This bug (1198234) was mentioned in
https://build.opensuse.org/request/show/969560 Factory / git
Comment 11 Robert Frohl 2022-04-13 06:45:08 UTC
oss-security:

The Git project released versions v2.30.3, v2.31.2, v2.32.1,
v2.33.2, v2.34.2, and v2.35.2 today.  They are to address
CVE-2022-24765.  All supported platforms with multiple users are
affected in one way or another.

    https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/

We highly recommend upgrading.

The addressed issue is:

* CVE-2022-24765:
  On multi-user machines, Git users might find themselves unexpectedly in
  a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended
  for all users and another user created a repository in `/scratch/.git`.
  Merely having a Git-aware prompt that runs `git status` (or `git diff`)
  and navigating to a directory which is supposedly not a Git worktree, or
  opening such a directory in an editor or IDE such as VS Code or Atom, will
  potentially run commands defined by that other user via
  `/scratch/.git/config`.

Credit for finding the vulnerability goes to 俞晨东; credit for fixing
it goes to Johannes Schindelin.
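As an added illustration (not code from the page, the Git project or libgit2): a small Python model of the repository-discovery walk the advisory above describes, with the ownership check that the fixed Git versions apply (the `safe.directory` mechanism), so that a `.git` planted by another user in a shared directory is refused rather than used. Directory ownership is simulated with a lookup table because changing owners needs root; `discover_git_dir`, `demo` and the ceiling parameter (modelled on `GIT_CEILING_DIRECTORIES`) are names chosen here.

```python
import tempfile
from pathlib import Path


def discover_git_dir(start, current_uid, owner_of=lambda p: p.stat().st_uid,
                     safe_directories=(), ceiling=None):
    """Walk upwards from `start` looking for a `.git` directory, roughly the way
    git's repository discovery does.  Unlike pre-fix git, a repository whose
    top-level directory is owned by a different uid is refused unless that
    directory is explicitly trusted (the idea behind git's `safe.directory`).
    `ceiling` stops the walk, like GIT_CEILING_DIRECTORIES.
    Returns (gitdir, status) with status one of 'ok', 'unsafe' or 'none'."""
    cur = Path(start).resolve()
    ceiling = Path(ceiling).resolve() if ceiling else None
    while True:
        candidate = cur / ".git"
        if candidate.is_dir():
            if owner_of(cur) == current_uid or str(cur) in safe_directories:
                return candidate, "ok"
            return candidate, "unsafe"          # another user's repository
        if cur.parent == cur or cur == ceiling:  # filesystem root or ceiling
            return None, "none"
        cur = cur.parent


def demo():
    """Constructed scenario from the advisory: a shared scratch directory in
    which another user created scratch/.git, and our own project below it.
    Ownership is a lookup table (hypothetical uids), since chown needs root."""
    with tempfile.TemporaryDirectory() as root:
        scratch = Path(root).resolve() / "scratch"
        (scratch / ".git").mkdir(parents=True)
        (scratch / ".git" / "config").write_text("[core]\n\tbare = false\n")
        work = scratch / "myproject"
        work.mkdir()
        me, other = 1000, 1001
        fake_owner = {str(scratch): other}      # scratch/ belongs to other user

        def owner(p):
            return fake_owner.get(str(p), me)

        unsafe = discover_git_dir(work, me, owner, ceiling=root)[1]
        trusted = discover_git_dir(work, me, owner, ceiling=root,
                                   safe_directories=(str(scratch),))[1]
        own = discover_git_dir(work, other, owner, ceiling=root)[1]
        none = discover_git_dir(root, me, owner, ceiling=root)[1]
        return unsafe, trusted, own, none
```

Statuses returned by `demo()` correspond, in order, to: the planted repository refused, the same directory after being explicitly trusted, the owner's own view of it, and a directory tree with no `.git` at all.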
Comment 12 Andreas Stieger 2022-04-13 17:58:34 UTC
libgit2 1.4.3, 1.3.1 have compatibility fixes:
https://github.com/libgit2/libgit2/releases/tag/v1.4.3
https://github.com/libgit2/libgit2/releases/tag/v1.3.1
Comment 15 OBSbugzilla Bot 2022-04-15 14:40:04 UTC
This is an autogenerated message for OBS integration:
This bug (1198234) was mentioned in
https://build.opensuse.org/request/show/970347 Factory / git
Comment 16 Swamp Workflow Management 2022-04-19 13:31:56 UTC
SUSE-SU-2022:1260-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1198234
CVE References: CVE-2022-24765
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    git-2.26.2-150000.36.1
openSUSE Leap 15.3 (src):    git-2.26.2-150000.36.1
SUSE Manager Server 4.1 (src):    git-2.26.2-150000.36.1
SUSE Manager Retail Branch Server 4.1 (src):    git-2.26.2-150000.36.1
SUSE Manager Proxy 4.1 (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise Server for SAP 15 (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise Server 15-LTSS (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    git-2.26.2-150000.36.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    git-2.26.2-150000.36.1
SUSE Enterprise Storage 7 (src):    git-2.26.2-150000.36.1
SUSE Enterprise Storage 6 (src):    git-2.26.2-150000.36.1
SUSE CaaS Platform 4.0 (src):    git-2.26.2-150000.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2022-04-22 19:23:58 UTC
SUSE-SU-2022:1306-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1198234
CVE References: CVE-2022-24765
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    git-2.26.2-27.52.1
SUSE OpenStack Cloud Crowbar 8 (src):    git-2.26.2-27.52.1
SUSE OpenStack Cloud 9 (src):    git-2.26.2-27.52.1
SUSE OpenStack Cloud 8 (src):    git-2.26.2-27.52.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    git-2.26.2-27.52.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    git-2.26.2-27.52.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    git-2.26.2-27.52.1
SUSE Linux Enterprise Server 12-SP5 (src):    git-2.26.2-27.52.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    git-2.26.2-27.52.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    git-2.26.2-27.52.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    git-2.26.2-27.52.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    git-2.26.2-27.52.1
HPE Helion Openstack 8 (src):    git-2.26.2-27.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2022-05-02 19:16:18 UTC
SUSE-SU-2022:1484-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1181400,1198234
CVE References: CVE-2022-24765
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    git-2.35.3-150300.10.12.1
openSUSE Leap 15.3 (src):    git-2.35.3-150300.10.12.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    git-2.35.3-150300.10.12.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    git-2.35.3-150300.10.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    git-2.35.3-150300.10.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    git-2.35.3-150300.10.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Hu 2022-07-13 11:10:27 UTC
2 things:

1. This upstream fix is incomplete; we are tracking the rest of the fix here: bnc#1201431

2. This is not fixed in libgit2 yet:
I think this is the fix for this CVE for libgit2, but also incomplete (see bnc#1201431):
https://github.com/libgit2/libgit2/pull/266/files

This is missing in:
- SUSE:SLE-15-SP2:Update/libgit2  0.28.4
- SUSE:SLE-15:Update/libgit2      0.26.8
- SUSE:SLE-15-SP4:Update/libgit2  1.3.0

Not sure how easy it is for the older versions to add this.

Not Affected:
- openSUSE:Factory/libgit2        1.4.3
Comment 22 Antonio Larrosa 2022-09-13 10:24:27 UTC
I just submitted the following SRs to fix this:

https://build.suse.de/request/show/279522 for SLE-15:Update
https://build.suse.de/request/show/279523 for SLE-15-SP2:Update
https://build.suse.de/request/show/279524 for SLE-15-SP4:Update

Btw, the PR at https://github.com/libgit2/libgit2/pull/266/files mentioned in #c19 was merged long ago and was already included in SLE-15:GA.
Comment 23 Swamp Workflow Management 2022-09-15 19:25:37 UTC
SUSE-SU-2022:3283-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1198234,1201431
CVE References: CVE-2022-24765,CVE-2022-29187
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    libgit2-1.3.0-150400.3.3.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    libgit2-1.3.0-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Swamp Workflow Management 2022-10-04 13:28:49 UTC
SUSE-SU-2022:3494-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1198234,1201431
CVE References: CVE-2022-24765,CVE-2022-29187
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    libgit2-0.28.4-150200.3.3.1
openSUSE Leap 15.3 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Manager Server 4.1 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Manager Retail Branch Server 4.1 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Manager Proxy 4.1 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    libgit2-0.28.4-150200.3.3.1
SUSE Enterprise Storage 7 (src):    libgit2-0.28.4-150200.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2022-10-04 13:37:39 UTC
SUSE-SU-2022:3495-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1158790,1158981,1198234,1201431
CVE References: CVE-2019-1352,CVE-2022-24765,CVE-2022-29187
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    libgit2-0.26.8-150000.3.15.1
openSUSE Leap 15.3 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Manager Server 4.1 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Manager Retail Branch Server 4.1 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Manager Proxy 4.1 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server for SAP 15 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-LTSS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Enterprise Storage 7 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Enterprise Storage 6 (src):    libgit2-0.26.8-150000.3.15.1
SUSE CaaS Platform 4.0 (src):    libgit2-0.26.8-150000.3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.