Bug 1079389 - (CVE-2018-1000021) VUL-0: CVE-2018-1000021: git: client prints server sent ANSI escape codes to the terminal, allowing for unverified messages to potentially execute arbitrary commands
(CVE-2018-1000021)
VUL-0: CVE-2018-1000021: git: client prints server sent ANSI escape codes to ...
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/199430/
CVSSv3:RedHat:CVE-2018-1000021:5.0:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-02-05 15:34 UTC by Karol Babioch
Modified: 2020-04-01 16:49 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Karol Babioch 2018-02-05 15:34:40 UTC
CVE-2018-1000021

The Git client does not validate messages received from a Git server, and will print anything received, including ANSI escape codes, to the terminal. Under certain client environments, a malicious Git server or man-in-the-middle (MITM) could send malicious data, potentially resulting in command execution on the client machine. 

External References:

http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1541854
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000021
http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html
Comment 1 Andreas Stieger 2018-02-05 17:06:34 UTC
The issue was not discussed upstream, apparently.

It was assigned via DVF: https://iwantacve.org/
https://docs.google.com/spreadsheets/d/1PlDOsZ4Q36JU4Dz9zyBB2F3814dScppCRCe1muCT7JI/edit#gid=100588343

with the following data:

1/6/2018 4:59:26	riley@mailo.com	Yes	Yes	GIT	GIT	https://git-scm.com/	2.15.1 and earlier		Input Validation Error		Client	Varies depending on client used. Can range from messing up terminal configuration to RCE	The user must interact with a malicious git server, (or have their traffic modified in a MITM attack)	http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html

Notes: CVE-2009-4487 is similar. This can be used in combination with other CVEs, such as CVE-2003-0063 or CVE-2003-0021.
Comment 3 Takashi Iwai 2018-03-23 11:24:27 UTC
I'd follow the decision of other distros: it's no real security issue in git per se.

Back to security team.
Comment 4 Karol Babioch 2018-03-23 12:30:29 UTC
We do not intend to fix this, since it has no real security impact.