Bugzilla – Bug 1095219
VUL-0: CVE-2018-11235: git,libgit2: arbitrary code execution when recursively cloning a malicious repository
Last modified: 2020-05-01 22:27:04 UTC
rh#1583862 In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server. References: https://bugzilla.redhat.com/show_bug.cgi?id=1583862 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11235 http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11235.html http://www.debian.org/security/2018/dsa-4212 https://blogs.msdn.microsoft.com/devops/2018/05/29/announcing-the-may-2018-git-security-vulnerability/
FACTORY was already updated to 2.17.1. SLE15 / Leap 15.0 will be fixed via the update to 2.16.4. MR#165936 Leap 42.3 will be fixed via the update to 2.13.7. MR#613089 SLE12 and older need manual backports. Working on them.
This is an autogenerated message for OBS integration: This bug (1095219) was mentioned in https://build.opensuse.org/request/show/613089 42.3 / git https://build.opensuse.org/request/show/613093 Factory / git
SLE12 -> MR#165944
This is an autogenerated message for OBS integration: This bug (1095219) was mentioned in https://build.opensuse.org/request/show/613100 15.0 / git
openSUSE-SU-2018:1553-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1095218,1095219 CVE References: CVE-2018-11233,CVE-2018-11235 Sources used: openSUSE Leap 42.3 (src): git-2.13.7-13.1 openSUSE Leap 15.0 (src): git-2.16.4-lp150.2.3.1
SUSE-SU-2018:1566-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1095218,1095219 CVE References: CVE-2018-11233,CVE-2018-11235 Sources used: SUSE OpenStack Cloud 8 (src): git-2.12.3-27.14.1 SUSE OpenStack Cloud 7 (src): git-2.12.3-27.14.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): git-2.12.3-27.14.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): git-2.12.3-27.14.1 SUSE Linux Enterprise Server for SAP 12-SP1 (src): git-2.12.3-27.14.1 SUSE Linux Enterprise Server 12-SP3 (src): git-2.12.3-27.14.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): git-2.12.3-27.14.1 SUSE Linux Enterprise Server 12-SP1-LTSS (src): git-2.12.3-27.14.1 SUSE Linux Enterprise Server 12-LTSS (src): git-2.12.3-27.14.1 SUSE Enterprise Storage 4 (src): git-2.12.3-27.14.1 SUSE CaaS Platform ALL (src): git-2.12.3-27.14.1 OpenStack Cloud Magnum Orchestration 7 (src): git-2.12.3-27.14.1 HPE Helion OpenStack 8 (src): git-2.12.3-27.14.1
For SLE11 and older, it's very tough to backport these fixes, as the code base has been changed too much. So I concluded that it's rather too risky to backport them forcibly, and leave them. Back to security team.
SUSE-SU-2018:1872-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1095218,1095219 CVE References: CVE-2018-11233,CVE-2018-11235 Sources used: SUSE Linux Enterprise Module for Development Tools 15 (src): git-2.16.4-3.3.2 SUSE Linux Enterprise Module for Basesystem 15 (src): git-2.16.4-3.3.2
Also: libgit2 https://github.com/libgit2/libgit2/releases/tag/v0.27.1 https://github.com/libgit2/libgit2/releases/tag/v0.26.4
https://build.opensuse.org/request/show/621935
SUSE-SU-2018:2469-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1095219,1100612,1100613,1104641 CVE References: CVE-2018-10887,CVE-2018-10888,CVE-2018-11235,CVE-2018-15501 Sources used: SUSE Linux Enterprise Module for Development Tools 15 (src): libgit2-0.26.6-3.5.2
openSUSE-SU-2018:2502-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1095219,1100612,1100613,1104641 CVE References: CVE-2018-10887,CVE-2018-10888,CVE-2018-11235,CVE-2018-15501 Sources used: openSUSE Leap 15.0 (src): libgit2-0.26.6-lp150.2.3.1
SUSE-SU-2018:1566-2: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1095218,1095219 CVE References: CVE-2018-11233,CVE-2018-11235 Sources used: SUSE Linux Enterprise Server 12-SP2-BCL (src): git-2.12.3-27.14.1
SUSE-SU-2018:3440-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 1085256,1095219,1100612,1100613,1104641 CVE References: CVE-2018-10887,CVE-2018-10888,CVE-2018-11235,CVE-2018-15501,CVE-2018-8099 Sources used: SUSE Manager Server 3.2 (src): libgit2-0.24.1-7.6.1 SUSE Manager Server 3.1 (src): libgit2-0.24.1-7.6.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libgit2-0.24.1-7.6.1
openSUSE-SU-2018:3519-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 1085256,1095219,1100612,1100613,1104641 CVE References: CVE-2018-10887,CVE-2018-10888,CVE-2018-11235,CVE-2018-15501,CVE-2018-8099 Sources used: openSUSE Leap 42.3 (src): libgit2-0.24.1-10.3.1
Reassigned to the new git package maintainer.
I somehow managed to apply these patches also to SLE11: SLE11-SP1 -> https://build.suse.de/request/show/176926
The git-1.6.0.2 in SLE-11_Update differs so much from git-1.7.12.4 in SLE-11-SP1_Update that I have serious troubles with applying the patches (for example, there is no ntfs or hfs support). I would be able to apply only some of the patches, and since the two CVE's vere closely connected, I am afraid that the fix will not be complete. Is this serious problem?
I got this bug also (at least partially) fixed on SLE11_Update. The removed commits were fixing another bug which does not affect such old version. The one fix I am puzzled about is not testing if we skip the worktree, but it looks like the code does not skip worktrees at all. https://build.suse.de/request/show/177251 Back to security team.
Done
SUSE-SU-2020:1121-1: An update that solves 15 vulnerabilities and has 8 fixes is now available. Category: security (moderate) Bug References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936 CVE References: CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): git-2.26.1-3.25.2 SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): git-2.26.1-3.25.2 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): git-2.26.1-3.25.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0598-1: An update that solves 15 vulnerabilities and has 8 fixes is now available. Category: security (moderate) Bug References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936 CVE References: CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260 Sources used: openSUSE Leap 15.1 (src): git-2.26.1-lp151.4.9.1