Bug 1168930 - (CVE-2020-5260) VUL-0: CVE-2020-5260: git: credentials leak via newline characters in URLs
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Markéta Machová
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/256737/
Reported: 2020-04-08 06:17 UTC by Wolfgang Frisch
Modified: 2021-07-29 10:18 UTC
Comment 3 Wolfgang Frisch 2020-04-08 10:12:06 UTC
The Git project will release new versions on Tuesday, April 14th, 2020,
at or around 11:00am PDT (6:00pm UTC). Attached is a Git bundle which
you can fetch into a clone of 'https://github.com/git/git' via:

 $ git fetch /path/to/git_cve_2020_5260.bundle 'refs/tags/*:refs/tags/*'

containing the tags for versions v2.26.1, v2.25.3, v2.24.2, v2.23.2,
v2.22.3, v2.21.2, v2.20.3, v2.19.4, v2.18.3, and v2.17.4.

You can verify with `git tag -v <tag>` that the versions were signed by
the Git maintainer, using the same GPG key as v2.26.0.

Please use these tags to prepare `git` packages for your various
distributions, using the appropriate tagged versions.

In the case that you need to backport this fix to earlier versions,
please cherry-pick 9a6bbee800 (credential: avoid writing values with
newlines, 2020-03-11). The additional patches are nice-to-have, but are
not strictly necessary. The test case in 't0300-credentials.sh' can help
verify the cherry-pick's correctness.

The addressed issue is:

* CVE-2020-5260:
  With a crafted URL that contains a newline in it, the credential
  helper machinery can be fooled to give credential information for a
  wrong host.  The attack has been made impossible by forbidding a
  newline character in any value passed via the credential protocol.

Credit for finding the vulnerability goes to Felix Wilhelm of Google
Project Zero.
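
The mechanism described in comment 3, as an added example that is not part of the original comment and is not Git's own code: a simplified Python model of the line-oriented `key=value` credential format, showing why a decoded newline inside a value changes what a helper reads and how the newline check stops it. The function names, the "later key replaces earlier key" parsing rule and the `.example` host names are assumptions made for this illustration.

```python
"""Simplified model of the key=value credential wire format (added example)."""
from urllib.parse import unquote

# Constructed sample URLs; the host names are placeholders.
CLEAN_URL = "https://good.example/repo.git"
NEWLINE_URL = "https://good.example%0ahost=other.example/repo.git"


def fields_from_url(url):
    """Split a URL into credential fields and percent-decode each value."""
    protocol, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return {"protocol": protocol, "host": unquote(host), "path": unquote(path)}


def write_naive(fields):
    """Pre-fix behaviour in this model: values are written without checks."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def write_checked(fields):
    """Post-fix behaviour: refuse any value that contains a newline."""
    for key, value in fields.items():
        if "\n" in value:
            raise ValueError(f"credential value for {key} contains newline")
    return write_naive(fields)


def helper_parse(wire):
    """Helper-side view: one key=value per line, a later key replaces an earlier one."""
    seen = {}
    for line in wire.split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        seen[key] = value
    return seen


if __name__ == "__main__":
    fields = fields_from_url(NEWLINE_URL)
    print(helper_parse(write_naive(fields)))  # host is no longer good.example
    try:
        write_checked(fields)
    except ValueError as err:
        print("rejected:", err)
```
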
Comment 12 Swamp Workflow Management 2020-04-14 19:20:11 UTC
This is an autogenerated message for OBS integration:
This bug (1168930) was mentioned in
https://build.opensuse.org/request/show/793953 Factory / git
Comment 13 Swamp Workflow Management 2020-04-14 22:19:21 UTC
SUSE-SU-2020:0992-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1167890,1168930
CVE References: CVE-2020-5260
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1
SUSE OpenStack Cloud 8 (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1
SUSE OpenStack Cloud 7 (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1
SUSE Linux Enterprise Server 12-SP5 (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1
SUSE Linux Enterprise Server 12-SP4 (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1
SUSE Enterprise Storage 5 (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1
HPE Helion Openstack 8 (src):    git-2.26.0-27.27.1, pcre2-10.34-1.3.1, perl-CGI-4.38-1.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-04-14 22:22:19 UTC
SUSE-SU-2020:0991-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1168930
CVE References: CVE-2020-5260
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    git-2.16.4-3.20.1
SUSE Linux Enterprise Server 15-LTSS (src):    git-2.16.4-3.20.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    git-2.16.4-3.20.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    git-2.16.4-3.20.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    git-2.16.4-3.20.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    git-2.16.4-3.20.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    git-2.16.4-3.20.1

Comment 15 Andreas Stieger 2020-04-15 08:27:48 UTC
Will this be fixed in SUSE:SLE-15-SP2:GA/git?
Comment 16 Robert Frohl 2020-04-15 08:34:51 UTC
(In reply to Andreas Stieger from comment #15)
> Will this be fixed in SUSE:SLE-15-SP2:GA/git?

AFAIK this is currently synced once a week. Should be imported with the sync in the coming weekend.
Comment 17 Swamp Workflow Management 2020-04-16 13:16:51 UTC
openSUSE-SU-2020:0524-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1168930
CVE References: CVE-2020-5260
Sources used:
openSUSE Leap 15.1 (src):    git-2.16.4-lp151.4.6.1
Comment 23 Swamp Workflow Management 2020-04-28 10:38:04 UTC
SUSE-SU-2020:1121-1: An update that solves 15 vulnerabilities and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936
CVE References: CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    git-2.26.1-3.25.2
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    git-2.26.1-3.25.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    git-2.26.1-3.25.2

Comment 26 Swamp Workflow Management 2020-05-01 22:28:56 UTC
openSUSE-SU-2020:0598-1: An update that solves 15 vulnerabilities and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936
CVE References: CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260
Sources used:
openSUSE Leap 15.1 (src):    git-2.26.1-lp151.4.9.1
Comment 27 Markéta Machová 2020-05-18 09:15:18 UTC
"Spring bug cleanup": I think this is fixed.
Comment 28 Markéta Machová 2020-05-18 09:15:47 UTC
FIXED, I say...
Comment 30 OBSbugzilla Bot 2020-06-24 17:20:13 UTC
This is an autogenerated message for OBS integration:
This bug (1168930) was mentioned in
https://build.opensuse.org/request/show/816877 15.2 / git
Comment 31 Swamp Workflow Management 2021-07-29 10:16:57 UTC
openSUSE-SU-2021:2555-1: An update that solves one vulnerability, contains two features and has two fixes is now available.

Category: security (moderate)
Bug References: 1168930,1183026,1183580
CVE References: CVE-2021-21300
JIRA References: SLE-17838,SLE-18152
Sources used:
openSUSE Leap 15.3 (src):    git-2.31.1-10.3.1
Comment 32 Swamp Workflow Management 2021-07-29 10:18:24 UTC
SUSE-SU-2021:2555-1: An update that solves one vulnerability, contains two features and has two fixes is now available.

Category: security (moderate)
Bug References: 1168930,1183026,1183580
CVE References: CVE-2021-21300
JIRA References: SLE-17838,SLE-18152
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    git-2.31.1-10.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    git-2.31.1-10.3.1
