CLD-418 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-11235 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) git
Deficiency Type SECURITY
Date Created 2018-05-29 21:54:24
Date Last Modified 2018-05-30 18:00:02

Version Specific Information:

Cucumber 1.0 i686fixed in git-2.13.7-i686-1
Cucumber 1.0 x86_64fixed in git-2.13.7-x86_64-1

Cucumber 1.1 i686 fixed in git-2.13.7-i686-1
Cucumber 1.1 x86_64 fixed in git-2.13.7-x86_64-1


=================================== Overview ===================================

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before
2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a
crafted .gitmodules file, a malicious project can execute an arbitrary script
on a machine that runs "git clone --recurse-submodules" because submodule
"names" are obtained from this file, and then appended to $GIT_DIR/modules,
leading to directory traversal with "../" in a name. Finally, post-checkout
hooks from a submodule are executed, bypassing the intended design in which
hooks are not obtained from a remote server. 

================================ Initial Report ================================


 * Submodule "names" come from the untrusted .gitmodules file, but we
   blindly append them to $GIT_DIR/modules to create our on-disk repo
   paths. This means you can do bad things by putting "../" into the
   name. We now enforce some rules for submodule names which will cause
   Git to ignore these malicious names (CVE-2018-11235).

============================ Additional Information ============================

A much more in depth report can be found at

================================= Our Analysis =================================

----- Affected Products -----
Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before
2.16.4, and 2.17.x before 2.17.1 are vulnerable. All version of branches prior
to 2.13.x are vulnerable. This includes git as originally packaged in Cucumber
Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
Allows for arbitrary remote code execution when a user clones a maliciously
crafted git repository.

----- Testing if you are Affected -----
Run the following commands in a temporary directory:

  git init test && \
  cd test && \
  git update-index --add --cacheinfo 120000,e69de29bb2d1d6434b8b29ae775ad8c2e48c5391,.gitmodules

If you see the following in the output of these commands, git is not vulnerable.
Otherwise, it is:

  error: Invalid path '.gitmodules'
  fatal: git update-index: --cacheinfo cannot add .gitmodules


----- Fix for this Vulnerability -----
This vulnerability can be be upgrading to one of the following versions of git:
v2.13.7, v2.14.4, v2.15.2, v2.16.4 or v2.17.1.

We have not been able to find patches for older versions of git.

================================= Our Solution =================================

We have upgraded to git 2.13.7 on Cucumber Linux 1.0 and 1.1. We have upgraded
only to version 2.13.7 of git because that is the oldest branch that the fixes
are available for. Upgrading to a newer branch has the potential to break more
stuff, so we will make as small a version jump as possible.