CLD-418 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-11235 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) git
Deficiency Type SECURITY
Date Created 2018-05-29 21:54:24
Date Last Modified 2018-05-30 18:00:02

Version Specific Information:

Cucumber 1.0 i686 fixed in git-2.13.7-i686-1
Cucumber 1.0 x86_64 fixed in git-2.13.7-x86_64-1

Cucumber 1.1 i686 fixed in git-2.13.7-i686-1
Cucumber 1.1 x86_64 fixed in git-2.13.7-x86_64-1

Details:

=================================== Overview ===================================

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before
2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a
crafted .gitmodules file, a malicious project can execute an arbitrary script
on a machine that runs "git clone --recurse-submodules" because submodule
"names" are obtained from this file, and then appended to $GIT_DIR/modules,
leading to directory traversal with "../" in a name. Finally, post-checkout
hooks from a submodule are executed, bypassing the intended design in which
hooks are not obtained from a remote server.
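The traversal described above is detectable in a .gitmodules file before it is ever cloned. The following is an added example (not git's own name check and not part of this advisory): it parses the `[submodule "name"]` sections and flags any name that is empty or carries a ".." component, splitting on both "/" and "\" so the result does not depend on the platform. The sample file content is constructed for illustration.

```python
import re

# Constructed sample .gitmodules content: one benign entry and one whose
# submodule name carries a "../" traversal component as described above.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../../escape"]
\tpath = escape
\turl = https://example.invalid/escape.git
"""

# Matches a git-config subsection header such as: [submodule "name"]
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')


def has_traversal_component(name: str) -> bool:
    """True if name is empty or any '/'- or '\\'-separated component is '..'.

    Both separators are checked so the verdict is the same regardless of the
    platform the repository would be cloned on.
    """
    if not name:
        return True
    return any(part == ".." for part in re.split(r"[/\\]", name))


def parse_submodule_names(text: str) -> list:
    """Return the submodule names declared in .gitmodules text, in file order."""
    names = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            # Undo git-config escaping of \" and \\ inside the quoted name.
            names.append(re.sub(r"\\(.)", r"\1", m.group(1)))
    return names


def find_unsafe_submodule_names(text: str) -> list:
    """Return names that would land outside $GIT_DIR/modules/ when appended."""
    return [n for n in parse_submodule_names(text) if has_traversal_component(n)]


if __name__ == "__main__":
    for name in find_unsafe_submodule_names(SAMPLE_GITMODULES):
        print(f"unsafe submodule name: {name!r}")
```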

================================ Initial Report ================================

From https://lkml.org/lkml/2018/5/29/889:

 * Submodule "names" come from the untrusted .gitmodules file, but we
   blindly append them to $GIT_DIR/modules to create our on-disk repo
   paths. This means you can do bad things by putting "../" into the
   name. We now enforce some rules for submodule names which will cause
   Git to ignore these malicious names (CVE-2018-11235).

============================ Additional Information ============================

A much more in depth report can be found at
https://www.edwardthomson.com/blog/upgrading_git_for_cve2018_11235.html.

================================= Our Analysis =================================

----- Affected Products -----
Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before
2.16.4, and 2.17.x before 2.17.1 are vulnerable. All versions of branches prior
to 2.13.x are vulnerable. This includes git as originally packaged in Cucumber
Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
Allows for arbitrary remote code execution when a user clones a maliciously
crafted git repository.

----- Testing if you are Affected -----
Run the following commands in a temporary directory:

  git init test && \
  cd test && \
  git update-index --add --cacheinfo 120000,e69de29bb2d1d6434b8b29ae775ad8c2e48c5391,.gitmodules

If you see the following in the output of these commands, git is not vulnerable.
Otherwise, it is:

  error: Invalid path '.gitmodules'
  fatal: git update-index: --cacheinfo cannot add .gitmodules

Source: https://www.edwardthomson.com/blog/upgrading_git_for_cve2018_11235.html

----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading to one of the following versions
of git: v2.13.7, v2.14.4, v2.15.2, v2.16.4 or v2.17.1.

We have not been able to find patches for older versions of git.

================================= Our Solution =================================

We have upgraded to git 2.13.7 on Cucumber Linux 1.0 and 1.1. We have upgraded
only to version 2.13.7 of git because that is the oldest branch that the fixes
are available for. Upgrading to a newer branch has the potential to break more
stuff, so we will make as small a version jump as possible.