git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules

Status changed to 'Confirmed' because the bug affects multiple users.

DSA-4212-1
https://www.debian.org/security/2018/dsa-4212

The Ubuntu repo still provides the outdated git version 2.7.4.

This could be checked by running:

$ sudo apt-get update
$ sudo apt-cache policy git

This should be fixed with high priority.

Added CVE-2018-11233 because git before 2.13.7 is affctected by that bug as well.

Workaround: add stable repo from git-scm to get a fixed version

$ add-apt-repository ppa:git-core/ppa
$ apt update
$ apt install git

(from https://git-scm.com/download/linux )

Um, why hasn't Ubuntu released fixes yet? Ubuntu is usually much better about getting security fixes out quickly. What's the hold-up here?

There are CI systems for which the workaround can't be used. Do you have a patch timeline?

It looks like the fix is currently in cosmic-proposed.
https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu1

On Sat, Jun 02, 2018 at 01:22:36AM -0000, Anders Kaseorg wrote:
> It looks like the fix is currently in cosmic-proposed.
> https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu1

The -proposed pocket in the developement release is not intended for
human consumption: anything and everything gets pushed through that,
and is released to the devel release when autopackage tests pass.

The security updates are being prepared in the Ubuntu Security Proposed
PPA: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

I do not know the state of these packages, so please use them at your
own risk, but should you choose to use these packages, feedback on your
experience here may be helpful to us.

Thanks

As Seth said, I have now made packages for trusty through bionic available in the Ubuntu Security Proposed PPA: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages . They are awaiting testing, so please do not use them on data you care about; however, testing feedback from people would be appreciated.

Thanks!

Is there a git diff available for the change?

OK found it: http://launchpadlibrarian.net/372600366/git_1%3A2.17.0-1ubuntu1_1%3A2.17.1-1ubuntu1.diff.gz

This bug was fixed in the package git - 1:1.9.1-1ubuntu0.8

---------------
git (1:1.9.1-1ubuntu0.8) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via
    submodule names in .gitsubmodules.
    - 0005-submodule-config-verify-submodule-names-as-paths.patch
    - 0018-fsck-simplify-.git-check.patch
    - 0020-fsck-actually-fsck-blob-data.patch
    - 0025-fsck-detect-gitmodules-files.patch
    - 0026-fsck-check-.gitmodules-content.patch
    - 0027-fsck-call-fsck_finish-after-fscking-objects.patch
    - 0028-unpack-objects-call-fsck_finish-after-fscking-objects.patch
    - 0029-index-pack-check-.gitmodules-files-with-strict.patch
    - CVE-2018-11235 (LP: #1774061)
  * SECURITY UPDATE: out-of-bounds memory access when sanity-checking
    pathnames on NTFS
    - 0006-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
    - CVE-2018-11233
  * Do not allow .gitmodules to be a symlink:
  * debian/rules: ensure added tests are executable.
    - 0001-apply-reject-input-that-touches-outside-the-working-a.patch
    - 0002-apply-do-not-read-from-the-filesystem-under-index.patch
    - 0003-apply-do-not-read-from-beyond-a-symbolic-link.patch
    - 0004-apply-do-not-touch-a-file-beyond-a-symbolic-link.patch
    - 0007-is_hfs_dotgit-match-other-.git-files.patch
    - 0008-is_ntfs_dotgit-match-other-.git-files.patch
    - 0009-skip_prefix-add-case-insensitive-variant.patch
    - 0010-verify_path-drop-clever-fallthrough.patch
    - 0011-verify_dotfile-mention-case-insensitivity-in-comment.patch
    - 0012-update-index-stat-updated-files-earlier.patch
    - 0013-verify_path-disallow-symlinks-in-.gitmodules.patch
    - 0014-sha1_file-add-read_loose_object-function.patch
    - 0015-fsck-drop-inode-sorting-code.patch
    - 0016-fsck-parse-loose-object-paths-directly.patch
    - 0017-index-pack-make-fsck-error-message-more-specific.patch
    - 0019-fsck_object-allow-passing-object-data-separately-from.patch
    - 0021-add-a-hashtable-implementation-that-supports-O-1-rem.patch
    - 0022-hashmap.h-use-unsigned-int-for-hash-codes-everywhere.patch
    - 0023-hashmap-factor-out-getting-a-hash-code-from-a-SHA1.patch
    - 0024-hashmap-add-simplified-hashmap_get_from_hash-API.patch
    - 0030-fsck-complain-when-.gitmodules-is-a-symlink.patch
  * move patches from debian/diff to quilt debian/patch/, to avoid
    conflicts and overlooking already added patches
  * Thanks to Jonathan Nieder <email address hidden> of Debian for
    backporting to 2.1.x.

 -- Steve Beattie <email address hidden> Mon, 04 Jun 2018 10:56:07 -0700

This bug was fixed in the package git - 1:2.14.1-1ubuntu4.1

---------------
git (1:2.14.1-1ubuntu4.1) artful-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via
    submodule names in .gitsubmodules.
    - 0001-submodule-config-verify-submodule-names-as-paths.patch
    - 012-fsck-simplify-.git-check.patch
    - 013-fsck-actually-fsck-blob-data.patch
    - 014-fsck-detect-gitmodules-files.patch
    - 015-fsck-check-.gitmodules-content.patch
    - 016-fsck-call-fsck_finish-after-fscking-objects.patch
    - 017-unpack-objects-call-fsck_finish-after-fscking-object.patch
    - 018-index-pack-check-.gitmodules-files-with-strict.patch
    - CVE-2018-11235 (LP: #1774061)
  * SECURITY UPDATE: out-of-bounds memory access when sanity-checking
    pathnames on NTFS
    - 0002-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
    - CVE-2018-11233
  * Do not allow .gitmodules to be a symlink:
    - 003-is_hfs_dotgit-match-other-.git-files.patch
    - 004-is_ntfs_dotgit-match-other-.git-files.patch
    - 005-is_-hfs-ntfs-_dotgitmodules-add-tests.patch
    - 006-skip_prefix-add-case-insensitive-variant.patch
    - 007-verify_path-drop-clever-fallthrough.patch
    - 008-verify_dotfile-mention-case-insensitivity-in-comment.patch
    - 009-update-index-stat-updated-files-earlier.patch
    - 010-verify_path-disallow-symlinks-in-.gitmodules.patch
    - 011-index-pack-make-fsck-error-message-more-specific.patch
    - 019-fsck-complain-when-.gitmodules-is-a-symlink.patch
  * debian/rules: ensure added tests are executable.

 -- Steve Beattie <email address hidden> Thu, 31 May 2018 22:52:33 -0700

This bug was fixed in the package git - 1:2.17.1-1ubuntu0.1

---------------
git (1:2.17.1-1ubuntu0.1) bionic-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via submodule names
    in .gitsubmodules.
    - CVE-2018-11235
  * SECURITY UPDATE: out-of-bounds memory when sanity-checking
    pathnames on NTFS
    - CVE-2018-11233
  * Merge from Debian (LP: #1774061). Remaining changes:
    - debian/control: build against pcre v3 only
    - debian/rules: s390x libpcre3 library has JIT disabled, set
      NO_LIBPCRE1_JIT on that arch to stop the build from failing.

git (1:2.17.1-1) unstable; urgency=high

  * new upstream point release to fix CVE-2018-11235, arbitary code
    execution via submodule names in .gitmodules (see RelNotes/2.17.1.txt).

 -- Steve Beattie <email address hidden> Thu, 31 May 2018 10:50:28 -0700

This bug was fixed in the package git - 1:2.7.4-0ubuntu1.4

---------------
git (1:2.7.4-0ubuntu1.4) xenial-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via
    submodule names in .gitsubmodules.
    - 0014-fsck-simplify-.git-check.patch
    - 0015-fsck-actually-fsck-blob-data.patch
    - 0016-fsck-detect-gitmodules-files.patch
    - 0017-fsck-check-.gitmodules-content.patch
    - 0018-fsck-call-fsck_finish-after-fscking-objects.patch
    - 0019-unpack-objects-call-fsck_finish-after-fscking-object.patch
    - 0020-index-pack-check-.gitmodules-files-with-strict.patch
    - CVE-2018-11235 (LP: #1774061)
  * SECURITY UPDATE: out-of-bounds memory access when sanity-checking
    pathnames on NTFS
    - 0002-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
    - CVE-2018-11233
  * Do not allow .gitmodules to be a symlink:
    - 0003-is_hfs_dotgit-match-other-.git-files.patch
    - 0004-is_ntfs_dotgit-match-other-.git-files.patch
    - 0005-is_-hfs-ntfs-_dotgitmodules-add-tests.patch
    - 0006-skip_prefix-add-case-insensitive-variant.patch
    - 0007-verify_path-drop-clever-fallthrough.patch
    - 0008-verify_dotfile-mention-case-insensitivity-in-comment.patch
    - 0009-update-index-stat-updated-files-earlier.patch
    - 0010-verify_path-disallow-symlinks-in-.gitmodules.patch
    - 0011-sha1_file-add-read_loose_object-function.patch
    - 0012-fsck-parse-loose-object-paths-directly.patch
    - 0013-index-pack-make-fsck-error-message-more-specific.patch
    - 0021-fsck-complain-when-.gitmodules-is-a-symlink.patch
  * debian/rules: ensure added tests are executable.

 -- Steve Beattie <email address hidden> Fri, 01 Jun 2018 23:44:15 -0700

2.17.1-1ubuntu1 hasn’t migrated from cosmic-proposed, so this should still be Fix Committed, not Fix Released.

Is there a special reason why git does not get updated to 2.17.1 for xenial?

Jan: It’s not special. As a rule, stable releases almost never get version bumps outside of a handful of prominent packages that can’t be supported securely any other way (e.g. Firefox). Instead, individual security patches are backported. https://wiki.ubuntu.com/StableReleaseUpdates

git 2.7.4-0ubuntu1.4 in xenial-security has the security fix. If you want 2.17.1 in xenial, use the PPA (https://launchpad.net/~git-core/+archive/ubuntu/ppa).