git: CVE-2018-11235 arbitrary code execution via submodule names in .gitmodules

Bug #1774061 reported by Török Edwin on 2018-05-29
This bug affects 8 people
Affects: git (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Git v2.17.1, v2.13.7, v2.14.4, v2.15.2 and v2.16.4 contain a fix for CVE 2018-11235 announced here:
https://<email address hidden>/

Debian has fixed packages here: https://security-tracker.debian.org/tracker/CVE-2018-11235

I could not find the fixed packages for Ubuntu, the Ubuntu link on the above Debian tracker results in a 404, and there is no newer package available in the repository for 18.04 LTS.
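For readers auditing repositories they already have checked out, the following is an added example (not part of this bug report and not git's own code) of the name check that the fix carries: it mirrors, in Python, the rule from the upstream "submodule-config: verify submodule names as paths" change, which rejects a submodule name whose '/'- or '\'-separated components include "..", since git derives a path under .git/modules/ from that name. The sample .gitmodules content and the audit helper are constructed here for illustration.

```python
import re

# Matches a `[submodule "name"]` section header; the name may contain
# git-config escapes such as \\ and \".
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')

# Constructed sample: two benign names, two that a patched git rejects.
SAMPLE_GITMODULES = """\
[submodule "lib/vendored"]
\tpath = lib/vendored
\turl = https://example.invalid/vendored.git
[submodule "..hidden"]
\tpath = third_party/hidden
\turl = https://example.invalid/hidden.git
[submodule "../escape"]
\tpath = escape
\turl = https://example.invalid/escape.git
[submodule "a\\\\..\\\\b"]
\tpath = b
\turl = https://example.invalid/b.git
"""


def submodule_name_is_safe(name: str) -> bool:
    """True if `name` passes the component-wise check patched git applies.

    Modelled on the upstream rule (not a copy of it): the name must be
    non-empty, and no component may be exactly "..". Both '/' and '\\' are
    treated as separators on every platform, so "a\\..\\b" is rejected too,
    while "..hidden" is allowed because ".." is not a whole component.
    """
    if name == "":
        return False
    return all(component != ".." for component in re.split(r"[/\\]", name))


def _unquote(raw: str) -> str:
    # Undo git-config quoting (backslash-escaped characters) in the name.
    return re.sub(r"\\(.)", r"\1", raw)


def audit_gitmodules(text: str):
    """Return [(name, is_safe)] for each [submodule "..."] section in text."""
    results = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            name = _unquote(m.group(1))
            results.append((name, submodule_name_is_safe(name)))
    return results


if __name__ == "__main__":
    for name, ok in audit_gitmodules(SAMPLE_GITMODULES):
        print(f"{'OK     ' if ok else 'REJECT '} {name!r}")
```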

CVE References

information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in git (Ubuntu):
status: New → Confirmed
summary: - git: CVE 2018-11235 arbitary code execution via submodule names in
+ git: CVE-2018-11235 arbitary code execution via submodule names in
.gitmodules
Jan Bauer (jbauersmt) wrote :

The Ubuntu repo still provides the outdated git version 2.7.4.

This could be checked by running:

$ sudo apt-get update
$ sudo apt-cache policy git

This should be fixed with high priority.

Jan Bauer (jbauersmt) wrote :

Added CVE-2018-11233 because git before 2.13.7 is affected by that bug as well.

Jan Bauer (jbauersmt) wrote :

Workaround: add stable repo from git-scm to get a fixed version

$ add-apt-repository ppa:git-core/ppa
$ apt update
$ apt install git

(from https://git-scm.com/download/linux )

Jonathan Kamens (jik) wrote :

Um, why hasn't Ubuntu released fixes yet? Ubuntu is usually much better about getting security fixes out quickly. What's the hold-up here?

Arya Popescu (elfakyn) wrote :

There are CI systems for which the workaround can't be used. Do you have a patch timeline?

Anders Kaseorg (andersk) wrote :

It looks like the fix is currently in cosmic-proposed.
https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu1

Changed in git (Ubuntu):
status: Confirmed → Fix Committed

On Sat, Jun 02, 2018 at 01:22:36AM -0000, Anders Kaseorg wrote:
> It looks like the fix is currently in cosmic-proposed.
> https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu1

The -proposed pocket in the development release is not intended for
human consumption: anything and everything gets pushed through that,
and is released to the devel release when autopackage tests pass.

The security updates are being prepared in the Ubuntu Security Proposed
PPA: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

I do not know the state of these packages, so please use them at your
own risk, but should you choose to use these packages, feedback on your
experience here may be helpful to us.

Thanks

Steve Beattie (sbeattie) wrote :

As Seth said, I have now made packages for trusty through bionic available in the Ubuntu Security Proposed PPA: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages . They are awaiting testing, so please do not use them on data you care about; however, testing feedback from people would be appreciated.

Thanks!

Jan Bauer (jbauersmt) wrote :

Is there a git diff available for the change?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:1.9.1-1ubuntu0.8

---------------
git (1:1.9.1-1ubuntu0.8) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via
    submodule names in .gitsubmodules.
    - 0005-submodule-config-verify-submodule-names-as-paths.patch
    - 0018-fsck-simplify-.git-check.patch
    - 0020-fsck-actually-fsck-blob-data.patch
    - 0025-fsck-detect-gitmodules-files.patch
    - 0026-fsck-check-.gitmodules-content.patch
    - 0027-fsck-call-fsck_finish-after-fscking-objects.patch
    - 0028-unpack-objects-call-fsck_finish-after-fscking-objects.patch
    - 0029-index-pack-check-.gitmodules-files-with-strict.patch
    - CVE-2018-11235 (LP: #1774061)
  * SECURITY UPDATE: out-of-bounds memory access when sanity-checking
    pathnames on NTFS
    - 0006-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
    - CVE-2018-11233
  * Do not allow .gitmodules to be a symlink:
  * debian/rules: ensure added tests are executable.
    - 0001-apply-reject-input-that-touches-outside-the-working-a.patch
    - 0002-apply-do-not-read-from-the-filesystem-under-index.patch
    - 0003-apply-do-not-read-from-beyond-a-symbolic-link.patch
    - 0004-apply-do-not-touch-a-file-beyond-a-symbolic-link.patch
    - 0007-is_hfs_dotgit-match-other-.git-files.patch
    - 0008-is_ntfs_dotgit-match-other-.git-files.patch
    - 0009-skip_prefix-add-case-insensitive-variant.patch
    - 0010-verify_path-drop-clever-fallthrough.patch
    - 0011-verify_dotfile-mention-case-insensitivity-in-comment.patch
    - 0012-update-index-stat-updated-files-earlier.patch
    - 0013-verify_path-disallow-symlinks-in-.gitmodules.patch
    - 0014-sha1_file-add-read_loose_object-function.patch
    - 0015-fsck-drop-inode-sorting-code.patch
    - 0016-fsck-parse-loose-object-paths-directly.patch
    - 0017-index-pack-make-fsck-error-message-more-specific.patch
    - 0019-fsck_object-allow-passing-object-data-separately-from.patch
    - 0021-add-a-hashtable-implementation-that-supports-O-1-rem.patch
    - 0022-hashmap.h-use-unsigned-int-for-hash-codes-everywhere.patch
    - 0023-hashmap-factor-out-getting-a-hash-code-from-a-SHA1.patch
    - 0024-hashmap-add-simplified-hashmap_get_from_hash-API.patch
    - 0030-fsck-complain-when-.gitmodules-is-a-symlink.patch
  * move patches from debian/diff to quilt debian/patch/, to avoid
    conflicts and overlooking already added patches
  * Thanks to Jonathan Nieder <email address hidden> of Debian for
    backporting to 2.1.x.

 -- Steve Beattie <email address hidden> Mon, 04 Jun 2018 10:56:07 -0700

Changed in git (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.14.1-1ubuntu4.1

---------------
git (1:2.14.1-1ubuntu4.1) artful-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via
    submodule names in .gitsubmodules.
    - 0001-submodule-config-verify-submodule-names-as-paths.patch
    - 012-fsck-simplify-.git-check.patch
    - 013-fsck-actually-fsck-blob-data.patch
    - 014-fsck-detect-gitmodules-files.patch
    - 015-fsck-check-.gitmodules-content.patch
    - 016-fsck-call-fsck_finish-after-fscking-objects.patch
    - 017-unpack-objects-call-fsck_finish-after-fscking-object.patch
    - 018-index-pack-check-.gitmodules-files-with-strict.patch
    - CVE-2018-11235 (LP: #1774061)
  * SECURITY UPDATE: out-of-bounds memory access when sanity-checking
    pathnames on NTFS
    - 0002-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
    - CVE-2018-11233
  * Do not allow .gitmodules to be a symlink:
    - 003-is_hfs_dotgit-match-other-.git-files.patch
    - 004-is_ntfs_dotgit-match-other-.git-files.patch
    - 005-is_-hfs-ntfs-_dotgitmodules-add-tests.patch
    - 006-skip_prefix-add-case-insensitive-variant.patch
    - 007-verify_path-drop-clever-fallthrough.patch
    - 008-verify_dotfile-mention-case-insensitivity-in-comment.patch
    - 009-update-index-stat-updated-files-earlier.patch
    - 010-verify_path-disallow-symlinks-in-.gitmodules.patch
    - 011-index-pack-make-fsck-error-message-more-specific.patch
    - 019-fsck-complain-when-.gitmodules-is-a-symlink.patch
  * debian/rules: ensure added tests are executable.

 -- Steve Beattie <email address hidden> Thu, 31 May 2018 22:52:33 -0700

Changed in git (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.17.1-1ubuntu0.1

---------------
git (1:2.17.1-1ubuntu0.1) bionic-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via submodule names
    in .gitsubmodules.
    - CVE-2018-11235
  * SECURITY UPDATE: out-of-bounds memory when sanity-checking
    pathnames on NTFS
    - CVE-2018-11233
  * Merge from Debian (LP: #1774061). Remaining changes:
    - debian/control: build against pcre v3 only
    - debian/rules: s390x libpcre3 library has JIT disabled, set
      NO_LIBPCRE1_JIT on that arch to stop the build from failing.

git (1:2.17.1-1) unstable; urgency=high

  * new upstream point release to fix CVE-2018-11235, arbitrary code
    execution via submodule names in .gitmodules (see RelNotes/2.17.1.txt).

 -- Steve Beattie <email address hidden> Thu, 31 May 2018 10:50:28 -0700

Changed in git (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.7.4-0ubuntu1.4

---------------
git (1:2.7.4-0ubuntu1.4) xenial-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via
    submodule names in .gitsubmodules.
    - 0014-fsck-simplify-.git-check.patch
    - 0015-fsck-actually-fsck-blob-data.patch
    - 0016-fsck-detect-gitmodules-files.patch
    - 0017-fsck-check-.gitmodules-content.patch
    - 0018-fsck-call-fsck_finish-after-fscking-objects.patch
    - 0019-unpack-objects-call-fsck_finish-after-fscking-object.patch
    - 0020-index-pack-check-.gitmodules-files-with-strict.patch
    - CVE-2018-11235 (LP: #1774061)
  * SECURITY UPDATE: out-of-bounds memory access when sanity-checking
    pathnames on NTFS
    - 0002-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
    - CVE-2018-11233
  * Do not allow .gitmodules to be a symlink:
    - 0003-is_hfs_dotgit-match-other-.git-files.patch
    - 0004-is_ntfs_dotgit-match-other-.git-files.patch
    - 0005-is_-hfs-ntfs-_dotgitmodules-add-tests.patch
    - 0006-skip_prefix-add-case-insensitive-variant.patch
    - 0007-verify_path-drop-clever-fallthrough.patch
    - 0008-verify_dotfile-mention-case-insensitivity-in-comment.patch
    - 0009-update-index-stat-updated-files-earlier.patch
    - 0010-verify_path-disallow-symlinks-in-.gitmodules.patch
    - 0011-sha1_file-add-read_loose_object-function.patch
    - 0012-fsck-parse-loose-object-paths-directly.patch
    - 0013-index-pack-make-fsck-error-message-more-specific.patch
    - 0021-fsck-complain-when-.gitmodules-is-a-symlink.patch
  * debian/rules: ensure added tests are executable.

 -- Steve Beattie <email address hidden> Fri, 01 Jun 2018 23:44:15 -0700

Changed in git (Ubuntu):
status: Fix Committed → Fix Released
Anders Kaseorg (andersk) wrote :

2.17.1-1ubuntu1 hasn’t migrated from cosmic-proposed, so this should still be Fix Committed, not Fix Released.

Steve Beattie (sbeattie) on 2018-06-06
Changed in git (Ubuntu):
status: Fix Released → Fix Committed
Jan Bauer (jbauersmt) wrote :

Is there a special reason why git does not get updated to 2.17.1 for xenial?

Anders Kaseorg (andersk) wrote :

Jan: It’s not special. As a rule, stable releases almost never get version bumps outside of a handful of prominent packages that can’t be supported securely any other way (e.g. Firefox). Instead, individual security patches are backported. https://wiki.ubuntu.com/StableReleaseUpdates

git 2.7.4-0ubuntu1.4 in xenial-security has the security fix. If you want 2.17.1 in xenial, use the PPA (https://launchpad.net/~git-core/+archive/ubuntu/ppa).

Jeremy Bicha (jbicha) on 2018-10-15
Changed in git (Ubuntu):
status: Fix Committed → Fix Released