ASA-2019-00660 – Git: Submodule update command execution


Allele Security Alert

ASA-2019-00660

Identifier(s)

ASA-2019-00660, CVE-2019-19604

Title

Submodule update command execution

Vendor(s)

the Git project

Product(s)

Git

Affected version(s)

Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2

The vulnerability was introduced in v2.20.0-rc0

Git versions since the following commit:

submodule--helper: introduce new update-module-mode helper
https://git.kernel.org/pub/scm/git/git.git/commit/?id=ee69b2a9

Fixed version(s)

Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2

Git versions with the following commits applied:

submodule: reject submodule.update = !command in .gitmodules
https://git.kernel.org/pub/scm/git/git.git/commit/?id=e904deb89d9a9669a76a426182506a084d3f6308

fsck: reject submodule.update = !command in .gitmodules
https://git.kernel.org/pub/scm/git/git.git/commit/?id=bb92255ebe6bccd76227e023d6d0bc997e318ad0

submodule: defend against submodule.update = !command in .gitmodules
https://git.kernel.org/pub/scm/git/git.git/commit/?id=c1547450748fcbac21675f2681506d2d80351a19

Proof of concept

Yes

Description

Arbitrary command execution is possible in Git because a “git submodule update” operation can run commands found in the .gitmodules file of a malicious repository.
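As an added defensive check (written for this alert, not Git's own code), the following Python scanner parses a .gitmodules file and flags any submodule whose update setting begins with "!", the exact shape the fix commits above reject; the function names and the sample file contents are assumptions, and the value shown is a harmless placeholder.

```python
import re

# Added check (not Git's own code): flag submodule.<name>.update values that
# begin with "!" in a .gitmodules file. On the affected Git versions such a
# value, read from the repository's own .gitmodules, was run as a shell
# command by "git submodule update". Function and sample names are assumed.
SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]*)"\]')
KEY_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')


def parse_gitmodules(text):
    """Return {submodule name: {key: value}} from the [submodule "..."] sections."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = SECTION_RE.match(line)
        if m:                                     # new [submodule "name"] section
            current = modules.setdefault(m.group("name"), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            value = m.group("value").strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]               # Git strips surrounding quotes
            current[m.group("key").lower()] = value   # keys are case-insensitive
    return modules


def find_command_updates(text):
    """Names of submodules whose 'update' setting would run a shell command."""
    return sorted(name for name, keys in parse_gitmodules(text).items()
                  if keys.get("update", "").startswith("!"))


# Constructed sample: one normal entry and one carrying the rejected setting.
SAMPLE = """\
[submodule "lib/safe"]
\tpath = lib/safe
\turl = https://example.invalid/safe.git
\tupdate = checkout
[submodule "lib/flagged"]
\tpath = lib/flagged
\turl = https://example.invalid/flagged.git
\tupdate = !echo placeholder-command
"""

if __name__ == "__main__":
    for name in find_command_updates(SAMPLE):
        print(f"refusing to update submodule {name!r}: update setting runs a command")
```

Running the scanner over a freshly cloned repository before `git submodule update` on an unpatched Git gives the same decision the patched versions make for you: entries with a "!" update value are never honoured from .gitmodules.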

Technical details

Unknown

Credits

Joern Schneeweisz (GitLab Security Research Team)

Reference(s)

[ANNOUNCE] Git v2.24.1 and others
https://lkml.org/lkml/2019/12/10/905

add git submodule advisory for CVE-2019-19604
https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md

submodule: reject submodule.update = !command in .gitmodules
https://git.kernel.org/pub/scm/git/git.git/commit/?id=e904deb89d9a9669a76a426182506a084d3f6308

fsck: reject submodule.update = !command in .gitmodules
https://git.kernel.org/pub/scm/git/git.git/commit/?id=bb92255ebe6bccd76227e023d6d0bc997e318ad0

submodule: defend against submodule.update = !command in .gitmodules
https://git.kernel.org/pub/scm/git/git.git/commit/?id=c1547450748fcbac21675f2681506d2d80351a19

submodule--helper: introduce new update-module-mode helper
https://git.kernel.org/pub/scm/git/git.git/commit/?id=ee69b2a90c5031bffb3341c5e50653a6ecca89ac

submodule--helper: introduce new update-module-mode helper
https://github.com/git/git/commit/ee69b2a90c5031bffb3341c5e50653a6ecca89ac

Git v2.24.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.24.1.txt

Git v2.23.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.23.1.txt

Git v2.22.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.22.2.txt

Git v2.21.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.21.1.txt

Git v2.20.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.20.2.txt

CVE-2019-19604
https://security.archlinux.org/CVE-2019-19604

CVE-2019-19604 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-19604

CVE-2019-19604 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19604.html

CVE-2019-19604 | SUSE
https://www.suse.com/security/cve/CVE-2019-19604

CVE-2019-19604
https://security-tracker.debian.org/tracker/CVE-2019-19604

CVE-2019-19604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19604

CVE-2019-19604
https://nvd.nist.gov/vuln/detail/CVE-2019-19604

If there is any error in this alert, or you would like a comprehensive analysis, let us know.

Last modified: December 12, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.