Allele Security Alert
ASA-2019-00660
Identifier(s)
ASA-2019-00660, CVE-2019-19604
Title
Submodule update command execution
Vendor(s)
the Git project
Product(s)
Git
Affected version(s)
Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2
The vulnerability was introduced in v2.20.0-rc0
Git versions since the following commit:
submodule–helper: introduce new update-module-mode helper
https://git.kernel.org/pub/scm/git/git.git/commit/?id=ee69b2a9
Fixed version(s)
Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2
Git versions with the following commits applied:
submodule: reject submodule.update = !command in .gitmodules
https://git.kernel.org/pub/scm/git/git.git/commit/?id=e904deb89d9a9669a76a426182506a084d3f6308
fsck: reject submodule.update = !command in .gitmodules
https://git.kernel.org/pub/scm/git/git.git/commit/?id=bb92255ebe6bccd76227e023d6d0bc997e318ad0
submodule: defend against submodule.update = !command in .gitmodules
https://git.kernel.org/pub/scm/git/git.git/commit/?id=c1547450748fcbac21675f2681506d2d80351a19
Proof of concept
Yes
Description
Arbitrary command execution is possible in Git because a “git submodule update” operation can run commands found in the .gitmodules file of a malicious repository.
Technical details
Unknown
Credits
Joern Schneeweisz (GitLab Security Research Team)
Reference(s)
[ANNOUNCE] Git v2.24.1 and others
https://lkml.org/lkml/2019/12/10/905
add git submodule advisory for CVE-2019-19604
https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md
submodule: reject submodule.update = !command in .gitmodules
https://git.kernel.org/pub/scm/git/git.git/commit/?id=e904deb89d9a9669a76a426182506a084d3f6308
fsck: reject submodule.update = !command in .gitmodules
https://git.kernel.org/pub/scm/git/git.git/commit/?id=bb92255ebe6bccd76227e023d6d0bc997e318ad0
submodule: defend against submodule.update = !command in .gitmodules
https://git.kernel.org/pub/scm/git/git.git/commit/?id=c1547450748fcbac21675f2681506d2d80351a19
submodule–helper: introduce new update-module-mode helper
https://git.kernel.org/pub/scm/git/git.git/commit/?id=ee69b2a90c5031bffb3341c5e50653a6ecca89ac
submodule–helper: introduce new update-module-mode helper
https://github.com/git/git/commit/ee69b2a90c5031bffb3341c5e50653a6ecca89ac
Git v2.24.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.24.1.txt
Git v2.23.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.23.1.txt
Git v2.22.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.22.2.txt
Git v2.21.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.21.1.txt
Git v2.20.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.20.2.txt
CVE-2019-19604
https://security.archlinux.org/CVE-2019-19604
CVE-2019-19604 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-19604
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19604.html
CVE-2019-19604 | SUSE
https://www.suse.com/security/cve/CVE-2019-19604
CVE-2019-19604
https://security-tracker.debian.org/tracker/CVE-2019-19604
CVE-2019-19604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19604
CVE-2019-19604
https://nvd.nist.gov/vuln/detail/CVE-2019-19604
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: December 12, 2019