Allele Security Alert
ASA-2019-00661
Identifier(s)
ASA-2019-00661, CVE-2019-1348
Title
Arbitrary path overwriting via export-marks command option
Vendor(s)
the Git project
Product(s)
Git
Affected version(s)
Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2
Git versions 2.19.x before 2.19.3
Git versions 2.18.x before 2.18.2
Git versions 2.17.x before 2.17.3
Git versions 2.16.x before 2.16.6
Git versions 2.15.x before 2.15.4
Git versions 2.14.x before 2.14.6
Fixed version(s)
Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2
Git version 2.19.3
Git version 2.18.2
Git version 2.17.3
Git version 2.16.6
Git version 2.15.4
Git version 2.14.6
Git versions with the following commit:
fast-import: disallow “feature export-marks” by default
https://git.kernel.org/pub/scm/git/git.git/commit/?id=68061e3470210703cb15594194718d35094afdc0
Proof of concept
Unknown
Description
The --export-marks option of git fast-import is also exposed via the in-stream command feature export-marks=…, which allows overwriting arbitrary paths.
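A pre-flight check for an untrusted stream before it is piped to git fast-import on an unpatched version, added here as an example (not code from this alert or from the Git project): it reports in-stream feature export-marks= commands and skips the payloads of data commands. The function name and the sample stream are constructed; the data framing follows the git fast-import stream format.

```python
import re

FEATURE = b"feature export-marks="
DATA_COUNT = re.compile(rb"data (\d+)$")    # data <n>: n raw bytes follow
DATA_DELIM = re.compile(rb"data <<(.+)$")   # data <<DELIM: ends at a DELIM line

def find_export_marks(stream: bytes):
    """Return [(line_no, path)] for each in-stream export-marks feature command.

    Payloads of data commands are skipped, so file or commit-message
    content that merely looks like the command is not reported.
    """
    hits, pos, line_no, delim = [], 0, 0, None
    while pos < len(stream):
        end = stream.find(b"\n", pos)
        if end == -1:
            end = len(stream)
        line, pos, line_no = stream[pos:end], end + 1, line_no + 1
        if delim is not None:               # inside a delimited payload
            if line == delim:
                delim = None
            continue
        counted = DATA_COUNT.match(line)
        delimited = DATA_DELIM.match(line)
        if counted:                         # skip exactly n raw bytes
            n = int(counted.group(1))
            line_no += stream[pos:pos + n].count(b"\n")
            pos += n
        elif delimited:
            delim = delimited.group(1)
        elif line.startswith(FEATURE):      # path is chosen by the stream author
            hits.append((line_no, line[len(FEATURE):]))
    return hits

# Constructed sample: one real feature command, two look-alikes inside payloads.
BLOB = b"feature export-marks=inside-a-blob\n"
SAMPLE = (
    b"feature done\n"
    b"feature export-marks=/tmp/constructed/marks.out\n"
    b"blob\nmark :1\n"
    + b"data %d\n" % len(BLOB) + BLOB +
    b"commit refs/heads/main\n"
    b"committer C <c@example.invalid> 0 +0000\n"
    b"data <<EOT\nfeature export-marks=inside-a-message\nEOT\n"
    b"done\n"
)

if __name__ == "__main__":
    print(find_export_marks(SAMPLE))
```

A non-empty result means the stream itself names a file for git fast-import to write, so it should be rejected or reviewed before import.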
Technical details
Unknown
Credits
Unknown
Reference(s)
[ANNOUNCE] Git v2.24.1 and others
https://lkml.org/lkml/2019/12/10/905
fast-import: disallow “feature export-marks” by default
https://git.kernel.org/pub/scm/git/git.git/commit/?id=68061e3470210703cb15594194718d35094afdc0
fast-import: disallow “feature export-marks” by default
https://github.com/git/git/commit/68061e3470210703cb15594194718d35094afdc0
Git v2.24.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.24.1.txt
Git v2.23.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.23.1.txt
Git v2.22.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.22.2.txt
Git v2.21.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.21.1.txt
Git v2.20.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.20.2.txt
Git v2.19.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.19.3.txt
Git v2.18.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.18.2.txt
Git v2.17.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.17.3.txt
Git v2.16.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.16.6.txt
Git v2.15.4 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.15.4.txt
Git v2.14.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.14.6.txt
CVE-2019-1348
https://security.archlinux.org/CVE-2019-1348
CVE-2019-1348 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-1348
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1348.html
CVE-2019-1348
https://security-tracker.debian.org/tracker/CVE-2019-1348
CVE-2019-1348
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348
CVE-2019-1348
https://nvd.nist.gov/vuln/detail/CVE-2019-1348
Last modified: December 12, 2019