SecurityTracker.com
Category:   Application (Generic)  >   Git
Vendors:   kernel.org
Git Submodule Name Validation Flaw Lets Remote Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID:  1040991
SecurityTracker URL:  http://securitytracker.com/id/1040991
CVE Reference:   CVE-2018-11233, CVE-2018-11235
Date:  May 29 2018
Impact:   Disclosure of system information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Two vulnerabilities were reported in Git. A remote user can execute arbitrary code on the target system. A user can obtain portions of system memory.

The software does not properly validate submodule "names" supplied via the untrusted .gitmodules file when appending them to the '$GIT_DIR/modules' directory. A remote repository can return specially crafted data to create or overwrite files on the target user's system when the repository is cloned, causing arbitrary code to be executed on the target user's system [CVE-2018-11235].

Etienne Stalmans reported this vulnerability.
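
The name check described above, as an added example (not Git's own code and not part of the advisory): a Python audit of .gitmodules content that flags unsafe submodule names and shows where $GIT_DIR/modules/<name> would resolve. The rule used (reject empty names and ".." path components, with both "/" and "\" as separators), the /repo/.git directory, the sample file and all function names are assumptions made for illustration.

```python
import posixpath
import re

# Section header as written in .gitmodules: [submodule "<name>"]
_HEADER = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$',
                     re.IGNORECASE)

def submodule_names(gitmodules_text):
    """Yield each submodule name declared in .gitmodules content."""
    for line in gitmodules_text.splitlines():
        m = _HEADER.match(line)
        if m:
            # Undo the config-file escaping of \" and \\ inside the quotes.
            yield re.sub(r'\\(.)', r'\1', m.group(1))

def name_is_safe(name):
    """Reject empty names and names with '..' as a path component.
    Both '/' and '\\' count as separators on every platform."""
    if not name:
        return False
    return ".." not in re.split(r'[/\\]', name)

def modules_path(git_dir, name):
    """Path derived by blind appending: $GIT_DIR/modules/<name>, normalised."""
    return posixpath.normpath(posixpath.join(git_dir, "modules", name))

def audit(gitmodules_text, git_dir="/repo/.git"):
    """Return (name, safe, resolved_path) for every declared submodule."""
    return [(n, name_is_safe(n), modules_path(git_dir, n))
            for n in submodule_names(gitmodules_text)]

# Constructed sample: one ordinary entry, one whose name climbs out of modules/.
SAMPLE = '''\
[submodule "libs/zlib"]
    path = libs/zlib
    url = https://example.com/zlib.git
[submodule "../../outside"]
    path = vendor/x
    url = https://example.com/x.git
'''

if __name__ == "__main__":
    for name, safe, path in audit(SAMPLE):
        print(f"{'ok    ' if safe else 'REJECT'} {name!r} -> {path}")
```

The second entry resolves outside $GIT_DIR/modules, which is the condition the fixed releases refuse by ignoring such names.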

A user can exploit an input validation flaw in processing path names on NTFS-based systems to read random memory contents [CVE-2018-11233].

Impact:   A remote user can execute arbitrary code on the target system.

A user can obtain portions of system memory.

Solution:   The vendor has issued a fix (2.17.1).

The vendor advisory is available at:

https://github.com/git/git/blob/master/Documentation/RelNotes/2.17.1.txt

Vendor URL:  git-scm.com
Cause:   Input validation error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 6 2018 (Ubuntu Issues Fix) Git Submodule Name Validation Flaw Lets Remote Users Execute Arbitrary Code on the Target System
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS, 16.04 LTS, 17.10, and 18.04 LTS.
Jun 13 2018 (Apple Issues Fix for Apple Xcode) Git Submodule Name Validation Flaw Lets Remote Users Execute Arbitrary Code on the Target System
Apple has issued a fix for Apple Xcode.
Jun 21 2018 (Red Hat Issues Fix) Git Submodule Name Validation Flaw Lets Remote Users Execute Arbitrary Code on the Target System
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Jun 21 2018 (Oracle Issues Fix for Oracle Linux) Git Submodule Name Validation Flaw Lets Remote Users Execute Arbitrary Code on the Target System
Oracle has issued a fix for Oracle Linux 7.



 Source Message Contents

Subject:  [ANNOUNCE] Git v2.17.1, v2.13.7, v2.14.4, v2.15.2 and v2.16.4

The latest maintenance release Git v2.17.1 and updates to older
maintenance tracks are now available at the usual places.

The tarballs are found at:

    https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of the 'v2.17.1'
tag and the 'maint' branch that the tag points at, as well as the
v2.13.7, v2.14.4, v2.15.2 and v2.16.4 tags:

  url = https://kernel.googlesource.com/pub/scm/git/git
  url = git://repo.or.cz/alt-git.git
  url = https://github.com/gitster/git

----------------------------------------------------------------

Git v2.17.1 Release Notes
=========================

Fixes since v2.17
-----------------

 * This release contains the same fixes made in the v2.13.7 version of
   Git, covering CVE-2018-11233 and 11235, and forward-ported to
   v2.14.4, v2.15.2 and v2.16.4 releases.  See release notes to
   v2.13.7 for details.

 * In addition to the above fixes, this release adds support on the
   server side that rejects pushes to repositories that attempt to
   create such problematic .gitmodules file etc. as tracked
   contents, to help hosting sites protect their customers with
   older clients by preventing malicious contents from spreading.
   This is enabled by the same receive.fsckObjects configuration on
   the server side as other security and sanity related checks
   (e.g. rejecting tree entry ".GIT" in a wrong case as tracked
   contents, targeting victims on case insensitive systems) that
   have already been implemented in the past releases.  It is
   recommended to double check your configuration if you are hosting
   contents for other people.


Git v2.13.7 Release Notes
=========================

Fixes since v2.13.6
-------------------

 * Submodule "names" come from the untrusted .gitmodules file, but we
   blindly append them to $GIT_DIR/modules to create our on-disk repo
   paths. This means you can do bad things by putting "../" into the
   name. We now enforce some rules for submodule names which will cause
   Git to ignore these malicious names (CVE-2018-11235).

   Credit for finding this vulnerability and the proof of concept from
   which the test script was adapted goes to Etienne Stalmans.

 * It was possible to trick the code that sanity-checks paths on NTFS
   into reading a random piece of memory (CVE-2018-11233).

Credit for fixing these bugs goes to Jeff King, Johannes
Schindelin and others.

----------------------------------------------------------------
 
 

