Arch Linux Security Advisory ASA-201912-6
=========================================

Severity: High
Date    : 2019-12-18
CVE-ID  : CVE-2019-1348 CVE-2019-1349 CVE-2019-1352 CVE-2019-1387
          CVE-2019-19604
Package : git
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1073

Summary
=======

The package git before version 2.24.1-1 is vulnerable to arbitrary code
execution.

Resolution
==========

Upgrade to 2.24.1-1.

# pacman -Syu "git>=2.24.1-1"

The problems have been fixed upstream in version 2.24.1.

Workaround
==========

None.

Description
===========

- CVE-2019-1348 (arbitrary code execution)

A security issue has been found in git before 2.24.1 where the
--export-marks option of git fast-import is exposed also via the
in-stream command feature export-marks=... and it allows overwriting
arbitrary paths.

- CVE-2019-1349 (arbitrary code execution)

A security issue has been found in git before 2.24.1 when using
submodule paths that refer to the same file system entity (e.g. using
the NTFS Alternate Data Streams attack mentioned in CVE-2019-1352 where
files would be written to the `.git/` directory using a synonymous
directory name), it was possible to "squat" on the `git~1` shortname on
NTFS drives, opening attacks via `git~2`. This also affects Git when
run as a Linux application inside the Windows Subsystem for Linux.

- CVE-2019-1352 (arbitrary code execution)

A security issue has been found in git before 2.24.1 where it was
unaware of NTFS Alternate Data Streams, allowing files inside the .git/
directory to be overwritten during a clone.

- CVE-2019-1387 (arbitrary code execution)

A security issue has been found in git before 2.24.1 where recursive
clones are currently affected by a vulnerability that is caused by
too-lax validation of submodule names, allowing very targeted attacks
via remote code execution in recursive clones.

- CVE-2019-19604 (arbitrary code execution)

A security issue has been found in git before 2.24.1, and it is now
disallowed for `.gitmodules` to have entries that set
`submodule.<name>.update=!command`. This fixes the vulnerability in Git
v2.20.0 and later where a recursive clone followed by a submodule
update could execute code contained within the repository without the
user explicitly having asked for that.

Impact
======

A remote attacker can overwrite files and execute code by abusing NTFS
paths, submodules and fast-import.

References
==========

https://github.com/git/git/commit/68061e3470210703cb15594194718d35094afdc0
https://lkml.org/lkml/2019/12/10/905
https://github.com/git/git/commit/0060fd1511b94c918928fa3708f69a3f33895a4a
https://github.com/git/git/commit/7c3745fc6185495d5765628b4dfe1bd2c25a2981
https://github.com/git/git/commit/a8dee3ca610f5a1d403634492136c887f83b59d2
https://github.com/git/git/commit/c1547450748fcbac21675f2681506d2d80351a19
https://security.archlinux.org/CVE-2019-1348
https://security.archlinux.org/CVE-2019-1349
https://security.archlinux.org/CVE-2019-1352
https://security.archlinux.org/CVE-2019-1387
https://security.archlinux.org/CVE-2019-19604
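
One way to audit a repository's `.gitmodules` for the entries described under CVE-2019-19604 (a submodule `update` value that starts with `!`), as an added example that is not part of the advisory or of git. The function name and the sample file are constructed for illustration, and the parser assumes the common one-line `key = value` form without backslash continuations.

```python
import re

# Matches a git-config section header such as: [submodule "libs/foo"]
SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
# Matches "key = value"; key names are case-insensitive in git config
KEYVAL = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')

# Constructed sample .gitmodules content (not taken from a real repository)
SAMPLE = """\
[submodule "docs"]
    path = docs
    url = https://example.invalid/docs.git
    update = rebase
[submodule "vendor/lib"]
    path = vendor/lib
    url = https://example.invalid/lib.git
    Update = !command
"""


def find_command_updates(gitmodules_text):
    """Return [(submodule_name, line_number, value)] for every
    submodule.<name>.update entry whose value starts with '!'."""
    findings = []
    section, name = None, None
    for lineno, raw in enumerate(gitmodules_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = SECTION.match(line)
        if m:
            section, name = m.group(1).lower(), m.group(2)
            line = line[m.end():].strip()        # a key may follow the header
            if not line:
                continue
        m = KEYVAL.match(line)
        if not m or section != "submodule" or name is None:
            continue
        key = m.group(1).lower()
        value = m.group(2).strip().strip('"').lstrip()
        if key == "update" and value.startswith("!"):
            findings.append((name, lineno, value))
    return findings


if __name__ == "__main__":
    for name, lineno, value in find_command_updates(SAMPLE):
        print(f".gitmodules:{lineno}: submodule {name!r} sets update={value}")
```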