Lucene search

K
amazonAmazonALAS2-2023-1943
HistoryFeb 17, 2023 - 12:11 a.m.

Important: git

2023-02-1700:11:00
alas.aws.amazon.com
9
git security vulnerability
arbitrary file overwrite
recursive cloning
remote code execution

EPSS

0.087

Percentile

94.6%

Issue Overview:

A flaw was found in the git fast-import command where it provides the export-marks feature that may unexpectedly overwrite arbitrary paths. An attacker can abuse this flaw if they can control the input passed to the fast-import command by using the export-marks feature and overwrite arbitrary files, but would not have complete control on the content of the file. (CVE-2019-1348)

An improper input validation flaw was discovered in git in the way it handles git submodules. A remote attacker could abuse this flaw to trick a victim user into recursively cloning a malicious repository, which, under certain circumstances, could fool git into using the same git directory twice and potentially cause remote code execution. (CVE-2019-1349)

A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka ‘Git for Visual Studio Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2019-1349, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387. (CVE-2019-1350)

A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka ‘Git for Visual Studio Tampering Vulnerability’. (CVE-2019-1351)

A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka ‘Git for Visual Studio Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1354, CVE-2019-1387. (CVE-2019-1352)

An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as “WSL”) while accessing a working directory on a regular Windows drive, none of the NTFS protections were active. (CVE-2019-1353)

A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka ‘Git for Visual Studio Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387. (CVE-2019-1354)

A flaw was discovered where git improperly validates submodules’ names used to construct git metadata paths and does not prevent them from being nested in existing directories used to store another submodule’s metadata. A remote attacker could abuse this flaw to trick a victim user into cloning a malicious repository containing submodules, which, when recursively cloned, would trigger the flaw and remotely execute code on the victim’s machine. (CVE-2019-1387)

A security bypass was discovered in git, which allows arbitrary commands to be executed during the update of git submodules. A remote attacker may trick a victim user into cloning a malicious repository that initially looks fine, allowing access to bypass the security mechanisms that prevent the execution of arbitrary commands during the submodule initialization. After following an update of the repository and the submodules done by the victim user, vulnerable versions of git may use the update setting in the .gitmodules file and execute arbitrary commands. (CVE-2019-19604)

Affected Packages:

git

Issue Correction:
Run yum update git to update your system.

New Packages:

aarch64:  
    git-2.23.1-0.amzn2.0.2.aarch64  
    git-core-2.23.1-0.amzn2.0.2.aarch64  
    git-daemon-2.23.1-0.amzn2.0.2.aarch64  
    git-subtree-2.23.1-0.amzn2.0.2.aarch64  
    git-debuginfo-2.23.1-0.amzn2.0.2.aarch64  
  
i686:  
    git-2.23.1-0.amzn2.0.2.i686  
    git-core-2.23.1-0.amzn2.0.2.i686  
    git-daemon-2.23.1-0.amzn2.0.2.i686  
    git-subtree-2.23.1-0.amzn2.0.2.i686  
    git-debuginfo-2.23.1-0.amzn2.0.2.i686  
  
noarch:  
    git-all-2.23.1-0.amzn2.0.2.noarch  
    git-core-doc-2.23.1-0.amzn2.0.2.noarch  
    git-cvs-2.23.1-0.amzn2.0.2.noarch  
    git-email-2.23.1-0.amzn2.0.2.noarch  
    gitk-2.23.1-0.amzn2.0.2.noarch  
    gitweb-2.23.1-0.amzn2.0.2.noarch  
    git-gui-2.23.1-0.amzn2.0.2.noarch  
    git-instaweb-2.23.1-0.amzn2.0.2.noarch  
    git-p4-2.23.1-0.amzn2.0.2.noarch  
    perl-Git-2.23.1-0.amzn2.0.2.noarch  
    perl-Git-SVN-2.23.1-0.amzn2.0.2.noarch  
    git-svn-2.23.1-0.amzn2.0.2.noarch  
  
src:  
    git-2.23.1-0.amzn2.0.2.src  
  
x86_64:  
    git-2.23.1-0.amzn2.0.2.x86_64  
    git-core-2.23.1-0.amzn2.0.2.x86_64  
    git-daemon-2.23.1-0.amzn2.0.2.x86_64  
    git-subtree-2.23.1-0.amzn2.0.2.x86_64  
    git-debuginfo-2.23.1-0.amzn2.0.2.x86_64  

Additional References

Red Hat: CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604

Mitre: CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604