Lucene search

K
archlinuxArchLinuxASA-201912-5
HistoryDec 18, 2019 - 12:00 a.m.

[ASA-201912-5] libgit2: arbitrary code execution

2019-12-1800:00:00
security.archlinux.org
14

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.064 Low

EPSS

Percentile

93.5%

Arch Linux Security Advisory ASA-201912-5

Severity: High
Date : 2019-12-18
CVE-ID : CVE-2019-1348 CVE-2019-1349 CVE-2019-1352 CVE-2019-1387
Package : libgit2
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1075

Summary

The package libgit2 before version 1:0.28.4-1 is vulnerable to
arbitrary code execution.

Resolution

Upgrade to 1:0.28.4-1.

pacman -Syu “libgit2>=1:0.28.4-1”

The problems have been fixed upstream in version 0.28.4.

Workaround

None.

Description

  • CVE-2019-1348 (arbitrary code execution)

A security issue has been found in git before 2.24.1 where the
–export-marks option of git fast-import is exposed also via the in-
stream command feature export-marks=… and it allows overwriting
arbitrary paths.

  • CVE-2019-1349 (arbitrary code execution)

A security issue has been found in git before 2.24.1 when using
submodule paths that refer to the same file system entity (e.g. using
the NTFS Alternate Data Streams attack mentioned in CVE-2019-1352 where
files would be written to the .git/ directory using a synonymous
directory name), it was possible to “squat” on the git~1 shortname on
NTFS drives, opening attacks via git~2. This also affects Git when
run as a Linux application inside the Windows Subsystem for Linux.

  • CVE-2019-1352 (arbitrary code execution)

A security issue has been found in git before 2.24.1 where it was
unaware of NTFS Alternate Data Streams, allowing files inside the .git/
directory to be overwritten during a clone.

  • CVE-2019-1387 (arbitrary code execution)

A security issue has been found in git before 2.24.1 where recursive
clones are currently affected by a vulnerability that is caused by too-
lax validation of submodule names, allowing very targeted attacks via
remote code execution in recursive clones.

Impact

A remote attacker can overwrite files and execute code by abusing NTFS
path, submodules and fast-import.

References

https://github.com/git/git/commit/68061e3470210703cb15594194718d35094afdc0
https://lkml.org/lkml/2019/12/10/905
https://github.com/git/git/commit/0060fd1511b94c918928fa3708f69a3f33895a4a
https://github.com/git/git/commit/7c3745fc6185495d5765628b4dfe1bd2c25a2981
https://github.com/git/git/commit/a8dee3ca610f5a1d403634492136c887f83b59d2
https://security.archlinux.org/CVE-2019-1348
https://security.archlinux.org/CVE-2019-1349
https://security.archlinux.org/CVE-2019-1352
https://security.archlinux.org/CVE-2019-1387

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanylibgit2< 1:0.28.4-1UNKNOWN

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.064 Low

EPSS

Percentile

93.5%