EulerOS 2.0 SP13 : git (EulerOS-SA-2025-2288)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(271351);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/24");

  script_cve_id(
    "CVE-2025-27613",
    "CVE-2025-46334",
    "CVE-2025-46835",
    "CVE-2025-48384",
    "CVE-2025-48386"
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2025/09/15");

  script_name(english:"EulerOS 2.0 SP13 : git (EulerOS-SA-2025-2288)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the git packages installed, the EulerOS installation on the remote host is affected by the
following vulnerabilities :

    Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted
    repository and runs gitk without additional command arguments, files for which the user has write
    permission can be created and truncated. The option Support per-file encoding must have been enabled
    before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of
    this line is used in the main window (regardless of whether Support per-file encoding is enabled or not).
    This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and
    2.50.1.(CVE-2025-27613)

    Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can
    ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate
    design of Tcl on Windows, the search path when looking for an executable always includes the current
    directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the
    menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and
    2.50.1.(CVE-2025-46334)

    Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an
    untrusted repository and is tricked into editing a file located in a maliciously named directory in the
    repository, then Git GUI can create and overwrite files for which the user has write permission. This
    vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and
    2.50.1.(CVE-2025-46835)

    Git is a fast, scalable, distributed revision control system with an unusually rich command set that
    provides both high-level operations and full access to internals. When reading a config value, Git strips
    any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR
    are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if
    the submodule path contains a trailing CR, the altered path is read resulting in the submodule being
    checked out to an incorrect location. If a symlink exists that points the altered path to the submodule
    hooks directory, and the submodule contains an executable post-checkout hook, the script may be
    unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4,
    v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.(CVE-2025-48384)

    Git is a fast, scalable, distributed revision control system with an unusually rich command set that
    provides both high-level operations and full access to internals. The wincred credential helper uses a
    static buffer (target) as a unique key for storing and comparing against internal storage. This credential
    helper does not properly bounds check the available space remaining in the buffer before appending to it
    with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v2.44.4,
    v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.(CVE-2025-48386)

Tenable has extracted the preceding description block directly from the EulerOS git security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2025-2288
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?db8de3c0");
  script_set_attribute(attribute:"solution", value:
"Update the affected git packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-48384");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2025-46334");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/07/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/10/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:git");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:git-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:git-help");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perl-Git");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP13");

var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(13)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP13");

if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP13", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

var flag = 0;

var pkgs = [
  "git-2.33.0-13.h6.eulerosv2r13",
  "git-core-2.33.0-13.h6.eulerosv2r13",
  "git-help-2.33.0-13.h6.eulerosv2r13",
  "perl-Git-2.33.0-13.h6.eulerosv2r13"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"13", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "git");
}