The version of git installed on the remote host is prior to 2.30.6 / 2.35.5 / 2.38.1. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2022-291-01 advisory.
When relying on the `--local` clone optimization, Git dereferences symbolic links in the source repository before creating hardlinks (or copies) of the dereferenced link in the destination repository. This can lead to surprising behavior where arbitrary files are present in a repository's `$GIT_DIR` when cloning from a malicious repository. Git will no longer dereference symbolic links via the `--local` clone mechanism, and will instead refuse to clone repositories that have symbolic links present in the `$GIT_DIR/objects` directory. Additionally, the value of `protocol.file.allow` is changed to be user by default. An overly-long command string given to `git shell` can result in overflow in `split_cmdline()`, leading to arbitrary heap writes and remote code execution when `git shell` is exposed and the directory `$HOME/git-shell-commands` exists. `git shell` is taught to refuse interactive commands that are longer than 4MiB in size.
split_cmdline()
is hardened to reject inputs larger than 2GiB. (CVE-2022-39253, CVE-2022-39260)Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory SSA:2022-291-01. The text
# itself is copyright (C) Slackware Linux, Inc.
##
include('compat.inc');
if (description)
{
script_id(166228);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/11/29");
script_cve_id("CVE-2022-39253", "CVE-2022-39260");
script_name(english:"Slackware Linux 14.0 / 14.1 / 14.2 / 15.0 / current git Multiple Vulnerabilities (SSA:2022-291-01)");
script_set_attribute(attribute:"synopsis", value:
"The remote Slackware Linux host is missing a security update to git.");
script_set_attribute(attribute:"description", value:
"The version of git installed on the remote host is prior to 2.30.6 / 2.35.5 / 2.38.1. It is, therefore, affected by
multiple vulnerabilities as referenced in the SSA:2022-291-01 advisory.
- When relying on the `--local` clone optimization, Git dereferences symbolic links
in the source repository before creating hardlinks (or copies) of the dereferenced link in the
destination repository. This can lead to surprising behavior where arbitrary files are
present in a repository's `$GIT_DIR` when cloning from a malicious repository. Git
will no longer dereference symbolic links via the `--local` clone mechanism, and will instead
refuse to clone repositories that have symbolic links present in the `$GIT_DIR/objects`
directory. Additionally, the value of `protocol.file.allow` is changed to be user
by default. An overly-long command string given to `git shell` can result in
overflow in `split_cmdline()`, leading to arbitrary heap writes and remote code execution when
`git shell` is exposed and the directory `$HOME/git-shell-commands` exists. `git
shell` is taught to refuse interactive commands that are longer than 4MiB in size.
`split_cmdline()` is hardened to reject inputs larger than 2GiB. (CVE-2022-39253,
CVE-2022-39260)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"solution", value:
"Upgrade the affected git package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-39260");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/18");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:git");
script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2");
script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:15.0");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Slackware Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
exit(0);
}
include("slackware.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
var flag = 0;
var constraints = [
{ 'fixed_version' : '2.30.6', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '14.0', 'service_pack' : '1_slack14.0', 'arch' : 'i486' },
{ 'fixed_version' : '2.30.6', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '14.0', 'service_pack' : '1_slack14.0', 'arch' : 'x86_64' },
{ 'fixed_version' : '2.30.6', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '14.1', 'service_pack' : '1_slack14.1', 'arch' : 'i486' },
{ 'fixed_version' : '2.30.6', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '14.1', 'service_pack' : '1_slack14.1', 'arch' : 'x86_64' },
{ 'fixed_version' : '2.30.6', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '14.2', 'service_pack' : '1_slack14.2', 'arch' : 'i586' },
{ 'fixed_version' : '2.30.6', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '14.2', 'service_pack' : '1_slack14.2', 'arch' : 'x86_64' },
{ 'fixed_version' : '2.35.5', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '15.0', 'service_pack' : '1_slack15.0', 'arch' : 'i586' },
{ 'fixed_version' : '2.35.5', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '15.0', 'service_pack' : '1_slack15.0', 'arch' : 'x86_64' },
{ 'fixed_version' : '2.38.1', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : 'current', 'service_pack' : '1', 'arch' : 'i586' },
{ 'fixed_version' : '2.38.1', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : 'current', 'service_pack' : '1', 'arch' : 'x86_64' }
];
foreach constraint (constraints) {
var pkg_arch = constraint['arch'];
var arch = NULL;
if (pkg_arch == "x86_64") {
arch = pkg_arch;
}
if (slackware_check(osver:constraint['os_version'],
arch:arch,
pkgname:constraint['product'],
pkgver:constraint['fixed_version'],
pkgarch:pkg_arch,
pkgnum:constraint['service_pack'])) flag++;
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : slackware_report_get()
);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
Vendor | Product | Version | CPE |
---|---|---|---|
slackware | slackware_linux | cpe:/o:slackware:slackware_linux | |
slackware | slackware_linux | 14.0 | cpe:/o:slackware:slackware_linux:14.0 |
slackware | slackware_linux | 14.1 | cpe:/o:slackware:slackware_linux:14.1 |
slackware | slackware_linux | 14.2 | cpe:/o:slackware:slackware_linux:14.2 |
slackware | slackware_linux | 15.0 | cpe:/o:slackware:slackware_linux:15.0 |
slackware | slackware_linux | git | p-cpe:/a:slackware:slackware_linux:git |