Lucene search

HistoryOct 18, 2022 - 12:00 a.m.

Slackware Linux 14.0 / 14.1 / 14.2 / 15.0 / current git Multiple Vulnerabilities (SSA:2022-291-01)

2022-10-1800:00:00

www.tenable.com

The version of git installed on the remote host is prior to 2.30.6 / 2.35.5 / 2.38.1. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2022-291-01 advisory.

         When relying on the `--local` clone optimization, Git dereferences            symbolic links     in the source repository before creating hardlinks            (or copies) of the dereferenced link in the     destination repository.            This can lead to surprising behavior where arbitrary files are     present in a repository's `$GIT_DIR` when cloning from a malicious            repository.             Git     will no longer dereference symbolic links via the `--local`            clone mechanism, and will instead     refuse to clone repositories that            have symbolic links present in the `$GIT_DIR/objects`     directory.             Additionally, the value of `protocol.file.allow` is changed to be            user     by default.                        An overly-long command string given to `git shell` can result in     overflow in `split_cmdline()`, leading to arbitrary heap writes and            remote code execution when     `git shell` is exposed and the directory            `$HOME/git-shell-commands` exists.             `git     shell` is taught to refuse interactive commands that are            longer than 4MiB in size.

split_cmdline() is hardened to reject inputs larger than 2GiB. (CVE-2022-39253, CVE-2022-39260)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory SSA:2022-291-01. The text
# itself is copyright (C) Slackware Linux, Inc.
##

include('compat.inc');

if (description)
{
  script_id(166228);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/11/29");

  script_cve_id("CVE-2022-39253", "CVE-2022-39260");

  script_name(english:"Slackware Linux 14.0 / 14.1 / 14.2 / 15.0 / current git  Multiple Vulnerabilities (SSA:2022-291-01)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Slackware Linux host is missing a security update to git.");
  script_set_attribute(attribute:"description", value:
"The version of git installed on the remote host is prior to 2.30.6 / 2.35.5 / 2.38.1. It is, therefore, affected by
multiple vulnerabilities as referenced in the SSA:2022-291-01 advisory.

  -              When relying on the `--local` clone optimization, Git dereferences            symbolic links
    in the source repository before creating hardlinks            (or copies) of the dereferenced link in the
    destination repository.            This can lead to surprising behavior where arbitrary files are
    present in a repository's `$GIT_DIR` when cloning from a malicious            repository.             Git
    will no longer dereference symbolic links via the `--local`            clone mechanism, and will instead
    refuse to clone repositories that            have symbolic links present in the `$GIT_DIR/objects`
    directory.             Additionally, the value of `protocol.file.allow` is changed to be            user
    by default.                        An overly-long command string given to `git shell` can result in
    overflow in `split_cmdline()`, leading to arbitrary heap writes and            remote code execution when
    `git shell` is exposed and the directory            `$HOME/git-shell-commands` exists.             `git
    shell` is taught to refuse interactive commands that are            longer than 4MiB in size.
    `split_cmdline()` is hardened to reject            inputs larger than 2GiB.            (CVE-2022-39253,
    CVE-2022-39260)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"solution", value:
"Upgrade the affected git package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-39260");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:git");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:15.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Slackware Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}

include("slackware.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

var flag = 0;
var constraints = [
    { 'fixed_version' : '2.30.6', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '14.0', 'service_pack' : '1_slack14.0', 'arch' : 'i486' },
    { 'fixed_version' : '2.30.6', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '14.0', 'service_pack' : '1_slack14.0', 'arch' : 'x86_64' },
    { 'fixed_version' : '2.30.6', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '14.1', 'service_pack' : '1_slack14.1', 'arch' : 'i486' },
    { 'fixed_version' : '2.30.6', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '14.1', 'service_pack' : '1_slack14.1', 'arch' : 'x86_64' },
    { 'fixed_version' : '2.30.6', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '14.2', 'service_pack' : '1_slack14.2', 'arch' : 'i586' },
    { 'fixed_version' : '2.30.6', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '14.2', 'service_pack' : '1_slack14.2', 'arch' : 'x86_64' },
    { 'fixed_version' : '2.35.5', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '15.0', 'service_pack' : '1_slack15.0', 'arch' : 'i586' },
    { 'fixed_version' : '2.35.5', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : '15.0', 'service_pack' : '1_slack15.0', 'arch' : 'x86_64' },
    { 'fixed_version' : '2.38.1', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : 'current', 'service_pack' : '1', 'arch' : 'i586' },
    { 'fixed_version' : '2.38.1', 'product' : 'git', 'os_name' : 'Slackware Linux', 'os_version' : 'current', 'service_pack' : '1', 'arch' : 'x86_64' }
];

foreach constraint (constraints) {
    var pkg_arch = constraint['arch'];
    var arch = NULL;
    if (pkg_arch == "x86_64") {
        arch = pkg_arch;
    }
    if (slackware_check(osver:constraint['os_version'],
                        arch:arch,
                        pkgname:constraint['product'],
                        pkgver:constraint['fixed_version'],
                        pkgarch:pkg_arch,
                        pkgnum:constraint['service_pack'])) flag++;
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : slackware_report_get()
  );
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

VendorProductVersionCPE
slackwareslackware_linuxcpe:/o:slackware:slackware_linux
slackwareslackware_linux14.0cpe:/o:slackware:slackware_linux:14.0
slackwareslackware_linux14.1cpe:/o:slackware:slackware_linux:14.1
slackwareslackware_linux14.2cpe:/o:slackware:slackware_linux:14.2
slackwareslackware_linux15.0cpe:/o:slackware:slackware_linux:15.0
slackwareslackware_linuxgitp-cpe:/a:slackware:slackware_linux:git

Vendor	Product	Version	CPE
slackware	slackware_linux		cpe:/o:slackware:slackware_linux
slackware	slackware_linux	14.0	cpe:/o:slackware:slackware_linux:14.0
slackware	slackware_linux	14.1	cpe:/o:slackware:slackware_linux:14.1
slackware	slackware_linux	14.2	cpe:/o:slackware:slackware_linux:14.2
slackware	slackware_linux	15.0	cpe:/o:slackware:slackware_linux:15.0
slackware	slackware_linux	git	p-cpe:/a:slackware:slackware_linux:git

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260

JSON

Related for SLACKWARE_SSA_2022-291-01.NASL