Bugzilla – Bug 948969
VUL-0: CVE-2015-7545: git: remote code execution with recursive fetch of submodules
Last modified: 2016-04-27 19:46:26 UTC
https://lkml.org/lkml/2015/10/5/683

> * Some protocols (like git-remote-ext) can execute arbitrary code
> found in the URL. The URLs that submodules use may come from
> arbitrary sources (e.g., .gitmodules files in a remote
> repository), and can hurt those who blindly enable recursive
> fetch. Restrict the allowed protocols to well known and safe
> ones.

A commit list as mentioned on http://seclists.org/oss-sec/2015/q4/37

https://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/b258116462399b318c86165c61a5c7123043cfd4%5E%21/

Fixed in 2.6.1, 2.5.4, 2.4.10, 2.3.10

Earlier releases as used in SLE and openSUSE 13.1 and 13.2 potentially affected.

Affects git as bundled in cgit.
This is an autogenerated message for OBS integration: This bug (948969) was mentioned in https://build.opensuse.org/request/show/336669 Factory / git
This is an autogenerated message for OBS integration: This bug (948969) was mentioned in https://build.opensuse.org/request/show/336685 Factory / cgit
bugbot adjusting priority
Created attachment 651018 [details]
git-1.8.5.6-bsc948969.patch

I backported the commits to the git 1.8.5.6 version used in SLE 12.

> [...]
> Patch8: git-1.8.5.6-rename-sort_string_list-rename-to-string_list_sort.patch
> Patch9: git-1.8.5.6-bsc948969.patch
> [...]
> %patch8 -p1
> %patch9 -p1
> # fix non-executable tests: t5810-proto-disable-local.sh t5811-proto-disable-git.sh t5812-proto-disable-http.sh t5813-proto-disable-ssh.sh t5814-proto-disable-ext.sh t5815-submodule-protos.sh
> find t/ -type f -name t581?-*proto*.sh -print -exec chmod +x {} \;
Created attachment 651019 [details]
git-1.8.5.6-rename-sort_string_list-rename-to-string_list_sort.patch

Patch to make the backport work (function rename).
More details from oss-sec

Arbitrary shell command execution from .gitmodules:

Git allows executing arbitrary shell commands using git-remote-ext via remote URLs. Normally git never requests URLs that the user doesn't specifically request, so this is not a serious security concern. However, submodules did allow the remote repository to specify what URL to clone from. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this.

The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories.

a5adace and 33cfccb fixed this behavior by introducing a whitelist of allowed protocols for all git submodule operations.

=======================

Following HTTP redirects to unsupported protocols:

A separate issue that was fixed used to allow HTTP redirects to be followed to any protocol that the underlying libcurl supported. This is the default behavior of libcurl. However, git should only support a subset of the protocols that libcurl supports. For example, this allowed a git clone from an HTTP server to redirect to an SFTP server and successfully run a clone, a protocol that git otherwise doesn't support at all. Git is only supposed to support using HTTP, HTTPS, FTP and FTPS with the libcurl-based remotes, so this was unexpected behavior.

5088d3b and f4113ca fixed this behavior by limiting libcurl-based remotes to redirect to HTTP, HTTPS, FTP and FTPS, or the protocol whitelist, whichever is stricter.

=======================

Circular HTTP redirects:

Previously git would follow circular HTTP redirects forever. Potentially this could be used as a DoS attack if an attacker could trigger an automated fetch of a git remote.

b258116 fixed this behavior by limiting git to only follow 20 HTTP redirects.
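A defender-side check in the spirit of the protocol whitelist the fix introduced: this is an added example, not git's or SUSE's code, that audits the submodule URLs in a .gitmodules file before anyone runs a recursive clone or `submodule update` on it. The default SAFE_PROTOCOLS list is an assumption modelled on git's defaults (the page does not list them), the sample .gitmodules is constructed, and the scheme detection follows git's URL conventions (`proto://`, `helper::` for remote helpers such as ext::, scp-style `host:path` meaning ssh, anything else a local path).

```python
import re
# Assumed default whitelist, modelled on the "well known and safe" protocols the
# fix allows for submodule operations (the page itself does not list them).
SAFE_PROTOCOLS = frozenset({"file", "git", "http", "https", "ssh"})

def url_protocol(url: str) -> str:
    """Classify a URL following git's transport conventions."""
    if url.startswith(("./", "../")):
        return "relative"          # resolved against the superproject's own remote
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*)(://|::)", url)
    if m:
        return m.group(1).lower()  # https://, git://, ... or a helper such as ext::
    if re.match(r"^[^/]+:", url):
        return "ssh"               # scp-style user@host:path
    return "file"                  # plain local path

def parse_gitmodules(text: str) -> dict:
    """Return {submodule name: url} from .gitmodules (git-config syntax)."""
    urls, name = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r'^\[submodule\s+"([^"]+)"\]$', line)
        if m:
            name = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if name and sep and key.strip().lower() == "url":
            urls[name] = value.strip()
    return urls

def audit_gitmodules(text: str, allowed=SAFE_PROTOCOLS) -> list:
    """Return (name, url, protocol) for every submodule whose protocol is not whitelisted."""
    flagged = []
    for name, url in parse_gitmodules(text).items():
        proto = url_protocol(url)
        if proto != "relative" and proto not in allowed:
            flagged.append((name, url, proto))
    return flagged

# Constructed sample .gitmodules; the last entry names a remote helper (placeholder, not a real command).
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\turl = https://example.org/libfoo.git
[submodule "tools"]
\turl = git@example.org:team/tools.git
[submodule "vendored"]
\turl = ../lib.git
[submodule "helper"]
\turl = ext::placeholder-helper-command
"""
```

Relative URLs are skipped because they inherit the superproject's own protocol; everything the audit returns is a submodule a patched git would refuse to fetch under the default whitelist.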
The issue "Arbitrary shell command execution from .gitmodules:" warrants an update. We can include "Following HTTP redirects to unsupported protocols" and "Circular HTTP redirects".

The 1.8.5.6 backport is attached; 1.7.12.4 and the openSUSE versions should be doable in the same fashion.

Requesting update, let me know if you are having issues with the backport.
This is an autogenerated message for OBS integration: This bug (948969) was mentioned in https://build.opensuse.org/request/show/340925 Leap:42.1 / git
I reviewed the backport patch for 1.8.5.6 and found a typo there. It must be transport_check_allowed("rsync") for the if block corresponding to rsync in transport.c:transport_get(). I refreshed the patch and am testing now...
The backport to old versions, even for 1.8.4.5, turned out to be fairly tricky. For 1.7.x, we need to backport the patches to add more string list helper functions. Then, adapt the fix patches. After that, some code in transport.c has to be moved to an individual file so that the linker won't take all the code in transport.c at once; otherwise we'll get linker errors. And, finally, some new unit test code has to be rewritten because the older git doesn't have the -C option yet. I worked around it by introducing a wrapper in each unit test. In the end, I refreshed all the patches from scratch, in addition to a few more workaround patches.... Anyway, the updated packages for SLE11-SP1, SLE12, openSUSE 13.1 and openSUSE 13.2 are ready now.
This is an autogenerated message for OBS integration: This bug (948969) was mentioned in
https://build.opensuse.org/request/show/342269 13.2 / git
https://build.opensuse.org/request/show/342270 13.1 / git
The fix was submitted to all relevant branches. Reassigning back to security team for the rest.
Thanks. I don't think cgit fetches submodules?
(In reply to Andreas Stieger from comment #18)
> Thanks. I don't think cgit fetches submodules?

I'm not 100% sure but I don't think so, either. cgit accesses only the bare git repos, and .gitmodules isn't evaluated there.
openSUSE-SU-2015:1968-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 948969
CVE References:
Sources used:
openSUSE 13.2 (src): git-2.1.4-16.2
openSUSE 13.1 (src): git-1.8.4.5-3.11.2
SUSE-SU-2015:2025-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 948969
CVE References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): git-1.8.5.6-14.3
SUSE Linux Enterprise Server 12 (src): git-1.8.5.6-14.3
SUSE-SU-2015:2184-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 948969
CVE References:
Sources used:
SUSE Studio Onsite 1.3 (src): git-1.7.12.4-0.11.2
SUSE OpenStack Cloud 5 (src): git-1.7.12.4-0.11.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): git-1.7.12.4-0.11.2
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): git-1.7.12.4-0.11.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): git-1.7.12.4-0.11.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src): git-1.7.12.4-0.11.2
CVE-2015-7545 was assigned by Kurt Seifried:

With apologies, I can't find the original http://seclists.org/oss-sec/2015/q4/37 in my mailbox (3+ months old) but we've now shipped advisories, had several people ask and not gotten a CVE yet so here it is:

CVE-2015-7545 Git: Some protocols (like git-remote-ext) can execute arbitrary code found in the URL

The other HTTP redirect/protocol issues don't seem to be security issues per se (unexpected/annoying yes, but I can't think of any real security impact).
The updates have gone out without CVE id, but have gone out.
MITRE has accepted this CVE-2015-7545 ID for this vulnerability disclosed by the upstream vendor in these references:

https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021
https://lkml.org/lkml/2015/10/5/683
https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt
https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt
https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt
https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt
SUSE-SU-2015:2325-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 948969
CVE References: CVE-2015-7545
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): git-1.8.5.6-15.1
SUSE Linux Enterprise Server 12-SP1 (src): git-1.8.5.6-15.1
openSUSE-SU-2016:0218-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 948969,961916
CVE References: CVE-2016-1899,CVE-2016-1900,CVE-2016-1901
Sources used:
openSUSE 13.1 (src): cgit-0.12-11.6.1