Bug 1178459 (CVE-2020-27955) - VUL-0: CVE-2020-27955: git-lfs: Remote Code Execution on Windows
Summary: VUL-0: CVE-2020-27955: git-lfs: Remote Code Execution on Windows
Status: RESOLVED INVALID
Alias: CVE-2020-27955
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.2
Hardware: Other Other
Importance: P5 - None Normal
Target Milestone: ---
Assignee: Adrien Plazas
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/270847/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-05 08:57 UTC by Alexandros Toptsoglou
Modified: 2020-11-05 09:00 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexandros Toptsoglou 2020-11-05 08:57:29 UTC
CVE-2020-27955

On Windows, if Git LFS operates on a malicious repository with a git.bat or
git.exe file in the current directory, that program is executed, permitting the
attacker to execute arbitrary code.  This security problem does not affect Unix
systems.

This occurs because on Windows, Go includes (and prefers) the current directory
when the name of a command run does not contain a directory separator.  This has
been solved by always using PATH to pre-resolve paths before handing them to Go.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27955
http://seclists.org/oss-sec/2020/q4/98
https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html
https://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html
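The PATH pre-resolution the description mentions, as an added illustration in Go (this is not git-lfs's own code; resolveViaPath and isExecutable are hypothetical helper names): rather than letting os/exec search the current directory, the caller searches only absolute PATH entries, tries the PATHEXT suffixes on Windows, and hands the absolute result to exec.Command so that Go performs no lookup of its own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
	"strings"
)

var ErrNotFound = errors.New("command not found in any absolute PATH entry")

// isExecutable accepts regular files; Windows has no execute bit, so there the
// PATHEXT suffixes tried by resolveViaPath are the only filter.
func isExecutable(p string) bool {
	info, err := os.Stat(p)
	if err != nil || !info.Mode().IsRegular() {
		return false
	}
	return runtime.GOOS == "windows" || info.Mode().Perm()&0o111 != 0
}

// resolveViaPath (hypothetical helper) maps a bare command name to an absolute
// path using only absolute PATH entries: "" and "." resolve against the current
// directory, which inside a cloned repository is attacker-controlled.
func resolveViaPath(name, pathEnv, pathExt string) (string, error) {
	if strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("%q is not a bare command name", name)
	}
	// Unix: PATHEXT is unset, only the bare name is tried; Windows: also git.exe, git.bat, ...
	exts := append([]string{""}, strings.Split(strings.ToLower(pathExt), ";")...)
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" || !filepath.IsAbs(dir) {
			continue // never search the current directory, whatever PATH says
		}
		for _, ext := range exts {
			if p := filepath.Join(dir, name+ext); isExecutable(p) {
				return p, nil
			}
		}
	}
	return "", ErrNotFound
}

func main() {
	p, err := resolveViaPath("git", os.Getenv("PATH"), os.Getenv("PATHEXT"))
	fmt.Println(p, err) // hand p, not "git", to exec.Command so Go does no lookup
}
```

Since Go 1.19, os/exec applies the same rule itself and returns exec.ErrDot for any match found relative to the current directory, so on current toolchains an explicit check like this mainly documents the intent.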
Comment 1 Alexandros Toptsoglou 2020-11-05 09:00:05 UTC
There is already a fixed version which fixes this issue, that is 2.12.1. Anyway this is a Windows-only issue, closing.