Bug 20827 - git security vulnerability CVE-2017-8386
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://www.linuxsecurity.com/content/...
Whiteboard: advisory mga5-32-ok mga5-64-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-05-11 08:23 CEST by Zombie Ryushu
Modified: 2017-06-04 01:36 CEST

See Also:
Source RPM: git
CVE:
Status comment:



Description Zombie Ryushu 2017-05-11 08:23:17 CEST
Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
login shell for Git-only SSH access, allows a user to run an interactive
pager by causing it to spawn "git upload-pack --help".
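
The report above describes an option (`--help`) reaching `git upload-pack` through git-shell. As an added example (not code from git, Debian or the Mageia package), this script shows one way a wrapper in front of git-shell could screen the requested command; the function names, the three-service allow-list and the reject-leading-dash policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: screen the command an SSH client requested (sshd exposes it
# as SSH_ORIGINAL_COMMAND) before it is handed to git-shell.
# Assumed policy: only the three git transport services are accepted, and the
# repository argument must not look like an option (must not start with "-").

# Strip one layer of surrounding quotes; git clients send the path as 'repo'.
unquote() {
    case $1 in
        \'*\') v=${1#\'}; v=${v%\'}; printf '%s' "$v" ;;
        \"*\") v=${1#\"}; v=${v%\"}; printf '%s' "$v" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# Prints "allow" or "reject: <reason>"; returns 0 only for "allow".
screen_git_command() {
    cmd=$1
    # Accept both spellings: "git upload-pack" and "git-upload-pack".
    case $cmd in
        "git "*) cmd="git-${cmd#git }" ;;
    esac
    service=${cmd%% *}
    arg=${cmd#"$service"}
    arg=${arg#"${arg%%[! ]*}"}      # trim leading spaces
    case $service in
        git-upload-pack|git-receive-pack|git-upload-archive) ;;
        *) echo "reject: unsupported service"; return 1 ;;
    esac
    arg=$(unquote "$arg")
    case $arg in
        '') echo "reject: missing repository"; return 1 ;;
        -*) echo "reject: option-like argument"; return 1 ;;
    esac
    echo "allow"
}

# Constructed sample requests (not taken from a real log).
for c in "git-upload-pack 'project.git'" "git upload-pack --help" \
         "git-receive-pack '--help'" "ls -la"; do
    printf '%-32s -> %s\n' "$c" "$(screen_git_command "$c" || true)"
done
```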
Comment 1 Stig-Ørjan Smelror 2017-05-11 12:09:34 CEST
(In reply to Zombie Ryushu from comment #0)
> Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
> login shell for Git-only SSH access, allows a user to run an interactive
> pager by causing it to spawn "git upload-pack --help".

Is this vulnerability present in the recent 2.13.0?
Comment 2 Marja van Waes 2017-05-11 13:38:51 CEST
(In reply to Stig-Ørjan Smelror from comment #1)
> (In reply to Zombie Ryushu from comment #0)
> > Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
> > login shell for Git-only SSH access, allows a user to run an interactive
> > pager by causing it to spawn "git upload-pack --help".
> 
> Is this vulnerability present in the recent 2.13.0?

It got fixed
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.13.0.txt

Changing component to Security and assigning to the registered maintainer.


(The CVE is still reserved, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386 )
Comment 3 Shlomi Fish 2017-05-11 19:54:10 CEST
(In reply to Marja van Waes from comment #2)
> (In reply to Stig-Ørjan Smelror from comment #1)
> > (In reply to Zombie Ryushu from comment #0)
> > > Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
> > > login shell for Git-only SSH access, allows a user to run an interactive
> > > pager by causing it to spawn "git upload-pack --help".
> > 
> > Is this vulnerability present in the recent 2.13.0?
> 
> It got fixed
> https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.13.0.txt
> 
> Changing component to Security and assigning to the registered maintainer.
> 
> 
> (The CVE is still reserved,
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386 )

git-2.13.0 was pushed to Cauldron. Can I upgrade it to 2.13.0 on mageia v5 as well?
Comment 4 David Walser 2017-05-13 19:02:57 CEST
Link to the actual Debian advisory from May 10:
https://www.debian.org/security/2017/dsa-3848

They backported a patch, so we may be able to use it for Mageia 5.
Comment 5 Shlomi Fish 2017-05-13 21:06:52 CEST
(In reply to David Walser from comment #4)
> Link to the actual Debian advisory from May 10:
> https://www.debian.org/security/2017/dsa-3848
> 
> They backported a patch, so we may be able to use it for Mageia 5.

Thanks, David!

I built a new git-2.7.4-1.1mga5 package for mageia 5 core/updates_testing. Assigning to QA for testing. We also need to write an advisory.
Comment 6 David Walser 2017-05-13 21:10:39 CEST
Thanks Shlomi!

Advisory:
========================

Updated git packages fix security vulnerability:

Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted login
shell for Git-only SSH access, allows a user to run an interactive pager by
causing it to spawn "git upload-pack --help" (CVE-2017-8386).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386
https://www.debian.org/security/2017/dsa-3848
========================

Updated packages in core/updates_testing:
========================
git-2.7.4-1.1.mga5
git-core-2.7.4-1.1.mga5
gitk-2.7.4-1.1.mga5
gitview-2.7.4-1.1.mga5
libgit-devel-2.7.4-1.1.mga5
git-svn-2.7.4-1.1.mga5
git-cvs-2.7.4-1.1.mga5
git-arch-2.7.4-1.1.mga5
git-email-2.7.4-1.1.mga5
perl-Git-2.7.4-1.1.mga5
git-core-oldies-2.7.4-1.1.mga5
gitweb-2.7.4-1.1.mga5
git-prompt-2.7.4-1.1.mga5

from git-2.7.4-1.1.mga5.src.rpm
Comment 7 Brian Rockwell 2017-06-01 15:49:21 CEST
To satisfy dependencies, the following package(s) also need to be installed:

- cvs-1.12.13-25.mga5.i586
- cvsps-2.2b1-6.mga5.i586
- git-arch-2.7.4-1.1.mga5.i586
- git-core-2.7.4-1.1.mga5.i586
- git-core-oldies-2.7.4-1.1.mga5.i586
- git-cvs-2.7.4-1.1.mga5.i586
- git-email-2.7.4-1.1.mga5.i586
- git-prompt-2.7.4-1.1.mga5.i586
- git-svn-2.7.4-1.1.mga5.i586
- gitk-2.7.4-1.1.mga5.i586
- libapr-util1_0-1.5.4-4.mga5.i586
- libapr1_0-1.5.1-3.mga5.i586
- libserf1-1.3.8-1.mga5.i586
- libsvn0-1.8.17-1.mga5.i586
- perl-Authen-SASL-2.160.0-5.mga5.noarch
- perl-Digest-HMAC-1.30.0-6.mga5.noarch
- perl-Digest-SHA1-2.130.0-15.mga5.i586
- perl-Error-0.170.220-4.mga5.noarch
- perl-Git-2.7.4-1.1.mga5.i586
- perl-MIME-Base64-3.140.0-7.mga5.i586
- perl-SVN-1.8.17-1.mga5.i586
- perl-YAML-1.110.0-5.2.mga5.noarch
- subversion-1.8.17-1.mga5.i586
- tk-8.5.15-3.mga5.i586

54MB of additional disk space will be used.


These may be the easiest instructions for git you can have (forgive his language):

http://rogerdudler.github.io/git-guide/

FYI do this in a VM unless you want home under git influence.

$ git init

configure git some

$ git config --global user.name "your name"
$ git config --global user.email "yourEmail@serviceyouuse.com"

Now I'm listing out some files on the VM I can save in git.  I'll pick one.

[brian@localhost Documents (master)]$ ls
git271.odt  openvpn2316.odt

$ git add openvpn2316.odt

[brian@localhost Documents (master)]$ git commit -m "Commit message"
[master (root-commit) b1dcabf] Commit message
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 Documents/openvpn2316.odt



Seems to be working as designed.  

I am a git neophyte who has used it on a small cloud project, that's about it.  Developers chime in.
Comment 8 Brian Rockwell 2017-06-03 00:45:12 CEST
$ uname -a
Linux localhost 4.4.68-desktop-1.mga5 #1 SMP Sun May 14 17:56:12 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

To satisfy dependencies, the following package(s) also need to be installed:

- cvs-1.12.13-25.mga5.x86_64
- cvsps-2.2b1-6.mga5.x86_64
- git-arch-2.7.4-1.1.mga5.x86_64
- git-core-2.7.4-1.1.mga5.x86_64
- git-core-oldies-2.7.4-1.1.mga5.x86_64
- git-cvs-2.7.4-1.1.mga5.x86_64
- git-email-2.7.4-1.1.mga5.x86_64
- git-prompt-2.7.4-1.1.mga5.x86_64
- git-svn-2.7.4-1.1.mga5.x86_64
- gitk-2.7.4-1.1.mga5.x86_64
- lib64serf1-1.3.8-1.mga5.x86_64
- lib64svn0-1.8.17-1.mga5.x86_64
- perl-Authen-SASL-2.160.0-5.mga5.noarch
- perl-Digest-HMAC-1.30.0-6.mga5.noarch
- perl-Digest-SHA1-2.130.0-15.mga5.x86_64
- perl-Error-0.170.220-4.mga5.noarch
- perl-Git-2.7.4-1.1.mga5.x86_64
- perl-MIME-Base64-3.140.0-7.mga5.x86_64
- perl-SVN-1.8.17-1.mga5.x86_64
- perl-YAML-1.110.0-5.2.mga5.noarch
- subversion-1.8.17-1.mga5.x86_64
- tk-8.5.15-3.mga5.x86_64

51MB of additional disk space will be used.


$ git add git27411_backup.odt
$ git commit -m "gitbackup" 
[master (root-commit) 7acde0b] gitbackup
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 Documents/git27411_backup.odt


$ git checkout -b git_doc
D       Documents/git27411_backup.odt
Switched to a new branch 'git_doc'

$ git pull
fatal: No remote repository specified.  Please, specify either a URL or a
remote name from which new revisions should be fetched.

$ git checkout master
D       Documents/git27411_backup.odt
Switched to branch 'master'

$ git checkout -- git27411_backup.odt

----updated doc with these changes.

$ git add git27411_backup.odt
$ git commit -m "gitbackup2"
[master 24ff497] gitbackup2
 1 file changed, 0 insertions(+), 0 deletions(-)
 rewrite Documents/git27411_backup.odt (77%)

------------

Working as designed
Comment 9 Lewis Smith 2017-06-03 09:48:07 CEST
@Brian
Thank you for testing this update on both architectures. Am validating.
Comment 10 Mageia Robot 2017-06-04 01:36:32 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0153.html
