
Mageia: 2019-0393 Moderate: Git Arbitrary Command Execution

Mageia, December 15, 2019

Summary

The updated packages fix security vulnerabilities:
The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths. (CVE-2019-1348)
When submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice. We now require the directory to be empty. (CVE-2019-1349)
Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones. (CVE-2019-1387)
Arbitrary command execution is possible in Git before 2.21.1, because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository. (CVE-2019-19604)
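Two of the four issues above share a root cause on the repository side: a .gitmodules file whose submodule names or paths escape their intended location (CVE-2019-1387, CVE-2019-1349) or whose settings carry a command (CVE-2019-19604). The following is an added example, written for this page and not part of the Mageia advisory or of Git itself, of a small defender-side auditor that parses a .gitmodules file and flags such entries before a recursive clone or `git submodule update` is run on an unpatched system. The sample .gitmodules content is constructed for the example; the checks are heuristics based on documented Git behaviour (a leading `!` in `submodule.<name>.update` selects a custom command rather than a merge strategy).

```python
"""Audit a .gitmodules file for entries that the advisory above describes as
dangerous on unpatched Git: submodule names/paths with path-escaping
components, and 'update' settings that carry a command.

Added example for this page; not tooling from Mageia or the Git project.
"""
import re
from typing import Dict, List, Optional, Tuple

# [submodule "name"] section header of the git-config syntax used by .gitmodules
SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
# key = value line (value may be empty)
KEYVAL_RE = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<val>.*?)\s*$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of git-config syntax that .gitmodules uses.

    Returns {submodule name: {lower-cased key: value}}. Blank lines and
    comment lines (starting with '#' or ';') are skipped.
    """
    modules: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group('name')
            modules.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            modules[current][m.group('key').lower()] = m.group('val')
    return modules


def unsafe_name(name: str) -> bool:
    """True if a submodule name or path could escape the checkout location or
    land inside the .git directory: empty, absolute, or containing a '..' or
    '.git' component (forward or back slashes both count as separators)."""
    if not name or name.startswith(('/', '\\')):
        return True
    parts = [p.lower() for p in re.split(r'[\\/]+', name)]
    return any(p in ('..', '.git') for p in parts)


def audit_gitmodules(text: str) -> List[Tuple[str, str]]:
    """Return (submodule name, reason) findings for the given .gitmodules text."""
    findings: List[Tuple[str, str]] = []
    for name, cfg in parse_gitmodules(text).items():
        if unsafe_name(name):
            findings.append((name, 'submodule name contains a path-escaping component'))
        path = cfg.get('path')
        if path is not None and unsafe_name(path):
            findings.append((name, f'submodule path {path!r} escapes the work tree'))
        update = cfg.get('update', '')
        if update.startswith('!'):
            findings.append((name, "update setting is a custom command ('!' prefix), not a merge strategy"))
    return findings


# Constructed sample .gitmodules (not from any real repository): one benign
# entry, one with a path-escaping name and path, one with a command in 'update'.
SAMPLE_GITMODULES = """\
# constructed sample
[submodule "lib/common"]
\tpath = lib/common
\turl = https://example.invalid/common.git

[submodule "../escape"]
\tpath = ../escape
\turl = https://example.invalid/escape.git

[submodule "tools"]
\tpath = tools
\turl = https://example.invalid/tools.git
\tupdate = !echo custom-command
"""

if __name__ == '__main__':
    for module, reason in audit_gitmodules(SAMPLE_GITMODULES):
        print(f'{module}: {reason}')
```

Running the block on the sample reports three findings: two for the "../escape" entry (name and path) and one for the "tools" entry's `update` command. On a repository you intend to clone, run it against the raw .gitmodules before the clone is made recursive; the audit is a pre-filter, not a substitute for upgrading to the fixed git-2.21.1-1.mga7 package listed below.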

References

- https://bugs.mageia.org/show_bug.cgi?id=25867

- https://www.openwall.com/lists/oss-security/2019/12/13/1

- https://www.cve.org/CVERecord?id=CVE-2019-1348

- https://www.cve.org/CVERecord?id=CVE-2019-1349

- https://www.cve.org/CVERecord?id=CVE-2019-1387

- https://www.cve.org/CVERecord?id=CVE-2019-19604

Resolution

SRPMS

- 7/core/git-2.21.1-1.mga7

Publication date: 15 Dec 2019
URL: https://advisories.mageia.org/MGASA-2019-0393.html
Type: security
CVE: CVE-2019-1348, CVE-2019-1349, CVE-2019-1387, CVE-2019-19604
