-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4599
                            git security update
                             11 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           git
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Overwrite Arbitrary Files       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-19604 CVE-2019-1387 CVE-2019-1353
                   CVE-2019-1352 CVE-2019-1349 CVE-2019-1348

Reference:         ESB-2019.4211
                   ESB-2019.3242

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4581

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4581-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 10, 2019                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : git
CVE ID         : CVE-2019-1348 CVE-2019-1349 CVE-2019-1352 CVE-2019-1353
                 CVE-2019-1387 CVE-2019-19604

Several vulnerabilities have been discovered in git, a fast, scalable,
distributed revision control system.

CVE-2019-1348

    It was reported that the --export-marks option of git fast-import is
    also exposed via the in-stream command feature export-marks=...,
    allowing arbitrary paths to be overwritten.

CVE-2019-1387

    It was discovered that submodule names are not validated strictly
    enough, allowing very targeted attacks via remote code execution
    when performing recursive clones.

CVE-2019-19604

    Joern Schneeweisz reported a vulnerability, where a recursive clone
    followed by a submodule update could execute code contained within
    the repository without the user explicitly having asked for that. It
    is now disallowed for `.gitmodules` to have entries that set
    `submodule.<name>.update=!command`.
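    The fix above rejects `update=!command` entries when they come from a
    repository's `.gitmodules`. The following script is an added example (not
    Debian's or the git project's code) of the corresponding audit a defender
    can run against a checked-out `.gitmodules` before recursing into
    submodules with an unpatched client: it parses the git-config style file,
    collects each `[submodule "<name>"]` section, and reports any `update`
    value beginning with `!`. The sample file, the submodule names and the
    URLs in it are constructed for the example; the parser is minimal and
    only handles the subset of the config syntax needed for this check.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample .gitmodules (not taken from any real repository). The
# second submodule carries the update=!command setting that the git fix for
# CVE-2019-19604 now refuses to honour from .gitmodules.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
\tupdate = checkout
[submodule "tooling"]
\tpath = tools/helper
\turl = https://example.invalid/helper.git
\tupdate = !sh -c 'echo this would run on submodule update'
"""

# [submodule "<name>"] section header; the name may contain escaped quotes.
SECTION_RE = re.compile(r'^\[submodule\s+"((?:[^"\\]|\\.)*)"\]$')
# key = value line; git config keys are alphanumeric with dashes.
KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Collect the keys of every [submodule "<name>"] section.

    Keys in other section types are ignored. A value wrapped in double
    quotes has the quotes removed so that `update = "!cmd"` is not missed;
    inline comments are deliberately not stripped, because a command value
    may legitimately contain '#' or ';'.
    """
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or full-line comment
        if line.startswith("["):
            m = SECTION_RE.match(line)
            current = m.group(1) if m else None
            if current is not None:
                modules.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            modules[current][key] = value
    return modules


def find_command_updates(text: str) -> List[Tuple[str, str]]:
    """Return (submodule name, update value) for every update=!command entry.

    A leading '!' tells git to run the rest of the value as a shell command
    during `git submodule update`; from .gitmodules that is exactly what the
    CVE-2019-19604 fix disallows, so each hit is reported.
    """
    findings = []
    for name, keys in parse_gitmodules(text).items():
        update = keys.get("update", "")
        if update.startswith("!"):
            findings.append((name, update))
    return findings


if __name__ == "__main__":
    # Usage: python audit_gitmodules.py [path/to/.gitmodules]
    # Without an argument the constructed sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_GITMODULES
    hits = find_command_updates(content)
    for name, value in hits:
        print(f"submodule {name!r}: update={value!r} would run a shell command")
    sys.exit(1 if hits else 0)
```

The script exits non-zero when a hit is found, so it can sit in a pre-clone
or CI step that refuses to run `git submodule update` on a tree whose
`.gitmodules` tries to supply a command. Settings in the clone's own
`.git/config` are out of scope here: the advisory's restriction applies to
`.gitmodules`, which is the file an untrusted repository controls.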

In addition, this update addresses a number of security issues which only
affect git operating on an NTFS filesystem (CVE-2019-1349, CVE-2019-1352
and CVE-2019-1353).

For the oldstable distribution (stretch), these problems have been fixed
in version 1:2.11.0-3+deb9u5.

For the stable distribution (buster), these problems have been fixed in
version 1:2.20.1-2+deb10u1.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/git

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----