             AUSCERT External Security Bulletin Redistribution

                SUSE-SU-2020:1121-1 Security update for git
                               29 April 2020


        AusCERT Security Bulletin Summary

Product:           git
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Overwrite Arbitrary Files       -- Existing Account            
                   Access Confidential Data        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11008 CVE-2020-5260 CVE-2019-19604
                   CVE-2019-1387 CVE-2019-1354 CVE-2019-1353
                   CVE-2019-1352 CVE-2019-1351 CVE-2019-1350
                   CVE-2019-1349 CVE-2019-1348 CVE-2018-17456
                   CVE-2018-11235 CVE-2018-11233 CVE-2017-15298

Reference:         ESB-2020.1330

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for git


Announcement ID:   SUSE-SU-2020:1121-1
Rating:            moderate
References:        #1063412 #1095218 #1095219 #1110949 #1112230 #1114225
                   #1132350 #1149792 #1156651 #1158785 #1158787 #1158788
                   #1158789 #1158790 #1158791 #1158792 #1158793 #1158795
                   #1167890 #1168930 #1169605 #1169786 #1169936
Cross-References:  CVE-2017-15298 CVE-2018-11233 CVE-2018-11235 CVE-2018-17456
                   CVE-2019-1348 CVE-2019-1349 CVE-2019-1350 CVE-2019-1351
                   CVE-2019-1352 CVE-2019-1353 CVE-2019-1354 CVE-2019-1387
                   CVE-2019-19604 CVE-2020-11008 CVE-2020-5260
Affected Products:
                   SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                   SUSE Linux Enterprise Module for Development Tools 15-SP1
                   SUSE Linux Enterprise Module for Basesystem 15-SP1

An update that solves 15 vulnerabilities and has 8 fixes is now available.


This update for git fixes the following issues:
Security issues fixed:

  o CVE-2020-11008: Specially crafted URLs could trick the credential helper
    into providing credential information that is not appropriate for the
    protocol in use and the host being contacted (bsc#1169936)

git was updated to 2.26.1 (bsc#1169786, jsc#ECO-1628, bsc#1149792)

  o Fix git-daemon not starting after conversion from sysvinit to systemd
    service (bsc#1169605).

  o CVE-2020-5260: Specially crafted URLs containing newline characters could
    make the Git client send credential information belonging to a different
    host to the attacker's site (bsc#1168930)
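
The two credential entries above (CVE-2020-11008 and CVE-2020-5260) describe
the same weak spot: git turns a URL into key=value lines for a credential
helper, and that line-oriented protocol cannot represent a newline inside a
value. The following Python is an added example, not git's code and not part
of the SUSE advisory: it re-implements a simplified version of the URL split
git used before 2.26.1, the helper's side of the protocol, and the refusal
the fixed version applies. CRAFTED_URL and the host names are constructed for
the demonstration.

```python
"""Model of the git credential-helper exchange behind CVE-2020-5260 and
CVE-2020-11008.  Added example, not git's code: a simplified re-implementation
of how git split a URL into helper fields before 2.26.1, and the checks the
fixed version applies.  The URL below is constructed for the demonstration."""
from urllib.parse import unquote, urlsplit

# Constructed attacker URL: the %0a becomes a newline once the authority part
# is percent-decoded, so a second "host=" line lands in the helper request.
CRAFTED_URL = "https://one.example.com?%0ahost=two.example.com/"


def credential_from_url(url: str) -> dict:
    """Pre-fix behaviour (simplified): the authority is everything between
    '://' and the first '/', and every field is percent-decoded."""
    protocol, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("not a URL: %r" % url)
    authority, _, _path = rest.partition("/")
    username = None
    if "@" in authority:
        userinfo, authority = authority.rsplit("@", 1)
        username = userinfo.split(":", 1)[0]
    cred = {"protocol": unquote(protocol), "host": unquote(authority)}
    if username:
        cred["username"] = unquote(username)
    return cred


def serialize_request(cred: dict) -> str:
    """git credential protocol: key=value lines, ended by an empty line."""
    return "".join(f"{key}={value}\n" for key, value in cred.items()) + "\n"


def helper_parse(request: str) -> dict:
    """What a helper does with its stdin: read until the blank line; a key
    that appears twice is simply overwritten, so the last 'host=' wins."""
    fields = {}
    for line in request.split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def credential_from_url_checked(url: str) -> dict:
    """Post-2.26.1 behaviour: refuse to consult a helper when a field holds a
    newline (unrepresentable in the protocol, CVE-2020-5260) or when the URL
    has no protocol or host (CVE-2020-11008)."""
    cred = credential_from_url(url)
    for key, value in cred.items():
        if "\n" in value or "\r" in value:
            raise ValueError(f"refusing to ask helper: newline in {key}")
    if not cred["protocol"] or not cred["host"]:
        raise ValueError("refusing to ask helper: URL has no protocol or host")
    return cred


def safe_to_ask_helper(url: str) -> bool:
    """True when the hardened parser would let git consult a helper."""
    try:
        credential_from_url_checked(url)
        return True
    except ValueError:
        return False


def demo(url: str = CRAFTED_URL) -> tuple:
    """Return (host the connection goes to, host the helper was asked about)."""
    connect_host = urlsplit(url).hostname          # what the transport sees
    helper_view = helper_parse(serialize_request(credential_from_url(url)))
    return connect_host, helper_view["host"]


if __name__ == "__main__":
    print("connect to %s, helper asked for %s" % demo())
    print("2.26.1 would ask the helper:", safe_to_ask_helper(CRAFTED_URL))
```

Running it shows the mismatch in one line: the transport connects to
one.example.com while the helper, reading the second host= line, answers for
two.example.com, so whatever it returns for the second host is sent to the
first. The newline check on the decoded fields is the fix; a helper that
ignored repeated keys would not help, because git itself writes the duplicate
line.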

git 2.26.0 (bsc#1167890, jsc#SLE-11608):

  o "git rebase" now uses a different backend that is based on the 'merge'
    machinery by default. The 'rebase.backend' configuration variable reverts
    to old behaviour when set to 'apply'
  o Improved handling of sparse checkouts
  o Improvements to many commands and internal features

git 2.25.2:

  o bug fixes to various subcommands in specific operations

git 2.25.1:

  o "git commit" now honors advise.statusHints
  o various updates, bug fixes and documentation updates

git 2.25.0

  o The branch description ("git branch --edit-description") has been used to
    fill the body of the cover letters by the format-patch command; this has
    been enhanced so that the subject can also be filled.
  o A few commands learned to take the pathspec from the standard input or a
    named file, instead of taking it as the command line arguments, with the
    "--pathspec-from-file" option.
  o Test updates to prepare for SHA-2 transition continues.
  o Redo "git name-rev" to avoid recursive calls.
  o When all files from some subdirectory were renamed to the root directory,
    the directory rename heuristics would fail to detect that as a rename/merge
    of the subdirectory to the root directory, which has been corrected.
  o HTTP transport had possible allocator/deallocator mismatch, which has been

git 2.24.1:

  o CVE-2019-1348: The --export-marks option of fast-import is exposed also via
    the in-stream command feature export-marks=... and it allows overwriting
    arbitrary paths (bsc#1158785)
  o CVE-2019-1349: on Windows, when submodules are cloned recursively, under
    certain circumstances Git could be fooled into using the same Git directory
    twice (bsc#1158787)
  o CVE-2019-1350: Incorrect quoting of command-line arguments allowed remote
    code execution during a recursive clone in conjunction with SSH URLs (bsc#
  o CVE-2019-1351: Git on Windows mistook drive letters outside of the
    US-English alphabet for relative paths (bsc#1158789)
  o CVE-2019-1352: Git on Windows was unaware of NTFS Alternate Data Streams (bsc#
  o CVE-2019-1353: when run in the Windows Subsystem for Linux while accessing
    a working directory on a regular Windows drive, none of the NTFS
    protections were active (bsc#1158791)
  o CVE-2019-1354: Git on Windows now refuses to write tracked files with
    filenames that contain backslashes (bsc#1158792)
  o CVE-2019-1387: Recursive clones were vulnerable because of too-lax
    validation of submodule names, allowing very targeted remote code
    execution attacks during recursive clones (bsc#1158793)
  o CVE-2019-19604: a recursive clone followed by a submodule update could
    execute code contained within the repository without the user explicitly
    having asked for that (bsc#1158795)

git 2.24.0

  o The command line parser learned "--end-of-options" notation.
  o A mechanism to affect the default setting for a (related) group of
    configuration variables is introduced.
  o "git fetch" learned "--set-upstream" option to help those who first clone
    from their private fork they intend to push to, add the true upstream via
    "git remote add" and then "git fetch" from it.
  o fixes and improvements to UI, workflow and features, bash completion fixes

git 2.23.0:

  o The "--base" option of "format-patch" computed the patch-ids for
    prerequisite patches in an unstable way, which has been updated to compute
    in a way that is compatible with "git patch-id --stable".
  o The "git log" command by default behaves as if the --mailmap option was
  o fixes and improvements to UI, workflow and features

git 2.22.1

  o A relative pathname given to "git init --template=<template-directory>"
    ought to be relative to the directory "git init" gets invoked in, but it
    instead was made relative to the repository, which has been corrected.
  o "git worktree add" used to fail when another worktree connected to the same
    repository was corrupt, which has been corrected.
  o "git am -i --resolved" segfaulted after trying to see a commit as if it
    were a tree, which has been corrected.
  o "git merge --squash" is designed to update the working tree and the index
    without creating the commit, and this cannot be countermanded by adding the
    "--commit" option; the command now refuses to work when both options are
  o Update to Unicode 12.1 width table.
  o "git request-pull" learned to warn when the ref we ask them to pull from in
    the local repository and in the published repository are different.
  o "git fetch" into a lazy clone forgot to fetch base objects that are
    necessary to complete delta in a thin packfile, which has been corrected.
  o The URL decoding code has been updated to avoid going past the end of the
    string while parsing a %XX escape sequence.
  o "git clean" silently skipped a path when it cannot lstat() it; now it gives
    a warning.
  o "git rm" to resolve a conflicted path leaked an internal message "needs
    merge" before actually removing the path, which was confusing. This has
    been corrected.
  o Many more bugfixes and code cleanups.

  o removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by

  o partial fix for git instaweb giving 500 error (bsc#1112230)

git 2.22.0

  o The filter specification "--filter=sparse:path=<path>" used to create a
    lazy/partial clone has been removed. Using a blob that is part of the
    project as sparse specification is still supported with the
    "--filter=sparse:oid=<blob-ish>" filter.
  o "git checkout --no-overlay" can be used to trigger a new mode of checking
    out paths out of the tree-ish, that allows paths that match the pathspec
    that are in the current index and working tree and are not in the tree-ish.
  o Four new configuration variables {author,committer}.{name,email} have been
    introduced to override user.{name,email} in more specific cases.
  o "git branch" learned a new subcommand "--show-current".
  o The command line completion (in contrib/) has been taught to complete more
    subcommand parameters.
  o The completion helper code now pays attention to repository-local
    configuration (when available), which allows --list-cmds to honour a
    repository specific setting of completion.commands, for example.
  o The list of conflicted paths shown in the editor while concluding a
    conflicted merge was shown above the scissors line when the clean-up mode
    is set to "scissors", even though it was commented out just like the list
    of updated paths and other information to help the user explain the merge
  o "git rebase" that was reimplemented in C did not set ORIG_HEAD correctly,
    which has been corrected.
  o "git worktree add" used to do a "find an available name with stat and then
    mkdir", which is race-prone. This has been fixed by using mkdir and
    reacting to EEXIST in a loop.

  o Move to DocBook 5.x. Asciidoctor 2.x no longer supports the legacy DocBook
    4.5 format.

  o update git-web AppArmor profile for bash and tar usrMerge (bsc#1132350)

git 2.21.0

  o Historically, the "-m" (mainline) option can only be used for "git
    cherry-pick" and "git revert" when working with a merge commit. This
    version of Git no longer warns or errors out when working with a
    single-parent commit, as long as the argument to the "-m" option is 1 (i.e.
    it has only one parent, and the request is to pick or revert relative to
    that first parent). Scripts that relied on the behaviour may get broken
    with this change.
  o Small fixes and features for fast-export and fast-import.
  o The "http.version" configuration variable can be used with recent enough
    versions of cURL library to force the version of HTTP used to talk when
    fetching and pushing.
  o "git push $there $src:$dst" rejects when $dst is not a fully qualified
    refname and it is not clear what the end user meant.
  o Update "git multimail" from the upstream.
  o A new date format "--date=human" that morphs its output depending on how
    far the time is from the current time has been introduced. "--date=
    auto:human" can be used to use this new format (or any existing format)
    when the output is going to the pager or to the terminal, and otherwise the
    default format.

  o Fix worktree creation race (bsc#1114225).
  o add shadow build dependency to the -daemon subpackage.

git 2.20.1:

  o portability fixes
  o "git help -a" did not work well when an overly long alias was defined
  o no longer squelched an error message when the run_command API failed to run
    a missing command

git 2.20.0

  o "git help -a" now gives verbose output (same as "git help -av"). Those who
    want the old output may say "git help --no-verbose -a".
  o "git send-email" learned to grab address-looking string on any trailer
    whose name ends with "-by".
  o "git format-patch" learned new "--interdiff" and "--range-diff" options to
    explain the difference between this version and the previous attempt in the
    cover letter (or after the three-dashes as a comment).
  o Developer builds now use -Wunused-function compilation option.
  o Fix a bug in which the same path could be registered under multiple
    worktree entries if the path was missing (for instance, was removed
    manually). Also, as a convenience, expand the number of cases in which
    --force is applicable.
  o The overly large Documentation/config.txt file has been split into many
    small pieces. This potentially allows each individual piece to be included
    into the manual page of the command it affects more easily.
  o Malformed or crafted data in packstream can make our code attempt to read
    or write past the allocated buffer and abort, instead of reporting an
    error, which has been fixed.
  o Fix for a long-standing bug that leaves the index file corrupt when it
    shrinks during a partial commit.
  o "git merge" and "git pull" that merges into an unborn branch used to
    completely ignore "--verify-signatures", which has been corrected.
  o ...and much more features and fixes

git 2.19.2:

  o various bug fixes for multiple subcommands and operations

git 2.19.1:

  o CVE-2018-17456: Specially crafted .gitmodules files may have allowed
    arbitrary code execution when the repository is cloned with
    --recurse-submodules (bsc#1110949)

git 2.19.0:

  o "git diff" compares the index and the working tree. For paths added with
    intent-to-add bit, the command shows the full contents of them as added,
    but the paths themselves were not marked as new files. They are now shown
    as new by default.
  o "git apply" learned the "--intent-to-add" option so that an otherwise
    working-tree-only application of a patch will add new paths to the index
    marked with the "intent-to-add" bit.
  o "git grep" learned the "--column" option that gives not just the line
    number but the column number of the hit.
  o The "-l" option in "git branch -l" is an unfortunate short-hand for
    "--create-reflog", but many users, both old and new, somehow expect it to
    be something else, perhaps "--list". This step warns when "-l" is used as a
    short-hand for "--create-reflog" and about its future repurposing.
  o The userdiff pattern for .php has been updated.
  o The content-transfer-encoding of the message "git send-email" sends out by
    default was 8bit, which can cause trouble when there is an overlong line to
    bust RFC 5322/2822 limit. A new option 'auto' to automatically switch to
    quoted-printable when there is such a line in the payload has been
    introduced and is made the default.
  o "git checkout" and "git worktree add" learned to honor
    checkout.defaultRemote when auto-vivifying a local branch out of a remote
    tracking branch in a repository with multiple remotes that have tracking
    branches that share the same names. (merge 8d7b558bae ab/
    checkout-default-remote later to maint).
  o "git grep" learned the "--only-matching" option.
  o "git rebase --rebase-merges" mode now handles octopus merges as well.
  o Add a server-side knob to skip commits in exponential/Fibonacci stride in
    an attempt to cover a wider swath of history with a smaller number of
    iterations, potentially accepting a larger packfile transfer, instead of
    going back one commit at a time during common ancestor discovery during
    the "git fetch" transaction. (merge 42cc7485a2 jt/fetch-negotiator-skipping
    later to maint).
  o A new configuration variable core.usereplacerefs has been added, primarily
    to help server installations that want to ignore the replace mechanism
  o Teach "git tag -s" etc. a few configuration variables (gpg.format, which
    can be set to "openpgp" or "x509", and gpg.<format>.program, which is used
    to specify what program to use to deal with the format) to allow x.509
    certs with CMS via "gpgsm" to be used instead of openpgp via "gnupg".
  o Many more strings are prepared for l10n.
  o "git p4 submit" learns to ask its own pre-submit hook if it should continue
    with submitting.
  o The test performed at the receiving end of "git push" to prevent bad
    objects from entering repository can be customized via receive.fsck.*
    configuration variables; we now have gained a counterpart to do the same on
    the "git fetch" side, with fetch.fsck.* configuration variables.
  o "git pull --rebase=interactive" learned "i" as a short-hand for
  o "git instaweb" has been adjusted to run better with newer Apache on RedHat
    based distros.
  o "git range-diff" is a reimplementation of "git tbdiff" that lets us compare
    individual patches in two iterations of a topic.
  o The sideband code learned to optionally paint selected keywords at the
    beginning of incoming lines on the receiving end.
  o "git branch --list" learned to take the default sort order from the
    'branch.sort' configuration variable, just like "git tag --list" pays
    attention to 'tag.sort'.
  o "git worktree" command learned "--quiet" option to make it less verbose.

git 2.18.0:

  o improvements to rename detection logic
  o When built with more recent cURL, GIT_SSL_VERSION can now specify "tlsv1.3"
    as its value.
  o "git mergetools" learned talking to guiffy.
  o various other workflow improvements and fixes
  o performance improvements and other developer visible fixes

git 2.17.1

  o Submodule "names" come from the untrusted .gitmodules file, but we blindly
    append them to $GIT_DIR/modules to create our on-disk repo paths. This
    means you can do bad things by putting "../" into the name. We now enforce
    some rules for submodule names which will cause Git to ignore these
    malicious names (CVE-2018-11235, bsc#1095219)
  o It was possible to trick the code that sanity-checks paths on NTFS into
    reading a random piece of memory (CVE-2018-11233, bsc#1095218)
  o Support on the server side to reject pushes to repositories that attempt to
    create such problematic .gitmodules file etc. as tracked contents, to help
    hosting sites protect their customers by preventing malicious contents from
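
Both the 2.17.1 entries above (CVE-2018-11235, CVE-2018-11233 and the
server-side rejection) and the 2.24.1 entries earlier on this page
(CVE-2019-1387, CVE-2019-19604, and CVE-2018-17456 in 2.19.1) come down to
the same file: .gitmodules is tracked content an attacker controls, and git
used to trust the names, paths, urls and update settings in it. The following
Python is an added example, not git's code and not from the advisory: a small
parser for the git-config syntax .gitmodules uses, plus an audit modelled on
the rules git grew across those fixes (names with ".." components or that
resolve to ".git" under NTFS/HFS+ naming, dash-prefixed url or path values,
and "update = !command"). The sample file is constructed, and the NTFS/HFS+
normalisation is a simplification of git's, not a copy of it.

```python
"""Audit of an untrusted .gitmodules file.  Added example, not git's code: a
small parser for the git-config syntax .gitmodules uses, plus checks modelled
on the rules git grew for CVE-2018-11235, CVE-2018-17456, CVE-2019-1387 and
CVE-2019-19604.  The sample file is constructed; the NTFS/HFS+ normalisation
below is a simplification of git's."""
import re

SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')
# code points HFS+ ignores when comparing file names (subset git also ignores)
HFS_IGNORABLE = ("\u200c\u200d\u200e\u200f\u202a\u202b\u202c\u202d\u202e"
                 "\u206a\u206b\u206c\u206d\u206e\u206f\ufeff")


def parse_gitmodules(text: str) -> dict:
    """Return {submodule name: {key: value}}; other sections are ignored."""
    modules, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(raw)
        if m:
            name = re.sub(r"\\(.)", r"\1", m.group(1))   # un-escape \" and \\
            current = modules.setdefault(name, {})
            continue
        if stripped.startswith("["):
            current = None
            continue
        m = KEY_RE.match(raw)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules


def _is_dotgit(component: str) -> bool:
    """Would this path component reach '.git' on a case-insensitive FS?"""
    c = "".join(ch for ch in component if ch not in HFS_IGNORABLE)
    c = c.rstrip(". ").lower()              # NTFS drops trailing dots/spaces
    return c == ".git" or re.fullmatch(r"git~[1-9][0-9]*", c) is not None


def _path_problems(value: str, what: str) -> list:
    problems = []
    components = re.split(r"[/\\]", value)
    if ".." in components:
        problems.append(f"{what}-dotdot")
    if any(_is_dotgit(c) for c in components):
        problems.append(f"{what}-dotgit")
    return problems


def audit_gitmodules(text: str) -> dict:
    """Return {name: sorted problem codes}; an empty list means clean."""
    report = {}
    for name, entry in parse_gitmodules(text).items():
        problems = []
        if not name:
            problems.append("name-empty")
        if name.startswith("-"):
            problems.append("name-dash")
        problems += _path_problems(name, "name")
        path = entry.get("path", "")
        if path.startswith("-"):
            problems.append("path-dash")
        problems += _path_problems(path, "path")
        if entry.get("url", "").startswith("-"):        # would parse as an option
            problems.append("url-dash")
        if entry.get("update", "").startswith("!"):     # runs a shell command
            problems.append("update-command")
        report[name] = sorted(problems)
    return report


# Constructed sample: one clean entry and three that each trip a different rule.
SAMPLE_GITMODULES = """\
[submodule "vendor/good"]
\tpath = vendor/good
\turl = https://example.com/good.git
[submodule "../../.git/hooks"]
\tpath = hooks
\turl = https://example.com/evil.git
[submodule "GIT~1"]
\tpath = lib
\turl = -uabc
[submodule "runner"]
\tpath = runner
\turl = https://example.com/runner.git
\tupdate = !uname -a
"""


if __name__ == "__main__":
    for name, problems in audit_gitmodules(SAMPLE_GITMODULES).items():
        print(f"{name!r}: {problems or 'ok'}")
```

The name check matters more than the path check: the name is what git appends
to $GIT_DIR/modules, as the CVE-2018-11235 entry says, so a ".." or ".git"
component there lands inside the repository's own metadata rather than in the
working tree. On a hosting server the real enforcement point is the one the
page mentions: with transfer.fsckObjects (or the receive.fsck.* and
fetch.fsck.* variables described under 2.19.0) git runs its own .gitmodules
checks on every push and fetch, so a file like the sample never enters the
repository in the first place.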

git 2.17.0:

  o "diff" family of commands learned "--find-object=<object-id>" option to
    limit the findings to changes that involve the named object.
  o "git format-patch" learned to give 72-cols to diffstat, which is consistent
    with other line length limits the subcommand uses for its output meant for
  o The log from "git daemon" can be redirected with a new option; one relevant
    use case is to send the log to standard error (instead of syslog) when
    running it from inetd.
  o "git rebase" learned to take "--allow-empty-message" option.
  o "git am" has learned the "--quit" option, in addition to the existing
    "--abort" option; having the pair mirrors a few other commands like
    "rebase" and "cherry-pick".
  o "git worktree add" learned to run the post-checkout hook, just like "git
    clone" runs it upon the initial checkout.
  o "git tag" learned an explicit "--edit" option that allows the message given
    via "-m" and "-F" to be further edited.
  o "git fetch --prune-tags" may be used as a handy short-hand for getting rid
    of stale tags that are locally held.
  o The new "--show-current-patch" option gives an end-user facing way to get
    the diff being applied when "git rebase" (and "git am") stops with a
  o "git add -p" used to offer "/" (look for a matching hunk) as a choice, even
    there was only one hunk, which has been corrected. Also the single-key help
    is now given only for keys that are enabled (e.g. help for '/' won't be
    shown when there is only one hunk).
  o Since Git 1.7.9, "git merge" defaulted to --no-ff (i.e. even when the side
    branch being merged is a descendant of the current commit, create a merge
    commit instead of fast-forwarding) when merging a tag object. This was an
    appropriate default for integrators who pull signed tags from their
    downstream contributors, but caused unnecessary merges when used by
    downstream contributors who habitually "catch up" their topic branches with
    tagged releases from the upstream. Update "git merge" to default to --no-ff
    only when merging a tag object that does *not* sit at its usual place in
    the refs/tags/ hierarchy, and allow fast-forwarding otherwise, to mitigate the
  o "git status" can spend a lot of cycles to compute the relation between the
    current branch and its upstream, which can now be disabled with
    "--no-ahead-behind" option.
  o "git diff" and friends learned funcname patterns for Go language source
  o "git send-email" learned "--reply-to=<address>" option.
  o Funcname pattern used for C# now recognizes "async" keyword.
  o In a way similar to how "git tag" learned to honor the pager setting only
    in the list mode, "git config" learned to ignore the pager setting when it
    is used for setting values (i.e. when the purpose of the operation is not
    to "show").

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1121=1
  o SUSE Linux Enterprise Module for Development Tools 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1121=1
  o SUSE Linux Enterprise Module for Basesystem 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1121=1

Package List:

  o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
    (aarch64 ppc64le s390x x86_64):
  o SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le
    s390x x86_64):
  o SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch):
  o SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x


  o https://www.suse.com/security/cve/CVE-2017-15298.html
  o https://www.suse.com/security/cve/CVE-2018-11233.html
  o https://www.suse.com/security/cve/CVE-2018-11235.html
  o https://www.suse.com/security/cve/CVE-2018-17456.html
  o https://www.suse.com/security/cve/CVE-2019-1348.html
  o https://www.suse.com/security/cve/CVE-2019-1349.html
  o https://www.suse.com/security/cve/CVE-2019-1350.html
  o https://www.suse.com/security/cve/CVE-2019-1351.html
  o https://www.suse.com/security/cve/CVE-2019-1352.html
  o https://www.suse.com/security/cve/CVE-2019-1353.html
  o https://www.suse.com/security/cve/CVE-2019-1354.html
  o https://www.suse.com/security/cve/CVE-2019-1387.html
  o https://www.suse.com/security/cve/CVE-2019-19604.html
  o https://www.suse.com/security/cve/CVE-2020-11008.html
  o https://www.suse.com/security/cve/CVE-2020-5260.html
  o https://bugzilla.suse.com/1063412
  o https://bugzilla.suse.com/1095218
  o https://bugzilla.suse.com/1095219
  o https://bugzilla.suse.com/1110949
  o https://bugzilla.suse.com/1112230
  o https://bugzilla.suse.com/1114225
  o https://bugzilla.suse.com/1132350
  o https://bugzilla.suse.com/1149792
  o https://bugzilla.suse.com/1156651
  o https://bugzilla.suse.com/1158785
  o https://bugzilla.suse.com/1158787
  o https://bugzilla.suse.com/1158788
  o https://bugzilla.suse.com/1158789
  o https://bugzilla.suse.com/1158790
  o https://bugzilla.suse.com/1158791
  o https://bugzilla.suse.com/1158792
  o https://bugzilla.suse.com/1158793
  o https://bugzilla.suse.com/1158795
  o https://bugzilla.suse.com/1167890
  o https://bugzilla.suse.com/1168930
  o https://bugzilla.suse.com/1169605
  o https://bugzilla.suse.com/1169786
  o https://bugzilla.suse.com/1169936

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.