Vulnerability CVE-2019-19604: Information
Description
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Published: Dec. 11, 2019
Modified: Nov. 7, 2023
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| git | sisyphus | 2.24.1-alt1 | 2.42.2-alt1 | ALT-PU-2019-3258-1 | 242631 | Fixed |
| git | p10 | 2.24.1-alt1 | 2.33.8-alt1 | ALT-PU-2019-3258-1 | 242631 | Fixed |
| git | p9 | 2.24.1-alt1 | 2.25.4-alt1 | ALT-PU-2019-3259-1 | 242632 | Fixed |
| git | p8 | 2.24.1-alt1 | 2.24.1-alt1 | ALT-PU-2019-3276-1 | 242633 | Fixed |
| git | c10f1 | 2.24.1-alt1 | 2.42.1-alt1 | ALT-PU-2019-3258-1 | 242631 | Fixed |
| git | c9f2 | 2.24.1-alt1 | 2.42.1-alt1 | ALT-PU-2019-3259-1 | 242632 | Fixed |
| git | p11 | 2.24.1-alt1 | 2.42.2-alt1 | ALT-PU-2019-3258-1 | 242631 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
|---|---|
| https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.24.1.txt |
|
| https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md |
|
| DSA-4581 |
|
| [oss-security] 20191213 Multiple vulnerabilities fixed in Git |
|
| openSUSE-SU-2020:0123 |
|
| GLSA-202003-30 |
|
| openSUSE-SU-2020:0598 |
|
| https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/ | |
| FEDORA-2019-c841bcc3b9 | |
| FEDORA-2019-1cec196e20 |