CVE-2015-7545
Description
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2015-7545
Vendor advisory: secalert@redhat.com — https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt
Vendor advisory: secalert@redhat.com — https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt
Vendor advisory: secalert@redhat.com — https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2015-7545.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 1:2.6.1-1 |
| debian | bullseye | fixed | 1:2.6.1-1 |
| debian | forky | fixed | 1:2.6.1-1 |
| debian | sid | fixed | 1:2.6.1-1 |
| debian | trixie | fixed | 1:2.6.1-1 |
| suse | 13.1 | affected | |
| suse | 13.2 | affected | |
| ubuntu | 12.04 | affected | |
| ubuntu | 14.04 | affected | |
| ubuntu | 15.04 | affected | |
| ubuntu | 15.10 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| git_project | git | <= 2.3.9 | |
| git_project | git | 2.4.0 | |
| git_project | git | 2.4.1 | |
| git_project | git | 2.4.2 | |
| git_project | git | 2.4.3 | |
| git_project | git | 2.4.4 | |
| git_project | git | 2.4.5 | |
| git_project | git | 2.4.6 | |
| git_project | git | 2.4.7 | |
| git_project | git | 2.4.8 | |
| git_project | git | 2.4.9 | |
| git_project | git | 2.5.0 | |
| git_project | git | 2.5.1 | |
| git_project | git | 2.5.2 | |
| git_project | git | 2.5.3 | |
| git_project | git | 2.6.0 | |
| redhat | software_collections | 1.0 | |
References
- https://www.suse.com/security/cve/CVE-2015-7545.html
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00066.html
- http://rhn.redhat.com/errata/RHSA-2015-2515.html
- http://www.debian.org/security/2016/dsa-3435
- http://www.openwall.com/lists/oss-security/2015/12/08/5
- http://www.openwall.com/lists/oss-security/2015/12/09/8
- http://www.openwall.com/lists/oss-security/2015/12/11/7
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.securityfocus.com/bid/78711
- http://www.securitytracker.com/id/1034501
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.533255
- http://www.ubuntu.com/usn/USN-2835-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1269794
- https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt
- https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt
- https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt
- https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt
- https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021
- https://lkml.org/lkml/2015/10/5/683
- https://security.gentoo.org/glsa/201605-01
- https://security-tracker.debian.org/tracker/CVE-2015-7545
CWEs
CWE-20 (Improper Input Validation), CWE-284 (Improper Access Control)