[Bug 1993586] Re: Cannot add submodule using file transport
Edward Vielmetti
1993586 at bugs.launchpad.net
Thu Oct 20 15:32:16 UTC 2022
From the description, this looks like fallout from CVE-2022-39253
https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253
associated with the release of git 2.38.1 and the back port of the associated patch
to v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, and v2.37.4.
https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@gitster.g/
From the GitHub blog:
"This vulnerability can be used to break security boundaries, by
injecting sensitive content into a malicious Docker container, for
example. This attack relies on the existence of a symbolic link inside
of a repository’s $GIT_DIR/objects directory, meaning that you must
either clone a malicious repository locally, or clone a malicious
repository packaged as a local submodule inside of another repository."
Thanks to jpetazzo for the alert at
https://twitter.com/jpetazzo/status/1583112279012257797
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-39253
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to git in Ubuntu.
https://bugs.launchpad.net/bugs/1993586
Title:
Cannot add submodule using file transport
Status in git package in Ubuntu:
Confirmed
Bug description:
On Ubuntu 22.04, somewhere between git=1:2.34.1-1ubuntu1 and
git=1:2.34.1-1ubuntu1.5, the ability to add a submodule using the
local file system broke.
## Reproduce ##
docker run -it --rm ubuntu:22.04
apt-get update
apt-get install -y git=1:2.34.1-1ubuntu1.5
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
git config --global init.defaultBranch main
mkdir -p /tmp/foo
mkdir -p /tmp/bar
cd /tmp/bar
git init .
touch hi
git add hi
git commit -m "Init"
cd /tmp/foo
git init .
touch bye
git add bye
git commit -m "Initial"
git submodule add /tmp/bar the_bar
## Expected Output ##
Initialized empty Git repository in /tmp/bar/.git/
[main (root-commit) 7583952] Init
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 hi
Initialized empty Git repository in /tmp/foo/.git/
[main (root-commit) 7ee5648] Initial
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 bye
Cloning into '/tmp/foo/the_bar'...
done.
## Actual Output ##
Initialized empty Git repository in /tmp/bar/.git/
[main (root-commit) 7583952] Init
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 hi
Initialized empty Git repository in /tmp/foo/.git/
[main (root-commit) 7ee5648] Initial
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 bye
Cloning into '/tmp/foo/the_bar'...
fatal: transport 'file' not allowed
fatal: clone of '/tmp/bar' into submodule path '/tmp/foo/the_bar' failed
## Workaround ##
Installing a previous version of git works:
apt-get install -y git=1:2.34.1-1ubuntu1 # This works
So somewhere in the last 4 releases, something broke.
## apt-cache policy git ##
git:
  Installed: 1:2.34.1-1ubuntu1.5
  Candidate: 1:2.34.1-1ubuntu1.5
  Version table:
 *** 1:2.34.1-1ubuntu1.5 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:2.34.1-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
## lsb_release -rd ##
Description: Ubuntu 22.04 LTS
Release: 22.04
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1993586/+subscriptions
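An added example, not part of the original report or of git itself: a shell helper that checks a local repository for the symbolic-link precondition quoted above before adding it as a submodule with the file transport enabled for that single command. The function names are hypothetical; `protocol.file.allow` is git's own setting, and the check covers only symlinks under the objects directory, so it is a precondition test for repositories you already trust, not a general safety verdict.

```shell
#!/bin/sh
# Added example; objects_dir, objects_dir_clean and trusted_submodule_add
# are hypothetical helper names, not git commands.

# Print the objects directory of the repository at $1 without invoking git.
# Handles a normal work tree (repo/.git/objects) and a bare repo (repo/objects).
objects_dir() {
    if [ -d "$1/.git/objects" ]; then
        printf '%s\n' "$1/.git/objects"
    elif [ -d "$1/objects" ]; then
        printf '%s\n' "$1/objects"
    else
        return 1
    fi
}

# Return 0 when no symbolic link exists at or below the objects directory,
# 1 when one is found, 2 when $1 does not look like a repository.
objects_dir_clean() {
    odir=$(objects_dir "$1") || return 2
    # The objects directory itself may be the symlink.
    if [ -L "$odir" ]; then
        return 1
    fi
    # find does not follow symlinks by default, so dangling links are seen too.
    first_link=$(find "$odir" -type l -print | head -n 1)
    [ -z "$first_link" ]
}

# Add local repository $1 as submodule $2. The file transport is allowed for
# this one invocation only; the global default stays as the security update
# set it. Refuses when the source fails the symlink check.
trusted_submodule_add() {
    src=$1
    dest=$2
    if ! objects_dir_clean "$src"; then
        echo "refusing: $src is not a repository or has symlinks under objects/" >&2
        return 1
    fi
    git -c protocol.file.allow=always submodule add "$src" "$dest"
}
```

With the reproduction steps above, `trusted_submodule_add /tmp/bar the_bar` run from /tmp/foo replaces the failing `git submodule add` call. Setting `protocol.file.allow` to `always` in global configuration would instead lift the restriction for every repository on the machine.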