CVE-2019-19604

Name	CVE-2019-19604
Description	Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
git (PTS)	bullseye	1:2.30.2-1+deb11u2	fixed
	bullseye (security)	1:2.30.2-1+deb11u3	fixed
	bookworm	1:2.39.2-1.1	fixed
	bookworm (security)	1:2.39.5-0+deb12u1	fixed
	trixie	1:2.45.2-1	fixed
	sid	1:2.45.2-1.1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
git	source	jessie	(not affected)
git	source	stretch	(not affected)
git	source	buster	1:2.20.1-2+deb10u1
git	source	(unstable)	1:2.24.0-2

Notes

[stretch] - git <not-affected> (Vulnerable code introduced in v2.20.0-rc0)
[jessie] - git <not-affected> (Vulnerable code introduced in v2.20.0-rc0)
https://git.kernel.org/pub/scm/git/git.git/commit/?id=e904deb89d9a9669a76a426182506a084d3f6308
https://git.kernel.org/pub/scm/git/git.git/commit/?id=bb92255ebe6bccd76227e023d6d0bc997e318ad0
https://git.kernel.org/pub/scm/git/git.git/commit/?id=c1547450748fcbac21675f2681506d2d80351a19
Upstream did backport fixes for CVE-2019-19604 to older versions as the introducing
version for sake of robustness/hardening. In particular, the server-side protection
provided by the fsck is useful for protecting unpatched clients that are affected
by the bug.
https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md
https://www.openwall.com/lists/oss-security/2019/12/13/1