CVE-2019-19604

NameCVE-2019-19604
DescriptionArbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
git (PTS)bullseye1:2.30.2-1+deb11u2fixed
bullseye (security)1:2.30.2-1+deb11u3fixed
bookworm, bookworm (security)1:2.39.5-0+deb12u1fixed
trixie1:2.45.2-1fixed
sid1:2.45.2-1.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gitsourcejessie(not affected)
gitsourcestretch(not affected)
gitsourcebuster1:2.20.1-2+deb10u1
gitsource(unstable)1:2.24.0-2

Notes

[stretch] - git <not-affected> (Vulnerable code introduced in v2.20.0-rc0)
[jessie] - git <not-affected> (Vulnerable code introduced in v2.20.0-rc0)
https://git.kernel.org/pub/scm/git/git.git/commit/?id=e904deb89d9a9669a76a426182506a084d3f6308
https://git.kernel.org/pub/scm/git/git.git/commit/?id=bb92255ebe6bccd76227e023d6d0bc997e318ad0
https://git.kernel.org/pub/scm/git/git.git/commit/?id=c1547450748fcbac21675f2681506d2d80351a19
Upstream did backport fixes for CVE-2019-19604 to older versions as the introducing
version for sake of robustness/hardening. In particular, the server-side protection
provided by the fsck is useful for protecting unpatched clients that are affected
by the bug.
https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md
https://www.openwall.com/lists/oss-security/2019/12/13/1

Search for package or bug name: Reporting problems