Amazon Linux AMI update for git

1) Input validation error

EUVDB-ID: #VU32315

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2015-7545

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.

Mitigation

Update the affected packages:

i686:
    git-debuginfo-2.4.3-7.42.amzn1.i686
    git-daemon-2.4.3-7.42.amzn1.i686
    git-svn-2.4.3-7.42.amzn1.i686
    git-2.4.3-7.42.amzn1.i686

noarch:
    git-email-2.4.3-7.42.amzn1.noarch
    emacs-git-2.4.3-7.42.amzn1.noarch
    git-hg-2.4.3-7.42.amzn1.noarch
    git-all-2.4.3-7.42.amzn1.noarch
    gitweb-2.4.3-7.42.amzn1.noarch
    emacs-git-el-2.4.3-7.42.amzn1.noarch
    git-p4-2.4.3-7.42.amzn1.noarch
    perl-Git-2.4.3-7.42.amzn1.noarch
    git-bzr-2.4.3-7.42.amzn1.noarch
    git-cvs-2.4.3-7.42.amzn1.noarch
    perl-Git-SVN-2.4.3-7.42.amzn1.noarch

src:
    git-2.4.3-7.42.amzn1.src

x86_64:
    git-debuginfo-2.4.3-7.42.amzn1.x86_64
    git-daemon-2.4.3-7.42.amzn1.x86_64
    git-2.4.3-7.42.amzn1.x86_64
    git-svn-2.4.3-7.42.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

• cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2015-613.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.