CVE-2015-7545 – git: arbitrary code execution via crafted URLs

https://notcve.org/view.php?id=CVE-2015-7545

The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule. El (1) git-remote-ext y (2) otros programas de ayuda remotos no especificados en Git en versiones anteriores a 2.3.10, 2.4.x en versiones anteriores a 2.4.10, 2.5.x en versiones anteriores a 2.5.4 y 2.6.x en versiones anteriores a 2.6.1 no restringen correctamente los protocolos permitidos, lo que podría permitir a atacantes remotos ejecutar código arbitrario a través de una URL en un (a) archivo .gitmodules u (b) otras fuentes desconocidas en un submódulo. A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system. • http://lists.opensuse.org/opensuse-updates/2015-11/msg00066.html http://rhn.redhat.com/errata/RHSA-2015-2515.html http://www.debian.org/security/2016/dsa-3435 http://www.openwall.com/lists/oss-security/2015/12/08/5 http://www.openwall.com/lists/oss-security/2015/12/09/8 http://www.openwall.com/lists/oss-security/2015/12/11/7 http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016&# • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-284: Improper Access Control •