Corrective releases of the distributed source control system Git 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4 and 2.14.6 have been published, fixing vulnerabilities that allowed an attacker to overwrite arbitrary paths in the file system, achieve remote code execution, or overwrite files in the “.git/” directory. Most of the problems were identified by the Microsoft Security Response Center; five of the eight vulnerabilities are specific to the Windows platform.
- CVE-2019-1348 – the stream command “feature export-marks=path” allows marks to be written to arbitrary directories, which can be used to overwrite arbitrary paths in the file system when running “git fast-import” on unverified input data.
- CVE-2019-1350 – incorrect escaping of command-line arguments could lead to remote execution of attacker-supplied code during recursive cloning over an ssh:// URL.
- CVE-2019-1349 – when recursively cloning submodules (“clone --recurse-submodules”) in a Windows environment, under certain conditions it was possible to cause the same git directory to be used twice (NTFS treats .git, git~1, git~2 and git~N as a single directory, but only the git~1 form was checked), which could be used to write into the “.git” directory.
- CVE-2019-1351 – the handling of drive letters in Windows paths when translating paths of the form “C:\” only accounted for single-letter Latin identifiers, and did not take into account the possibility of creating virtual drives assigned via “subst letter: path”.
- CVE-2019-1352 – on the Windows platform, NTFS alternate data streams, created by appending the “:stream-name:stream-type” attribute to a file name, made it possible to overwrite files in the “.git/” directory when cloning a malicious repository.
- CVE-2019-1353 – when using Git in the WSL (Windows Subsystem for Linux) environment, access to the working directory was not protected against NTFS name manipulation (attacks through FAT short-name translation were possible; for example, “.git” could be referenced through the git~1 directory).
- CVE-2019-1354 – the ability to write to the “.git/” directory on the Windows platform when cloning malicious repositories containing files with a backslash in the name (for example, “a\b”), which is valid on Unix/Linux but is treated as a path separator on Windows.
- CVE-2019-1387 – insufficient validation of submodule names could be used to mount targeted attacks that could potentially lead to execution of attacker code during recursive cloning.
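As an added illustration (not code from the Git project or from the release announcement), the following Python check flags the kinds of tree paths these fixes guard against: components that resolve to .git through NTFS 8.3 short names or trailing dots, backslashes, colons (alternate data streams or drive letters), and “..” traversal. It is a simplified standalone approximation of the idea behind Git's own path verification, and the sample tree entries are constructed.

```python
import re
from typing import Dict, List

# NTFS 8.3 short names of the form "git~N" alias a long name such as ".git"
# (CVE-2019-1349/1353); NTFS also drops trailing dots and spaces (".git." -> ".git").
_GIT_SHORTNAME = re.compile(r"^git~[1-9][0-9]*$", re.IGNORECASE)

def dotgit_equivalent(component: str) -> bool:
    """True if a single path component would land on the .git directory on NTFS."""
    if component.rstrip(". ").lower() == ".git":
        return True
    return bool(_GIT_SHORTNAME.match(component))

def path_findings(path: str) -> List[str]:
    """Reasons a tree path is unsafe to check out on Windows/NTFS; empty if none."""
    findings = []
    if path.startswith("/"):
        findings.append("absolute path")
    for comp in path.split("/"):
        if comp == "..":
            findings.append("parent-directory traversal (..)")
        if dotgit_equivalent(comp):
            findings.append(f"component {comp!r} resolves to .git on NTFS")
        if "\\" in comp:
            findings.append(f"backslash in {comp!r} (path separator on Windows, CVE-2019-1354)")
        if ":" in comp:
            findings.append(f"colon in {comp!r} (alternate data stream or drive letter)")
    return findings

def scan_tree(paths: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its findings; clean paths are omitted."""
    return {p: f for p in paths if (f := path_findings(p))}

# Constructed sample tree listing (not taken from any real repository).
SAMPLE_TREE = [
    "src/main.c",
    "git~1/hooks/post-checkout",
    ".git./config",
    "a\\b",
    "README.md:hidden:$DATA",
    "sub/../../escape.txt",
]

if __name__ == "__main__":
    for path, reasons in scan_tree(SAMPLE_TREE).items():
        print(path, "->", "; ".join(reasons))
```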
Windows users are advised to update Git urgently and to refrain from cloning unverified repositories until they have updated. If an urgent update is not possible, then to reduce the risk of attack it is recommended not to run “git clone --recurse-submodules” or “git submodule update” with unverified repositories, not to use “git fast-import” with unverified input streams, and not to clone repositories onto NTFS-based partitions.
More information is available in the mailing list announcement.