Git update fixing 8 vulnerabilities

Corrective releases of the distributed source control system Git 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4 and 2.14.6 have been published, fixing vulnerabilities that could allow an attacker to overwrite arbitrary paths in the file system, achieve remote code execution, or overwrite files in the ".git/" directory. Most of the problems were identified by employees of the Microsoft Security Response Center; five of the eight vulnerabilities are specific to the Windows platform.

  • CVE-2019-1348 - the fast-import stream command "feature export-marks=path" allowed writing marks to arbitrary paths, which could be used to overwrite arbitrary files when running "git fast-import" on unverified input.
  • CVE-2019-1350 - incorrect escaping of command line arguments could lead to remote execution of attacker-supplied code during recursive cloning over an ssh:// URL. In particular, arguments ending in a backslash (for example, "test \") were escaped incorrectly: when the argument was wrapped in double quotes, the closing quote ended up escaped, which made it possible to inject additional options into the command line.
  • CVE-2019-1349 - when recursively cloning submodules ("clone --recurse-submodules") on Windows, under certain conditions Git could be forced to use the same git directory twice (.git, git~1, git~2 and git~N are recognized as a single directory on NTFS, but only the git~1 case had been tested for), which could be used to write to the ".git" directory. To get code executed, an attacker could, for example, plant a script through the post-checkout hook configured in .git/config.
  • CVE-2019-1351 - the handler for drive letters in Windows paths such as "C:\" was designed to recognize only single Latin letters and did not take into account virtual drives created with "subst letter:path". Such paths were treated not as absolute but as relative, which made it possible, when cloning a malicious repository, to write to an arbitrary directory outside the working tree (for example, by using a digit or a Unicode character as the drive name: "1:\what\the\hex.txt" or "ä:\tschibät.sch").
  • CVE-2019-1352 - on Windows, NTFS alternate data streams, addressed by appending ":stream-name:stream-type" to a file name, allowed overwriting files in the ".git/" directory when cloning a malicious repository. For example, the name ".git::$INDEX_ALLOCATION" was treated by NTFS as a valid reference to the ".git" directory.
  • CVE-2019-1353 - when using Git under WSL (Windows Subsystem for Linux), the protection against NTFS name manipulation was not applied when accessing the working directory (attacks were possible through FAT name translation; for example, ".git" could be accessed through the "git~1" directory).
  • CVE-2019-1354 - possibility of writing to the ".git/" directory on Windows when cloning malicious repositories containing files with a backslash in their name (e.g. "a\b"), which is valid on Unix/Linux but is interpreted as a path separator on Windows.

  • CVE-2019-1387 - insufficient checking of submodule names could be used for targeted attacks that, during recursive cloning, could potentially lead to execution of the attacker's code. Git did not prohibit creating a submodule directory inside the directory of another submodule, which in most cases only causes confusion, but it does not preclude overwriting the contents of another module during recursive cloning (for example, the submodule directories "hippo" and "hippo/hooks" are placed at ".git/modules/hippo/" and ".git/modules/hippo/hooks/", and the hooks directory in hippo can then be used to plant hooks that get triggered).
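
The Windows path checks behind the items above, as an added Python illustration (not Git's own code): a defender-side filter that flags tree-entry names which would resolve to ".git" or escape the work tree through NTFS 8.3 short names, alternate data streams, trailing dots or spaces, backslash separators, or a subst-style drive prefix. The sample names are constructed for this example.

```python
import re

# Constructed sample tree-entry names (not from the page or Git's test suite).
SAMPLE_NAMES = [
    "src/main.c",                      # ordinary path, should pass
    ".git/config",                     # direct write into repository metadata
    ".GIT/hooks/post-checkout",        # case-insensitive file system
    "git~1/hooks/post-checkout",       # NTFS 8.3 short name for ".git" (CVE-2019-1349/1353)
    ".git::$INDEX_ALLOCATION/config",  # NTFS alternate data stream (CVE-2019-1352)
    ".git. /config",                   # trailing dot/space ignored by NTFS
    "a\\.git\\config",                 # backslash is a separator on Windows (CVE-2019-1354)
    "1:\\what\\the\\hex.txt",          # subst drive whose name is not a Latin letter (CVE-2019-1351)
    "../outside.txt",                  # traversal outside the work tree
]


def ntfs_base_name(component: str) -> str:
    """Name NTFS actually opens: drop any ':stream:type' suffix, then trailing dots/spaces."""
    return component.split(":", 1)[0].rstrip(". ")


def is_ntfs_dotgit(component: str) -> bool:
    """True if this single path component would address the .git directory on NTFS/FAT."""
    base = ntfs_base_name(component).lower()
    if base == ".git":
        return True
    # 8.3 short-name aliases: ".git" is normally "GIT~1", but any GIT~N may alias it.
    return re.fullmatch(r"git~[1-9][0-9]*", base) is not None


def is_unsafe_checkout_path(path: str) -> bool:
    """Reject names that could leave the work tree or touch .git when checked out on Windows."""
    components = re.split(r"[\\/]", path)  # treat both separators as Windows does
    first = components[0]
    if first == "":  # leading separator: absolute Unix-style path
        return True
    # Any "<single char>:" prefix is a drive spec once "subst" is considered, not only A-Z.
    if len(first) >= 2 and first[1] == ":":
        return True
    for comp in components:
        if comp == ".." or is_ntfs_dotgit(comp):
            return True
    return False


def scan_names(names):
    """Return the subset of names the check rejects."""
    return [n for n in names if is_unsafe_checkout_path(n)]


if __name__ == "__main__":
    for name in scan_names(SAMPLE_NAMES):
        print("rejected:", name)
```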

Windows users are advised to update Git urgently and to refrain from cloning unverified repositories until they do. If updating immediately is not possible, the following measures reduce the risk: do not run "git clone --recurse-submodules" or "git submodule update" on unchecked repositories, do not feed "git fast-import" unchecked input streams, and do not clone repositories onto NTFS-based partitions.

For added protection, the new releases also disable constructs of the form "submodule.{name}.update=!command" in .gitmodules. Distribution package updates can be tracked on the pages of Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch, OTHER, FreeBSD.

Source: opennet.ru