Vulnerability in Git for Cygwin allowing code execution

A critical vulnerability has been identified in Git (CVE-2021-29468). It manifests itself only in builds for the Cygwin environment (a library that emulates the basic Linux API on Windows, together with a set of typical Linux programs for Windows). The vulnerability allows attacker code to be executed when data is extracted ("git checkout") from a repository controlled by the attacker. The issue has been fixed in git 2.31.1-2 for Cygwin. In the main Git project, the problem has not been fixed yet (it is unlikely that anyone builds git for Cygwin on their own rather than using a ready-made package).

The vulnerability arises because the Cygwin environment is treated as a Unix-like system rather than as Windows, so no restrictions are placed on the '\' character in a path, even though in Cygwin, as in Windows, this character can be used to separate directories. As a result, a specially crafted repository containing symbolic links and files with a backslash character in their names can overwrite arbitrary files when it is loaded in Cygwin (a similar vulnerability in Git for Windows was fixed in 2019). With the ability to overwrite files, an attacker can replace git hooks and cause arbitrary code to be executed on the system.
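A defensive check for the condition described above, as an added example that is not from the original article or the Git project: it parses `git ls-tree -r -z` output and reports tracked paths containing a backslash, noting when the part before the first backslash is a symbolic link in the same tree. The function names and the sample records (with all-zero object ids) are constructed for illustration.

```python
SYMLINK_MODE = "120000"  # git tree mode for a symbolic link


def parse_ls_tree(raw: bytes):
    """Yield (mode, path) from NUL-delimited `git ls-tree -r -z` output."""
    for record in raw.split(b"\0"):
        if not record:
            continue
        # Record layout: "<mode> <type> <object>\t<path>"
        meta, _, path = record.partition(b"\t")
        mode = meta.split(b" ", 1)[0].decode("ascii")
        yield mode, path.decode("utf-8", "surrogateescape")


def audit(raw: bytes):
    """Return [(path, symlink_prefix_or_None)] for paths containing '\\'."""
    entries = list(parse_ls_tree(raw))
    symlinks = {path for mode, path in entries if mode == SYMLINK_MODE}
    findings = []
    for _mode, path in entries:
        if "\\" not in path:
            continue
        # On Cygwin the backslash can act as a directory separator, so the
        # text before it may name another tree entry, possibly a symlink.
        prefix = path.split("\\", 1)[0]
        findings.append((path, prefix if prefix in symlinks else None))
    return findings


# Constructed sample input: four records with placeholder object ids.
ZERO = b"0" * 40
SAMPLE = b"".join([
    b"100644 blob " + ZERO + b"\tREADME.md\0",
    b"120000 blob " + ZERO + b"\tdocs\0",
    b"100644 blob " + ZERO + b"\tdocs\\notes.txt\0",
    b"100644 blob " + ZERO + b"\tsrc/a\\b.c\0",
])

if __name__ == "__main__":
    for path, link in audit(SAMPLE):
        detail = f"prefix is symlink '{link}'" if link else "backslash in name"
        print(f"REVIEW {path!r}: {detail}")
```

On a real repository, feed it the stdout of `git ls-tree -r -z HEAD` run after `git clone --no-checkout`, so the tree is inspected before any file is written to the working directory.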

Source: opennet.ru
