Corrective releases of the distributed source control system Git 2.35.2, 2.30.3, 2.31.2, 2.32.1, 2.33.2 and 2.34.2 have been published, which fix two vulnerabilities:
- CVE-2022-24765 – On multi-user systems with shared directories, an attack has been identified that could lead to the execution of commands defined by another user. An attacker can create a “.git” directory in places that overlap with other users (for example, in shared directories or directories with temporary files) and place a “.git/config” configuration file in it with the configuration of handlers called when certain tasks are executed. git commands (for example, you can use the core.fsmonitor parameter to organize code execution).
The handlers defined in “.git/config” will be called with the rights of another user if that user uses git in a directory located at a level higher than the “.git” subdirectory created by the attacker. The call can also be made indirectly, for example, when using code editors that support git, such as VS Code and Atom, or when using add-ons that run “git status” (for example, Git Bash or posh-git). In Git 2.35.2, the vulnerability was blocked through changes to the logic for searching for ".git" in underlying directories (the ".git" directory is now not taken into account if it is owned by another user).
- CVE-2022-24767 is a Windows platform-specific vulnerability that allows code execution with SYSTEM privileges when running the Uninstall operation of the Git for Windows program. The problem is caused by the fact that the uninstaller runs in a temporary directory that is writable by system users. The attack is carried out by placing replacement DLLs in a temporary directory, which will be loaded when uninstaller is launched with SYSTEM rights.
Source: opennet.ru