December 13, 2019 (updated 16 Dec 2019 10:05am)

GitHub Urges “Critical” Updates After Nine Git Vulnerabilities Spotted

"If you clone untrusted repositories, there is no workaround that avoids the risk of any vulnerabilities disclosed in this post, except for updating"

By CBR Staff Writer

GitHub has urged users to make “critical” Git project code updates after nine security vulnerabilities were found in the open source version-control system.

It is “especially critical” that users of Git on Windows patch fast, GitHub said, with the flaws potentially allowing attackers to “overwrite arbitrary paths, remotely execute code, and/or overwrite files in the .git/ directory”.

The Git project was originally founded to support Linux kernel development. Git is a program that tracks changes made to files. Once installed, Git can be used to create repositories, each stored in a .git/ folder inside a project. Git vulnerabilities could in theory be used to steal sensitive commercial IP or to sabotage code.

The Git Project Vulnerabilities

Among the vulnerabilities was CVE-2019-1350, which through incorrect quoting of command-line arguments allows remote code execution during a recursive clone in conjunction with SSH URLs, the Git project’s Johannes Schindelin said.

“This is a Windows-only issue, as the vulnerable code is only compiled on Windows. The exploit we found involves a submodule having a name that ends in a backslash, and a maliciously-crafted SSH URL that exploits the bug to pass arbitrary options to `ssh.exe`, allowing remote code to be executed during a recursive clone.”


The flaws were discovered and reported by Joern Schneeweisz of GitLab and by the Microsoft Security Response Center. (Microsoft bought GitHub in June 2018 for $7.5 billion and is no doubt keeping a closer eye on Git security.)

“If you clone untrusted repositories, there is no workaround that avoids the risk of any vulnerabilities disclosed in this post, except for updating”, GitHub noted.


For admins, the full list of vulnerabilities patched is as follows:

 * CVE-2019-1348:
   The --export-marks option of git fast-import is exposed also via
   the in-stream command feature export-marks=... and it allows
   overwriting arbitrary paths.

 * CVE-2019-1349:
   When submodules are cloned recursively, under certain circumstances
   Git could be fooled into using the same Git directory twice. We now
   require the directory to be empty.

 * CVE-2019-1350:
   Incorrect quoting of command-line arguments allowed remote code
   execution during a recursive clone in conjunction with SSH URLs.

 * CVE-2019-1351:
   While the only permitted drive letters for physical drives on
   Windows are letters of the US-English alphabet, this restriction
   does not apply to virtual drives assigned via subst <letter>:
   <path>. Git mistook such paths for relative paths, allowing writing
   outside of the worktree while cloning.

 * CVE-2019-1352:
   Git was unaware of NTFS Alternate Data Streams, allowing files
   inside the .git/ directory to be overwritten during a clone.

 * CVE-2019-1353:
   When running Git in the Windows Subsystem for Linux (also known as
   "WSL") while accessing a working directory on a regular Windows
   drive, none of the NTFS protections were active.

 * CVE-2019-1354:
   Filenames on Linux/Unix can contain backslashes. On Windows,
   backslashes are directory separators. Git did not use to refuse to
   write out tracked files with such filenames.

 * CVE-2019-1387:
   Recursive clones are currently affected by a vulnerability that is
   caused by too-lax validation of submodule names, allowing very
   targeted attacks via remote code execution in recursive clones.
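As an added example (not code from the article or from the Git project), here is a defender-side audit that takes a repository's tree listing and flags the path patterns the CVEs above abused on Windows/NTFS: backslashes in filenames (CVE-2019-1354), NTFS alternate data streams (CVE-2019-1352), drive-letter paths (CVE-2019-1351) and components that NTFS would resolve to .git/. The tree listing is constructed inline, and the function names are assumptions.

```python
import re

# Constructed sample of `git ls-tree -r --name-only HEAD` output (not a real repo).
SAMPLE_TREE = [
    "src/main.c",
    "docs/README.md",
    "lib\\hook.dll",                 # backslash is a separator on Windows (CVE-2019-1354)
    "hooks/post-checkout:evil",      # NTFS alternate data stream (CVE-2019-1352)
    ".GIT/config",                   # case-insensitive collision with .git/ on NTFS
    "build/.git./hooks/pre-commit",  # NTFS strips trailing dots, so this is .git/
    "Z:/tmp/owned",                  # drive-letter path, subst-style (CVE-2019-1351)
]

# A component that NTFS maps onto ".git" once trailing dots/spaces are dropped.
DOT_GIT = re.compile(r"\.git[. ]*", re.IGNORECASE)
DRIVE_PREFIX = re.compile(r"[A-Za-z]:")


def audit_path(path):
    """Return the reasons a tracked path is unsafe to write out on Windows."""
    reasons = []
    if "\\" in path:
        reasons.append("backslash in filename")
    if path.startswith("/") or DRIVE_PREFIX.match(path):
        reasons.append("absolute or drive-relative path")
    for component in path.split("/"):
        # A leading "Z:" is already reported above; anything else with ':' is an ADS.
        if ":" in component and not DRIVE_PREFIX.fullmatch(component):
            reasons.append("NTFS alternate data stream in '%s'" % component)
        if DOT_GIT.fullmatch(component):
            reasons.append(".git directory component '%s'" % component)
    return reasons


def audit_submodule_name(name):
    """Submodule names become paths under .git/modules/, so audit them the same way."""
    reasons = audit_path(name)
    if name.endswith("\\"):
        reasons.append("submodule name ends in backslash")
    return reasons


def audit_tree(paths):
    """Map each flagged path to its reasons; an empty dict means nothing was found."""
    findings = {}
    for path in paths:
        reasons = audit_path(path)
        if reasons:
            findings[path] = reasons
    return findings
```

Run it over the listing of a bare clone before checking out on a Windows machine; as the article says, updating Git remains the only real fix.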

