Vulnerability in Git: execution of arbitrary commands

    A new critical vulnerability, CVE-2014-9390, has been discovered in Git; it allows arbitrary commands to be executed on the client.

    The essence of the vulnerability is that a commit may contain a path such as .Git/config, which on case-insensitive file systems is the same file as the repository's own .git/config. Overwriting that file makes it possible to trigger the execution of arbitrary commands on the client. In general, workstations on Windows and Mac OS X are vulnerable; Linux systems are affected when a case-insensitive file system is used.

    According to the announcement in the linux-kernel mailing list:
    Earlier we allowed commits in ".Git/config"; however, on case-insensitive file systems this would allow writing to ".git/config", which is definitely not the expected behavior of the program. From now on, Git prohibits the use of ".Git" (in any case) in the path.

    On Windows, other specific path names also resolve to .git: for example, the 8.3 short name git~1/config gives access to .git/config. The HFS+ file system can likewise resolve a name containing ignorable Unicode characters, such as .g\u200cit/config, to the same path. Such paths are now rejected by Git on potentially vulnerable systems. On other systems, such as Linux, the same checks can be enabled deliberately, for cross-platform safety and as a general hardening measure.
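The following is an added example (not Git's own code, and not from the original article) of the kind of path-component check described above, run over a constructed list of tree paths. It assumes the HFS+ ignorable code point set and the NTFS trailing dot/space rule stated in the comments, which go beyond the single U+200C case the text mentions.

```python
# Constructed example: flag tree paths whose components would collide
# with ".git" on case-insensitive NTFS or HFS+ file systems.

# Assumed: zero-width and directionality code points that HFS+ ignores
# when comparing file names (the page itself only names U+200C).
HFS_IGNORABLE = {
    "\u200c", "\u200d", "\u200e", "\u200f",
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u206a", "\u206b", "\u206c", "\u206d", "\u206e", "\u206f",
    "\ufeff",
}


def normalise_component(name: str) -> str:
    """Reduce a path component to the form the file system would compare."""
    # HFS+ drops the ignorable code points before comparing names.
    stripped = "".join(ch for ch in name if ch not in HFS_IGNORABLE)
    # Assumed: NTFS silently strips trailing dots and spaces from names.
    stripped = stripped.rstrip(". ")
    # Both file systems compare case-insensitively.
    return stripped.lower()


def is_dotgit_component(name: str) -> bool:
    """True if this component would alias the repository's .git directory."""
    norm = normalise_component(name)
    if norm == ".git":
        return True
    # NTFS 8.3 short name generated for a directory called ".git".
    return norm == "git~1"


def find_dotgit_paths(paths):
    """Return every path that has a component aliasing .git."""
    return [p for p in paths
            if any(is_dotgit_component(c) for c in p.split("/"))]


# Constructed sample tree listing: three of these alias .git/config.
SAMPLE_TREE = [
    "README.md",
    ".gitignore",
    ".Git/config",
    "sub/GIT~1/hooks/post-checkout",
    "src/.g\u200cit/config",
    "docs/git~2/notes",
]

if __name__ == "__main__":
    for path in find_dotgit_paths(SAMPLE_TREE):
        print("rejected:", path)
```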

    An existing repository can be checked for such paths with git fsck.

    Corrections have already been released:

    Interestingly, the vulnerability cannot be exploited via GitHub. Immediately after the bug was disclosed, the company's employees blocked new malicious commits and checked all existing repositories for CVE-2014-9390 payloads.
