
Vulnerability in Git: execution of arbitrary commands
A new critical vulnerability, CVE-2014-9390, has been discovered in Git. It allows arbitrary commands to be executed on the client.

The essence of the vulnerability is that a repository can contain a committed path such as .Git/config, which on case-insensitive file systems is the same file as Git's own metadata path .git/config. Overwriting that file lets the repository owner trigger execution of arbitrary commands on the client when it checks the repository out. In practice, workstations on Windows and Mac OS X are vulnerable; Linux systems are affected only when a case-insensitive file system is used.
According to the announcement in the linux-kernel mailing list:
"Earlier we allowed commits to ".Git/config"; however, on case-insensitive file systems this allows writing to ".git/config", which is definitely not the expected behavior of the program. From now on, Git prohibits the use of ".Git" (in any letter case) as a path component."
On Windows, other spellings also map to .git: for example, the 8.3 short name git~1/config resolves to .git/config. The HFS+ file system can map to the same path when the name contains Unicode characters that HFS+ ignores during comparison, such as .g\u200cit/config. Git now rejects such paths on potentially vulnerable systems. On other systems, such as Linux, the same checks can be enabled deliberately (the core.protectHFS and core.protectNTFS settings) so that a repository that is safe to use on one platform stays safe on all of them, which improves security overall.
You can check an existing repository for such paths with git fsck.
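As an added illustration (not code from the page or from the Git project), here is a Python check in the spirit of Git's new path protection that a server-side hook could apply to the paths of a pushed tree; the set of HFS+ ignorable code points and the sample paths are assumptions constructed for the example:

```python
import unicodedata

# Code points that HFS+ ignores when comparing file names (the set used here
# is an assumption for this demo; Git's core.protectHFS check strips these).
HFS_IGNORABLE = {0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF}
HFS_IGNORABLE.update(range(0x202A, 0x202F))
HFS_IGNORABLE.update(range(0x206A, 0x2070))


def is_hfs_dotgit(component: str) -> bool:
    """True if HFS+ would treat this path component as '.git'.
    HFS+ drops ignorable code points, normalises to NFD and compares
    case-insensitively, so '.g\u200cit' collides with '.git'."""
    stripped = "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE)
    folded = unicodedata.normalize("NFD", stripped).casefold()
    return folded == ".git"


def is_ntfs_dotgit(component: str) -> bool:
    """True if Windows/NTFS would resolve this component to '.git'.
    Windows compares case-insensitively, ignores trailing dots and spaces,
    and exposes the 8.3 short name 'GIT~1' for the '.git' directory."""
    name = component.casefold().rstrip(". ")
    return name in (".git", "git~1")


def is_dotgit_component(component: str) -> bool:
    # The plain case-insensitive match covers the original '.Git/config' case.
    return (component.casefold() == ".git"
            or is_hfs_dotgit(component)
            or is_ntfs_dotgit(component))


def find_protected_paths(paths):
    """Return the paths that would alias the .git directory on a
    case-insensitive, NTFS or HFS+ checkout (these should be rejected)."""
    return [p for p in paths
            if any(is_dotgit_component(c) for c in p.split("/"))]


# Constructed sample of paths as they might appear in a pushed tree.
SAMPLE_PATHS = [
    "src/main.c",
    ".Git/config",                # case collision on case-insensitive FS
    "git~1/config",               # NTFS 8.3 short name for .git
    ".g\u200cit/config",          # HFS+ ignores the zero-width non-joiner
    ".git./hooks/post-checkout",  # NTFS drops the trailing dot
    "docs/.gitignore",            # not .git itself, must stay allowed
]

if __name__ == "__main__":
    for bad in find_protected_paths(SAMPLE_PATHS):
        print("rejected:", ascii(bad))
```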
Fixes have already been released:
- GitHub for Windows and GitHub for Mac have been updated.
- The Git core team has released updates for all supported versions of Git (v1.8.5.6, v1.9.5, v2.0.5, v2.1.4 and v2.2.1).
- Git for Windows (aka MSysGit) has been updated to 1.9.5.
- The popular libgit2 and JGit libraries have also been updated.
Notably, the vulnerability cannot be exploited through GitHub: as soon as the bug was reported, the company's engineers blocked new malicious commits and scanned all existing repositories for CVE-2014-9390.