GitHub Urges "Critical" Git Project Patches, after 9 Vulnerabilities Fixed


“If you clone untrusted repositories, there is no workaround that avoids the risk of any vulnerabilities disclosed in this post, except for updating”


GitHub has urged users to make “critical” Git project code updates after nine security vulnerabilities were found in the open source version-control system.


It is “especially critical” that Git on Windows users patch fast, GitHub said, with the flaws potentially allowing attackers to “overwrite arbitrary paths, remotely execute code, and/or overwrite files in the .git/ directory”.


The Git project was originally founded to support Linux kernel development. Git is a program that tracks changes made to files. Once installed, Git can be used to create repositories, each stored as a .git/ folder inside a project. Git vulnerabilities could in theory be used to steal sensitive commercial IP or to sabotage code.


The Git Project Vulnerabilities


Among the vulnerabilities was CVE-2019-1350, which, through incorrect quoting of command-line arguments, allows remote code execution during a recursive clone in conjunction with SSH URLs, the Git project’s Johannes Schindelin said.


“This is a Windows-only issue, as the vulnerable code is only compiled on Windows. The exploit we found involves a submodule having a name that ends in a backslash, and a maliciously-crafted SSH URL that exploits the bug to pass arbitrary options to `ssh.exe`, allowing remote code to be executed during a recursive clone.”
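As an added illustration of the defensive side, not code from GitHub or the Git project: a small Python scanner that parses a repository's .gitmodules before a recursive clone and flags submodule entries whose name ends in a backslash (the pattern Schindelin describes above), plus path or url values carrying argument-quoting metacharacters, a conservative heuristic assumed here rather than stated in the post. The sample .gitmodules content is constructed.

```python
import re

# Header of a .gitmodules section, e.g. [submodule "libfoo"].
SECTION_RE = re.compile(r'^\s*\[submodule\s+"(.*)"\]\s*$')
# A key = value line inside a section.
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')
# Characters relevant to command-line argument quoting (heuristic, an assumption).
QUOTING_CHARS = ('\\', '"', ' ', '\t')

def unescape_subsection(raw):
    # git-config subsection names use backslash to quote the next character.
    return re.sub(r'\\(.)', r'\1', raw)

def parse_gitmodules(text):
    """Minimal .gitmodules parser: returns {submodule name: {key: value}}."""
    modules, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in '#;':
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(unescape_subsection(m.group(1)), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules

def find_suspicious_submodules(text):
    """Return (name, reason) pairs for entries that deserve a manual look before cloning."""
    findings = []
    for name, keys in parse_gitmodules(text).items():
        if name.endswith('\\'):
            findings.append((name, 'submodule name ends in a backslash'))
        for key in ('path', 'url'):
            if any(c in keys.get(key, '') for c in QUOTING_CHARS):
                findings.append((name, f'{key} contains quoting metacharacters'))
    return findings

# Constructed sample: one ordinary entry and one whose name ends in a backslash
# (written as \\ because git-config escapes backslashes inside subsection names).
SAMPLE_GITMODULES = '''[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = git@example.invalid:org/libfoo.git
[submodule "evil\\\\"]
\tpath = vendor/evil
\turl = ssh://git@example.invalid/org/evil.git
'''
```

Such a screen only helps triage; as GitHub notes, updating Git is the only fix when cloning untrusted repositories.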

