Two Git vulnerabilities affecting local clones and git shell
interactive mode in version 2.38 and older have been recently patched.
Classified as a high severity vulnerability, the git shell
vulnerability may allow an attacker to gain remote code execution by triggering a bug in the function that splits command arguments into an array. Since this function returns an int
to represent the number of entries, the attacker can easily overflow it. This value is then used as the index count for the argv
array passed into execv()
, leading to arbitrary heap writes. This vulnerability can only be exploited when git shell
is enabled a login shell.
To fix this vulnerability:
git shell
is taught to refuse interactive commands that are longer than 4MiB in size.split_cmdline()
is hardened to reject inputs larger than 2GiB.
The second, medium-severity vulnerability exploits symbolic links when doing a local clone to expose sensitive information to an attacker. A local clone is a clone operation where both the source and the target reside on the same volume.
Git copies the contents of the source's
$GIT_DIR/objects
directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via--no-hardlinks
). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine.
This vulnerability can also be triggered when copying a malicious repository embedded via a submodule from any source when using the --recurse-submodules
option.
To fix to this vulnerability, Git will no longer dereference symbolic links and will refuse to clone repositories having symbolic links in the $GIT_DIR/objects
directory.
Both vulnerabilities have been patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4. If upgrading is not an option, there are workarounds that can help in the short-term.
The local clone vulnerability can be avoided by disabling cloning untrusted repositories using the --local
flag. Alternatively, you can explicit pass the no-local
flag to git clone
. Additionally, you should not clone untrusted repositories with the --recurse-submodules
.
The git shell
vulnerability can be avoided by disabling access via remote logins altogether or just disabling interactive mode by removing the git-shell-commands
directory.