Git security vulnerability announced
Upgrade your local installation of Git, especially if you are using Git for Windows, or you use Git on a multi-user machine.
Today, the Git project released new versions which address a pair of security vulnerabilities.
GitHub is unaffected by these vulnerabilities1. However, you should be aware of them and upgrade your local installation of Git, especially if you are using Git for Windows, or you use Git on a multi-user machine.
CVE-2022-24765
This vulnerability affects users working on multi-user machines where a malicious actor could create a .git
directory in a shared location above a victim’s current working directory. On Windows, for example, an attacker could create C:\.git\config
, which would cause all git
invocations that occur outside of a repository to read its configured values.
Since some configuration variables (such as core.fsmonitor
) cause Git to execute arbitrary commands, this can lead to arbitrary command
execution when working on a shared machine.
The most effective way to protect against this vulnerability is to upgrade to Git v2.35.2. This version changes Git’s behavior when looking for a top-level .git
directory to stop when its directory traversal changes ownership from the current user. (If you wish to make an exception to this behavior, you can use the new multi-valued safe.directory
configuration).
If you can’t upgrade immediately, the most effective ways to reduce your risk are the following:
- Define the
GIT_CEILING_DIRECTORIES
environment variable to contain the parent directory of your user profile (i.e.,/Users
on macOS,
/home
on Linux, andC:\Users
on Windows). - Avoid running Git on multi-user machines when your current working directory is not within a trusted repository.
Note that many tools (such as the Git for Windows installation of Git Bash, posh-git, and Visual Studio) run Git commands under the hood. If you are on a multi-user machine, avoid using these tools until you have upgraded to the latest release.
Credit for finding this vulnerability goes to 俞晨东.
[source]
CVE-2022-24767
This vulnerability affects the Git for Windows uninstaller, which runs in the user’s temporary directory. Because the SYSTEM
user account inherits the
default permissions of C:\Windows\Temp
(which is world-writable), any authenticated user can place malicious .dll
files which are loaded when
running the Git for Windows uninstaller when run via the SYSTEM
account.
The most effective way to protect against this vulnerability is to upgrade to Git for Windows v2.35.2. If you can’t upgrade
immediately, reduce your risk with the following:
- Avoid running the uninstaller until after upgrading
- Override the
SYSTEM
user’sTMP
environment variable to a directory which can only be written to by theSYSTEM
user - Remove unknown
.dll
files fromC:\Windows\Temp
before running the
uninstaller - Run the uninstaller under an administrator account rather than as the
SYSTEM
user
Credit for finding this vulnerability goes to the Lockheed Martin Red Team.
[source]
Download Git 2.35.2
-
GitHub does not run
git
outside of known repositories, so is not susceptible to the attack described byCVE-2022-24765
. Likewise, GitHub does not use Git for Windows, and so is unaffected byCVE-2022-24767
entirely. ↩
Tags:
Written by
Related posts
Game Off 2024 theme announcement
GitHub’s annual month-long game jam, where creativity knows no limits! Throughout November, dive into your favorite game engines, libraries, and programming languages to bring your wildest game ideas to life. Whether you’re a seasoned dev or just getting started, it’s all about having fun and making something awesome!
Highlights from Git 2.47
Git 2.47 is here, with features like incremental multi-pack indexes and more. Check out our coverage of some of the highlights here.
Leading the way: 10 projects in the Open Source Zone at GitHub Universe 2024
Let’s take a closer look at some of the stars of the Open Source Zone at GitHub Universe 2024 🔎