Git security vulnerabilities announced
Git users are encouraged to upgrade to the latest version, especially if they use `git apply` or `git clone` against untrusted patches or repositories.
Today, the Git project released new versions to address a pair of security vulnerabilities, (CVE-2023-22490 and CVE-2023-23946) that affect versions 2.39.1 and older. These affect Git’s local clone optimization, as well as git apply
, respectively.
CVE-2023-22490
When cloning a repository, Git selects and uses a transport mechanism appropriate for the URL scheme of your clone. When cloning a local repository, however, Git instead uses a separate local clone optimization copying files directly from the source to destination.
A specially-crafted repository can trick Git into using its local clone optimization when using a non-local transport. Git will abort clones from repositories whose $GIT_DIR/objects
directory contains a symbolic link. However, the top-level $GIT_DIR/objects
directory may itself be a symbolic link.
These two may be combined to include arbitrary files based on known paths from a victim’s filesystem into the clone’s working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.
[source]
CVE-2023-23946
Git allows for applying arbitrary patches to your repository’s history with git apply
. In order to prevent malicious patches from creating files outside of the working copy, git apply
rejects patches which attempt to write a file beyond a symbolic link.
However, this mechanism can be tricked when the malicious patch creates that symbolic link in the first place. This can be leveraged to write arbitrary files on a victim’s filesystem when applying malicious patches from untrusted sources.
[source]
Upgrade to the latest Git version
The most effective way to protect against these vulnerabilities is to upgrade to Git 2.39.2. If you can’t update immediately, reduce your risk by taking the following steps:
- Avoid running
git clone
with--recurse-submodules
against untrusted repositories. - Avoid running
git apply
/git am
on input from untrusted sources.
If submodules are required by your workflow, you can clone each layer of submodules iteratively after inspecting each .gitmodules
file to ensure that it does not contain suspicious module URLs.
If you are unsure about whether or not it is safe to apply a patch, you can inspect its contents with git apply --stat
. Avoid applying patches that create a symbolic link and a file beyond that link.
In order to protect users against these attacks, GitHub has taken proactive steps. Specifically, we:
- Implemented mitigation steps to prevent GitHub.com from being used as an attack vector in CVE-2023-22490 and CVE-2023-23946.
- Scheduled a GitHub Desktop release for later today, February 14, that prevents the exploitation of this vulnerability.
- Scheduled updates to GitHub Codespaces and GitHub Actions to upgrade their versions of Git.
- Scheduled updates to GitHub Enterprise Server with patched versions of Git.
Credit for CVE-2023-22490 goes to yvvdwf, and credit for CVE-2023-23946 goes to Joern Schneeweisz of GitLab. Fixes were contributed by Taylor Blau of GitHub and Patrick Steinhardt of GitLab, respectively, with additional feedback and review from members of the git-security list.
Tags:
Written by
Related posts
What the EU’s new software legislation means for developers
The EU Cyber Resilience Act will introduce new cybersecurity requirements for software released in the EU. Learn what it means for your open source projects and what GitHub is doing to ensure the law will be a net win for open source maintainers.
Game Off 2024 theme announcement
GitHub’s annual month-long game jam, where creativity knows no limits! Throughout November, dive into your favorite game engines, libraries, and programming languages to bring your wildest game ideas to life. Whether you’re a seasoned dev or just getting started, it’s all about having fun and making something awesome!
Highlights from Git 2.47
Git 2.47 is here, with features like incremental multi-pack indexes and more. Check out our coverage of some of the highlights here.