Multiple Git vulnerabilities in 2.24 and older

Today, the Git project released a series of security patches to address multiple security vulnerabilities in versions 2.24 and older.

These updates are highly recommended for all Git users, but they’re especially critical if you use Git on Windows^[1]. If you clone untrusted repositories, there is no workaround that avoids the risk of any vulnerabilities disclosed in this post, except for updating.

If you use Git on another operating system, this update is still highly recommended. However, if you can’t update immediately, here are some things you can do to reduce your risk:

• Avoid running git clone --recurse-submodules and git submodule update with untrusted repositories.
• Avoid running git fast-import on untrusted input streams. It’s still safe to use remote helpers that use git fast-import on the backend (such as git-remote-hg, git-p4).
• Avoid cloning untrusted repositories into NTFS mounts on any platform.

The new releases contain partial support for rejecting pushes that exploit these vulnerabilities, but some cases remain uncovered. It’s important to update, and not rely on hosting providers to block all exploits.

If you use GitHub Enterprise Server, these fixes will be included in the next patch release for all supported versions.

^[1]: CVEs CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, and, CVE-2019-1354 are Windows-specific vulnerabilities that can lead to remote code execution when cloning an untrusted repository. They’re patched only in today’s security releases. CVE-2019-1352 can affect non-Windows users, but only if you mount an NTFS volume.

Download Git 2.24.1

Written by

Taylor Blau

@ttaylorr

Taylor Blau is a Principal Software Engineer at GitHub where he works on Git.