Malicious projects could execute arbitrary script through specially crafted files

UPDATED Git 2.17.12 and Git for Windows 2.17.1 (2) were rolled out yesterday, complete with fixes to a critical vulnerability that could lead to remote code execution (RCE) when a user operates in a malicious repository.

The maintenance releases come after researcher Etienne Stalmans flagged a bug in submodule resolution that could cause git clone --recursive to execute arbitrary commands.

Explanatory patch notes from Git maintainer Junio Hamano read: “Submodule ‘names’ come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths.

“This means you can do bad things by putting "../" into the name. We now enforce some rules for submodule names which will cause Git to ignore these malicious names.”

The RCE vulnerability has been assigned CVE-2018-11235.

In a blog post yesterday, Edward Thomson, program manager at Microsoft, said: “The Visual Studio Team Services (VSTS) team takes security issues very seriously, and we encourage all users to update their Git clients as soon as possible to fix this vulnerability.

“To further protect you, our team has blocked these types of malicious repositories from being pushed to VSTS. This will ensure that we cannot be used as a vector for transmitting maliciously crafted repositories to users who have not yet patched their clients for this vulnerability.”

A separate post on Thomson’s personal blog includes Git update instructions for Windows, macOS, and Linux (Debian and Ubuntu) users.

Repo managers

Responding to a request for comment from The Daily Swig, a GitHub spokesperson said: “The security vulnerability in Git was reported to us through our bug bounty program.

“We immediately took measures to patch the vulnerability and blocked malicious content received.

“We’ve also taken measures to protect users that continue to use outdated clients, however, we continue to urge all users to update to the latest version of Git.”

The GitLab repository manager has addressed the issue with new security updates. The Daily Swig has reached out to Bitbucket for comment.

Stalmans – who was credited with a $20,000 reward on GitHub’s HackerOne page last month – said he will publish more details surrounding the vulnerability next week.

This article has been updated to include comments from GitHub.