
A security vulnerability in Git that can lead to arbitrary code execution

402 points, by martinwoodward, almost 7 years ago

18 comments

peff, almost 7 years ago
A few important points that aren't mentioned in the post:

- you have to tell git to use submodules for this to trigger (so `clone --recurse-submodules` or a manual `git submodule update --init`)

- credit for discovery goes to Etienne Stalmans, who reported it to GitHub's bug bounty program

- most major hosters should prevent malicious repositories from being pushed up. This is actually where most of the work went. The fix itself was pretty trivial, but detection during push required a lot of refactoring. And involved many projects: I wrote the patches for Git itself, but others worked on libgit2, JGit, and VSTS.
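A defender-side check for the trigger peff describes, added here as an example and not code from the thread, from Git or from GitHub: a normal clone never carries hooks, so after a recursive clone any executable hook sitting in the main gitdir or in a submodule gitdir under .git/modules deserves a look before you build. The fixture paths are constructed.

```python
"""Audit a fresh clone for hooks Git would actually run (added example,
not Git's or GitHub's code). A clone never copies .git/hooks, only the
*.sample templates, so an executable non-sample hook found after
`clone --recurse-submodules` was written by something other than the
transfer itself. Paths and the fixture below are constructed."""
import os
import stat
import tempfile
from pathlib import Path

# Client-side hook names Git consults around clone/checkout/commit.
CLIENT_HOOKS = {"post-checkout", "post-merge", "pre-commit", "post-commit",
                "pre-push", "pre-rebase", "post-rewrite", "commit-msg",
                "prepare-commit-msg", "pre-auto-gc"}

def hook_dirs(repo_root: Path):
    """Yield every hooks/ directory for this checkout: the top-level
    gitdir plus each submodule gitdir nested under .git/modules."""
    gitdir = repo_root / ".git"
    yield gitdir / "hooks"
    for dirpath, dirnames, _ in os.walk(gitdir / "modules"):
        if "hooks" in dirnames:
            yield Path(dirpath) / "hooks"

def find_active_hooks(repo_root) -> list[str]:
    """Return repo-relative paths of executable hooks Git would run.
    Caveat: a custom init.templateDir can also place real hooks here,
    so a hit is something to inspect, not proof of compromise."""
    root = Path(repo_root)
    found = []
    for hooks in hook_dirs(root):
        if not hooks.is_dir():
            continue
        for entry in sorted(hooks.iterdir()):
            runnable = entry.is_file() and entry.stat().st_mode & stat.S_IXUSR
            if entry.name in CLIENT_HOOKS and runnable:
                found.append(entry.relative_to(root).as_posix())
    return found

def build_fixture(plant_hook: bool = True) -> str:
    """Constructed clone layout: sample-only top-level hooks and,
    optionally, a planted post-checkout hook in a submodule gitdir."""
    root = Path(tempfile.mkdtemp())
    (root / ".git" / "hooks").mkdir(parents=True)
    (root / ".git" / "hooks" / "pre-commit.sample").write_text("#!/bin/sh\n")
    sub_hooks = root / ".git" / "modules" / "lib" / "hooks"
    sub_hooks.mkdir(parents=True)
    if plant_hook:
        planted = sub_hooks / "post-checkout"
        planted.write_text("#!/bin/sh\necho planted\n")
        planted.chmod(0o755)
    return str(root)
```

Run `find_active_hooks(".")` from the top of a checkout; an empty list is the expected result for a clean clone.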
gitlab-security, almost 7 years ago
The monthly security release for GitLab was today, and this release was coordinated with the Git security release. https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/

In addition to our recently implemented monthly non-critical security release process (we already had a critical release process before), we are making a number of changes in how we secure GitLab.com, which includes expanding our HackerOne program this year to be a public bounty program. As always, we appreciate the contributions of security researchers.
runesoerensen, almost 7 years ago
The initial Git for Windows 2.17.1 releases published on GitHub earlier today [0] apparently didn't include the patch. So just a heads up if you updated right after this was published: you probably want to make sure you have the fixed version (2.17.1.windows.2) [1].

Not sure why the erroneous releases haven't been removed? Seems a bit confusing.

[0] https://github.com/git-for-windows/git/releases/tag/v2.17.1.windows.1

[1] https://github.com/git-for-windows/git/releases/tag/v2.17.1.windows.2
0942v8653, almost 7 years ago
Perhaps it would be best if sensitive options such as the post-checkout hook could only be stored outside of the repository altogether. Given this vulnerability and the semi-recent .GiT/config vulnerability [0], I would not be surprised if other attack vectors are lurking under the surface.

Storing config data outside the repo would not be a foolproof solution, but it would probably make things a little safer. (Having the <repo_root>/.git folder has always felt a little bit "in-band" to me, and I don't like it.)

[0]: https://news.ycombinator.com/item?id=8769667
Foxboron, almost 7 years ago
The correct CVE numbers are CVE-2018-11233 and CVE-2018-11235. The Microsoft blog mentions 11234, but that's not the git vulnerability.
colemannugent, almost 7 years ago
Another reason to train yourself to always think before you execute code you found on a site.

Too many of us are so used to `git clone`'ing a repo and building the software with `make` or its descendants that we overlook the security considerations.
QuinnWilton, almost 7 years ago
Over the past few years there have been a few vulnerabilities in Git that result from an attacker injecting hooks into a repo. I wonder whether it'd be possible / worthwhile to disable hooks by default, and only enable them on a per-repo basis.

Of course, then the goal just becomes attacking that whitelist, and all the complexity that comes with that. Security is hard.
jancsika, almost 7 years ago
After reading the responses to my previous question, I'd like to know if there's a global way to turn off post-checkout hooks.

None of the use-cases I read are convincing enough to allow `git clone` to do anything but what its short man description says.

I'm not even thinking about security, just basic separation of concerns. If `git clone` leaves a script-hooked repo in an unusable state for building, I want to know up front so I can complain to the maintainer and get that problem fixed.
jancsika, almost 7 years ago
What's a (common) example use case for a post-checkout hook?
jokoon, almost 7 years ago
I'm sure there are security experts out there who managed to create tools that scan source code to find eventual security vulnerabilities.

Although I'm not sure those tools could 'find' and build a vuln, there could be ways to analyze an algorithm and detect that it can do dangerous things it's not supposed to do. A little like static analysis works.

I'm sure those tools are already built by the NSA at least, so they just have to peek into github repos, point out what code is vulnerable, give it to some developer to make an exploit. Done.

That way the NSA would clearly win the cyber arms race, and those pairs of eyes Torvalds was being quoted for would surely be obsoleted.
amaccuish, almost 7 years ago
Cached since I can't load the page: https://webcache.googleusercontent.com/search?q=cache:CO48Rd83tw0J:https://blogs.msdn.microsoft.com/devops/2018/05/29/announcing-the-may-2018-git-security-vulnerability/+&cd=1&hl=en&ct=clnk&gl=uk
raesene9, almost 7 years ago
So to an extent, this is bad: you can be compromised by a malicious git repo. However, given that most people already trust code cloned from git (or acquired from similarly untrusted sources like npm, rubygems, maven central etc.), it may not change the equation that much.

If you run code without trusting the author, you're likely going to have a bad time.
lvangool, almost 7 years ago
Hmm - the "official" git PPA isn't updated yet: https://launchpad.net/~git-core/+archive/ubuntu/ppa. Wonder if this is due to dependencies or oversight?
testplzignore, almost 7 years ago
Am I the only one who didn't even know git submodules and recursive clones were a thing?
elfchief, almost 7 years ago
What the link doesn't mention, that I can see, is what the first version affected was. Does this bug go back to the introduction of submodules in git?
empath75, almost 7 years ago
Page is down -- anyone have a mirror?
Froyoh, almost 7 years ago
It's probably not worth upgrading anyways.
chris_wot, almost 7 years ago
What I really love about this is that they give details of the vulnerability. They never do this in any Microsoft security advisories.

Guess when it's not your direct product this is OK.