Git security vulnerability announced

All: the originally submitted URL was <a href="https:&#x2F;&#x2F;github.com&#x2F;git&#x2F;git&#x2F;commit&#x2F;8959555cee7ec045958f9b6dd62e541affb7e7d9" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;git&#x2F;git&#x2F;commit&#x2F;8959555cee7ec045958f9b6dd6...</a>. Readers are divided about which link is better, which probably means you should read both to understand the thread.

<i>&gt; Run the uninstaller under an administrator account rather than as the SYSTEM user</i><p>How do I run something as SYSTEM? I thought I always ran as &quot;me&quot; or Administrator. Is this only likely to happen for deployment automation tools?<p><i>&gt; Avoid running the uninstaller until after upgrading</i><p>Don&#x27;t leave us with this cliff-hanger... Does the upgrade installer run the uninstaller first? (The original report doesn&#x27;t have this bullet point.)

The Windows-specific &#x27;vulnerability&#x27; is weird. For one, it&#x27;s part of the <i>uninstaller</i>, which isn&#x27;t a common scenario, and secondly... C:\Windows\Temp isn&#x27;t even writable by unprivileged users by default, it&#x27;s not even <i>readable</i> by unprivileged users by default (on my relatively fresh Windows 11 system, at least).

&gt; Merely navigating to such a space with a Git-enabled `PS1` when there is a maliciously-crafted `&#x2F;scratch&#x2F;.git&#x2F;` can lead to a compromised account.<p>I&#x27;m curious about this -- what&#x27;s the attack vector here?

This is bullshit. I mean, ok, you are concerned about somebody using git-enabled PS1. Guess what, not everyone is using git-enabled PS1. Unbelievable, right? I would even mock the fact that you are trying to protect users from the behavior they pretty much explicitly allowed, but this is pointless. Truth is, developers are doing something that can fuck up their system daily. Let&#x27;s forget about wget | bash and copying completely untrusted git repositories (and it&#x27;s pretty much guaranteed that everybody using git-enabled PS1 won&#x27;t shy away from that). Just using composer or npm is enough to compromise your system. &quot;Fixing&quot; this is like introducing DRM: you cannot do arbitrary unsafe stuff without doing arbitrary unsafe stuff. And there simply are people out there, who want to do arbitrary unsafe stuff.<p>But ok, let&#x27;s not take it as an excuse. How about fixing git, then? I mean, actually fixing: making it possible to disable hooks &amp; core.fsmonitor &amp; whatever else they fucked up? No, right, let&#x27;s just disable git instead.<p>And if I&#x27;m reading this correctly, I&#x27;m not even allowed to say &quot;I don&#x27;t care&quot; — I must explicitly mark every shared directory as trusted (I mean, safe.directory = &#x27;&#x2F;&#x27; won&#x27;t work unless &#x2F; is actually a git directory, right?).<p>I guess I just shouldn&#x27;t update git until this &quot;fix&quot; is fixed. Or until git is forked.

is_path_owned_by_current_uid(const char *path) isn&#x27;t symlink safe given a multi-component path.<p>Symlinks, the poisonous gift that keeps on giving.

Well, depending on exactly how much this blocks, this could get pretty awkward -- typing &#x27;git log&#x27; in a repo owned by someone else can be awfully handy, even if file system permissions block changing it at all, and putting together a list of all places you might want to do this in advance could get pretty awkward. (Not running hooks, or allowing operations that would trigger them, from non-owned directories would preserve some of this usage, and still at least mitigate the dangerous cases somewhat.)<p>It&#x27;s also not entirely clear to me what this does to site-wide shared remotes, though I suppose if they can be listed in system config, it&#x27;s at least not a <i>per-user</i> hassle.

Question for Mac users. Apple installs git with its command line tools and is currently at version 2.32. Is it wise to install git via Homebrew so that you can upgrade faster? Or are there some benefits from apple-git?

Did the link get changed? I can&#x27;t find anything of what anyone is talking about in this github.blog post.

If you can create a .git directory above a victim&#x27;s home directory, then you&#x27;re root.<p>Or else, if you&#x27;re not root, you&#x27;re in messed up system. Whoever is root should go read some 40-year-old book on Unix about how it&#x27;s supposed to be laid out.<p>This is not a genuine <i>security</i> vulnerability; though of course, it&#x27;s good to fix it.<p>Here is how I would fix it. Forget about permissions and ownership entirely. There is a weaker, more powerful condition we can check. Ready?<p><i>Git should terminate if it is executed from a subdirectory of a git repo that contains no tracked files according to the first .git&#x2F; directory that it finds while ascending the file system.</i><p>If you&#x27;re in a directory that contains no files that are tracked by the closest .git&#x2F; that can be found by walking up the stairs, then that directory has no relationship to that repo. Git should diagnose that and bail out. (It could allow files in that directory to be added to the index, but only with -f option to force it.)<p>If git finds a .git&#x2F; dir, and that repo&#x27;s index shows that at least one item in, or below, your working directory is in that repo&#x27;s index, it should go ahead and work with it, regardless of ownership.

I shouldn’t ask too much of an open source project, etc. etc., but this sounds like something Git should fix themselves rather than just outright disabling. “I want to go into a directory and run git log” is kind of a simple thing to want to do and to not be able to do that sucks. It’s easy to pontificate on this forum but having a “safe” git that doesn’t automatically run hooks or whatever seems like the way forward here, and useful outside of even just a “I want my PS1 to work”.

What is a scenario where you’d be running git in the subdirectory of one owned by a malicious user? Unless a machine is badly configured and administrated, when would one user ever have authority of ownership over &#x2F;home or &#x2F;opt or &#x2F;? And if they have sudo privileges well then they have the authority to do whatever they want. Is this only an issue because of some Windows idiom? I’m somewhat dubious.

Here is a quick fix to prevent system-wide exploits, salt to taste:<p><pre><code> $ grep GIT_CEILING_DIRECTORIES ~&#x2F;.bashrc export GIT_CEILING_DIRECTORIES=$HOME:&#x2F;var&#x2F;www </code></pre> But malicious Git repos could still affect your user profile. You can harden that by putting all git repos in a sandbox, e.g.:<p><pre><code> export GIT_CEILING_DIRECTORIES=$HOME&#x2F;sandbox</code></pre>

This &quot;fix&quot; breaks deployments where files are checked out as the root user and then chowned to an app-specific user. Any subsequent action as the root user will fail.<p>It seems they forgot to provide an exception for the root user or a way to disable this &quot;feature&quot; on a global level, instead of per-directory.

&gt;This vulnerability affects users working on multi-user machines where a malicious actor could create a .git directory in a shared location above a victim’s current working directory<p>If a malicious actor has access to the filesystem, isn&#x27;t it a bigger problem? I remember Raymond Chen recounted in his blog that Microsoft usually dismisses vulnerability reports that start with &quot;to use the exploit, you must have access to the machine&quot;. As he likes to say, &quot;the gates are already open&quot;. If you already have access to the machine and can create files outside of your home directory, what stops you from causing even greater havoc?

Will Ubuntu update to v2.35.2? My current install is using the elder v2.25.1:<p><pre><code> ubuntu@vpn1:$ git --version git version 2.25.1 ubuntu@vpn1:$ cat &#x2F;etc&#x2F;os-release NAME=&quot;Ubuntu&quot; VERSION=&quot;20.04.4 LTS (Focal Fossa)&quot; ID=ubuntu ID_LIKE=debian PRETTY_NAME=&quot;Ubuntu 20.04.4 LTS&quot; VERSION_ID=&quot;20.04&quot; HOME_URL=&quot;https:&#x2F;&#x2F;www.ubuntu.com&#x2F;&quot; SUPPORT_URL=&quot;https:&#x2F;&#x2F;help.ubuntu.com&#x2F;&quot; BUG_REPORT_URL=&quot;https:&#x2F;&#x2F;bugs.launchpad.net&#x2F;ubuntu&#x2F;&quot; PRIVACY_POLICY_URL=&quot;https:&#x2F;&#x2F;www.ubuntu.com&#x2F;legal&#x2F;terms-and-policies&#x2F;privacy-policy&quot; VERSION_CODENAME=focal UBUNTU_CODENAME=focal</code></pre>

Was this change discussed publicly prior to merge?<p>I think this is a big mistake. Build environments use separate users for security purposes. It&#x27;s insane to decrease security for everyone by requiring a single user to do everything because some of your users want to have fancy terminal prompts.<p>At the very least, let users configure this at a per-user level.

Shouldn&#x27;t `safe_directory_cb` be checking the key parameter? It&#x27;s ignoring it completely. So any unrelated config that has a directory in its value will also mark it as safe. Unless I&#x27;m misunderstanding something?

The more I think about it, the more I think this is the right call. The only alternative would be something like falling back to running with no hooks and printing a warning to stderr indicating that there are disabled hooks. Actions that modify that repository should also be disabled in that case. Then there should be a command like &#x27;git hooks trust&#x27; that adds the directory to the user&#x27;s list of trusted folders.

And .... there go probably tens of thousands of person-hours of human effort due to fixing this across huge numbers of systems.<p>It&#x27;s fascinating to me that we have people out there just casually making these kind of decisions with enormous cost implications with barely any thought to the downstream implications. Then meanwhile, we need approval in our org to claim a $30 taxi voucher as an expense.

Related: <a href="https:&#x2F;&#x2F;blog.sonarsource.com&#x2F;securing-developer-tools-git-integrations&#x2F;" rel="nofollow">https:&#x2F;&#x2F;blog.sonarsource.com&#x2F;securing-developer-tools-git-in...</a> (&quot;Securing Developer Tools: Git Integrations&quot;)

Ah, so this is why my simple github release action randomly stopped working today... awesome

There&#x27;s something super jarring about the format of this blog post. I think my brain has been trained to glaze over whenever it runs into corporate abstract art at the top of a page.

Interestingly if you&#x27;re on Windows, then Chocolatey is the better package manager to use.<p>Microsoft&#x27;s own package manager Winget only has v2.34.1 right now.<p>Chocolatey <a href="https:&#x2F;&#x2F;community.chocolatey.org&#x2F;packages&#x2F;git#versionhistory" rel="nofollow">https:&#x2F;&#x2F;community.chocolatey.org&#x2F;packages&#x2F;git#versionhistory</a><p>Winget <a href="https:&#x2F;&#x2F;winget.run&#x2F;pkg&#x2F;Git&#x2F;Git" rel="nofollow">https:&#x2F;&#x2F;winget.run&#x2F;pkg&#x2F;Git&#x2F;Git</a>

When people ask me why I don&#x27;t have a &quot;git-aware&quot; PS1, I shall point them to this CVE in the future.

Doesn’t homebrew typically get setup as a different user? How’s that going to work?

This feels like a thing that should be introduced default-off, allowing users to opt in to it first, and once it&#x27;s been in place update the default, rather than break things suddenly when updating without being able to share a git config between systems which don&#x27;t upgrade simultaneously.

I feel like this doesn&#x27;t have much to do with Git specifically. Seems to me like PS1 needs to avoid accessing files that aren&#x27;t owned by the current user. Easier said than done though...

Awesome thanks for that !

Don’t make tools use processes for “plug-in behavior”. Do one thing and do it well doesn’t really appeal to me to begin with but “let the first thing do the next thing on its own” is definitely a bastardization of that idea as well. Git has that Unix disease where the go to method of getting anything user configurable done with one program is launching <i>another program</i>. I’d much rather use tools that use huge convoluted script languages or good plug-in apis than tools that duct tape together with exit codes.

Deep inside some large enterprise company:<p>Jr Engineer: &quot;Hey, I know we&#x27;ve always managed our little dotnet application via email and shared-network-drive, but I&#x27;ve been reading about a thing called &quot;git&quot; that we should probably use.&quot;<p>Sr Engineer: &quot;Change is scary and bad, also we are not a software company. We&#x27;re not going to learn some newfangled whatsit. Just email me the .vba files when you want me to review the changes with the one copy of visual studio 2008 that our team has access to.&quot;<p>Jr Engineer: &quot;C&#x27;mon, give it a chance! We can leave everything the way its always been, but have better tracking of changes. Remember that time Bruno hard coded the tool to point to the C: drive? Git would let us just undo that, instead of having to search our emails for the last-most-recent version.&quot;<p>Sr Engineer: &quot;Ok fine, I&#x27;ve got 10 minutes, show me.&quot;<p>Jr Engineer: &quot;Ahh! Well I just got it installed, so let me go to the network drive... and then I think I have to git init our project folder... huh? Let me just... Maybe if I...&quot;<p>Sr Engineer: &quot;Times up! Looks like this &quot;git&quot; thing isn&#x27;t compatible with our setup after all. Those modern dev types never make anything that works in a real enterprise environment.&quot;

It mildly bugs me that things like this are reported as &quot;Git Security Vuln&quot;.<p>CVE-12345: insecure use of consumer grade operating system in multi-user role when expecting any form of real isolation<p>CVE-12346: faulty system administration techniques, including running anything as SYSTEM, can cause things to run with elevated privileges<p>CVE-12347: failure to secure root (C:) and important system directories can allow malicious actors to access them. This can be exploited to trick other parts of the system into doing ... things.<p>I don&#x27;t mind patching git <i>for windows</i> to workaround these things, but sheesh, the root cause of both of these is people using Windows incorrectly&#x2F;insecurely.

This is silly. Fix PS1, I can’t trust all repos I clone. I also want to cross-user access git log&#x2F;blame etc.

This feels really pointless. If I can create &#x2F;.git, I have root already. Any other parent-directory-escalation that I can think of would be so obscure as to be not worth caring about, and would also probably require having access to an already-higher-privilege account.<p>And of course the unspoken: almost nobody uses git on multi user systems, and when they do, most of the time every single user already has sudo.

This certainly came as a surprise to my team today.<p>We operate some number of repositories and the majority of them use <a href="https:&#x2F;&#x2F;github.com&#x2F;actions-ecosystem&#x2F;action-get-latest-tag" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;actions-ecosystem&#x2F;action-get-latest-tag</a> - or more specifically, a fork of that repo which more or less works the same way.<p>Midday today our CI&#x2F;CD started failing. We must have hit this so soon because the `apk add git` in that Dockerfile grabbed the new git version. Evidently the SID that ultimately executed the git command inside the included actions&#x27; dockerfile was not the same as the one that owned `&#x2F;github&#x2F;workspace` on the runner.<p>We were able to patch around using the new `safe.directory` option, but I&#x27;m curious to see if there&#x27;s more fallout since CI&#x2F;CD environments in particular create this sort of shared repository.

Fuck. Now the security guys are going to break all my shit.

Just run your git checkouts in a container and then link the volume to other containers! &#x2F;s