
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN149
_____________________________________________________________________

DATE                : 10/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Git versions prior to 2.30.2,
                     2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4,
                     2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5,
                     2.17.6.

=====================================================================
https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm
_____________________________________________________________________


Malicious repositories can execute remote code while cloning

Severity: high


dscho published GHSA-8prw-h3cq-mghm Mar 9, 2021

Package              Git
Affected versions    >= 2.14.2, <= 2.30.1
Patched versions     2.30.2, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5,
                     2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6,
                     2.18.5, 2.17.6


Description

Impact

A specially crafted repository that contains symbolic links as well as
files using a clean/smudge filter such as Git LFS may cause a
just-checked-out script to be executed while cloning onto a
case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the
default file systems on Windows and macOS).

Note that clean/smudge filters have to be configured for this to work. Git
for Windows configures Git LFS by default and is therefore vulnerable.


Patches

The problem has been patched in the versions published on Tuesday, March
9th, 2021.


Workarounds

If symbolic link support is disabled in Git (e.g. via `git config
--global core.symlinks false`), the described attack won't work.

Likewise, if no clean/smudge filters such as Git LFS are configured
globally (i.e. before cloning), the attack is foiled.

As always, it is best to avoid cloning repositories from untrusted
sources.
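The affected-version table and the two workaround preconditions above, turned into a local exposure check. This is an added example, not code from the CERT-Renater or GitHub advisory; the helper names are this example's own, and the live section at the end assumes `git` is on PATH.

```shell
#!/bin/sh
# Added exposure check for GHSA-8prw-h3cq-mghm (not the advisory's own code).
# Lowest fixed release on each maintained branch, copied from the advisory.
PATCHED_VERSIONS="2.30.2 2.29.3 2.28.1 2.27.1 2.26.3 2.25.5 2.24.4
2.23.4 2.22.5 2.21.4 2.20.5 2.19.6 2.18.5 2.17.6"

# git_status VERSION -> prints "affected" or "not-affected".
# Accepts "2.30.2", "2.30.2.windows.1", "2.30.0-rc1" and similar.
git_status() {
    v="$1"; major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0       # "2.30" means patch level 0
    patch=${patch%%[!0-9]*}; patch=${patch:-0}   # drop ".windows.1", "-rc1"
    # Below 2.14.2 is outside the affected range the advisory states.
    if [ "$major" -ne 2 ] || [ "$minor" -lt 14 ] ||
       { [ "$minor" -eq 14 ] && [ "$patch" -lt 2 ]; }; then
        echo not-affected; return
    fi
    for p in $PATCHED_VERSIONS; do
        pm=${p#2.}; pm=${pm%%.*}; pp=${p##*.}
        if [ "$minor" -eq "$pm" ]; then
            if [ "$patch" -ge "$pp" ]; then echo not-affected; else echo affected; fi
            return
        fi
    done
    # Not in the table: 2.14-2.16 got no fix release (affected); 2.31+ postdate the fix.
    if [ "$minor" -gt 30 ]; then echo not-affected; else echo affected; fi
}

# exposure SYMLINKS NFILTERS -> can an affected Git be hit on this host?
# SYMLINKS is the core.symlinks value ("" = unset, platform default);
# NFILTERS is the number of clean/smudge filters configured globally.
exposure() {
    if [ "$1" = false ]; then echo mitigated-by-core.symlinks
    elif [ "$2" -eq 0 ]; then echo mitigated-no-filters
    else echo exposed
    fi
}

# Live check of the local installation (assumes git is on PATH).
if command -v git >/dev/null 2>&1; then
    ver=$(git --version | sed 's/^git version //')
    st=$(git_status "$ver")
    if [ "$st" = affected ]; then
        n=$(git config --global --get-regexp '^filter\..*\.(clean|smudge)$' 2>/dev/null | wc -l | tr -d ' ')
        st="$st, $(exposure "$(git config --global core.symlinks 2>/dev/null)" "$n")"
    fi
    echo "git $ver: $st"
fi
```

Only global (pre-clone) filter configuration is counted, matching the advisory's note that filters must be configured before cloning for the attack to work.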


Credits

Credit for finding and fixing the vulnerability goes to Matheus Tavares
and Johannes Schindelin.


References

    https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/
    https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks
    https://git-scm.com/docs/gitattributes#_filter
    684dd4c


For more information

If you have any questions or comments about this advisory:

    For public questions, contact the Git mailing list (details at
    https://git-scm.com/community)
    To disclose further vulnerabilities privately, contact the
    Git-security list by emailing git-security@googlegroups.com



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
