Today, the Git project
released new versions to address a pair of security vulnerabilities, CVE-2023-25652 and CVE-2023-29007, that affect versions 2.40.0 and older.

Git was also patched to address additional, Windows-specific vulnerabilities: CVE-2023-25815, CVE-2023-29011, and CVE-2023-29012. The Git for Windows project released new versions including the fixes for all five of these vulnerabilities.

To protect against CVE-2023-25652 and CVE-2023-29007, users are encouraged to upgrade immediately. The former may be used to perform controlled content writes at arbitrary paths with `git apply --reject`. The latter may be used to inject arbitrary configuration settings, which may in turn be used to achieve arbitrary code execution.

The Windows-specific issues affect users on multi-user machines, users working in Git CMD, and users leveraging the SOCKS5 proxy `connect.exe` that is included in the Git for Windows distribution. Users fitting any of these descriptions are also encouraged to upgrade immediately.

CVE-2023-25652
When applying patches with `git apply`, Git rejects inputs that attempt to write a file beyond a symbolic link. In Git 2.39.2, this mechanism was updated to reject patches which themselves created symbolic links and attempted to write beyond them.

However, this fix was incomplete: when using `git apply --reject` to write out rejected hunks from the patch as `*.rej` files (one `<path>.rej` next to each target that could not be patched), specially crafted malicious patches can perform controlled content writes at arbitrary locations, because the `.rej` write did not go through the same symbolic-link checks as the patch itself.
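Since on an unpatched Git the `*.rej` writes are themselves the problem, a patch from an untrusted source should be screened before `git apply` sees it at all, rather than relying on `--reject` to discard bad hunks. The following script is an added example written for this page, not code from the Git project or from the advisory; it also covers the "inspect a patch before applying it" step in the mitigation list further down. It reads a unified diff as text and flags files created as symbolic links (`new file mode 120000`), paths that escape the work tree or touch `.git/`, rename/copy destinations that do the same, and files written beneath a symlink the same patch creates. The sample patch is constructed for the demonstration; the screen is deliberately simpler and stricter than Git's own patch parser and assumes the default `a/` and `b/` prefixes and paths without spaces.

```python
import re
import sys

# Constructed sample patch for this demonstration (not from the advisory):
# it creates a symbolic link and then adds a file through that link, the
# shape of input the page says `git apply` is meant to reject.
SAMPLE_PATCH = """\
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # project
+hello
diff --git a/docs b/docs
new file mode 120000
--- /dev/null
+++ b/docs
@@ -0,0 +1 @@
+../outside
diff --git a/docs/notes.txt b/docs/notes.txt
new file mode 100644
--- /dev/null
+++ b/docs/notes.txt
@@ -0,0 +1 @@
+written through the link
"""

SYMLINK_MODE = "120000"          # git's mode for a symbolic link entry
HEADER_RE = re.compile(r"^diff --git (\S+) (\S+)$")   # assumes paths without spaces


def _strip_prefix(path):
    """Drop git's default a/ and b/ prefixes (assumption: --no-prefix not used)."""
    return path[2:] if path[:2] in ("a/", "b/") else path


def _escapes_worktree(path):
    parts = path.replace("\\", "/").split("/")
    return path.startswith("/") or ".." in parts or parts[0] == ".git"


def screen_patch(text):
    """Return a list of (path, reason) findings for a unified diff.

    Flagged: files created as symlinks, paths that leave the work tree or
    touch .git/, rename/copy destinations that do the same, and files
    written underneath a symlink that the same patch creates.
    """
    findings = []
    created_links = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = _strip_prefix(m.group(2))
            if _escapes_worktree(current):
                findings.append((current, "path escapes the work tree or touches .git/"))
            for link in created_links:
                if current.startswith(link + "/"):
                    findings.append((current, f"written beneath symlink '{link}' created by this patch"))
            continue
        if current is None:
            continue
        if line.startswith("new file mode ") and line.rsplit(" ", 1)[1] == SYMLINK_MODE:
            created_links.append(current)
            findings.append((current, "patch creates a symbolic link"))
        elif line.startswith(("rename to ", "copy to ")):
            dest = line.split(" ", 2)[2]
            if _escapes_worktree(dest):
                findings.append((dest, "rename/copy destination escapes the work tree"))
    return findings


def patch_is_clean(text):
    """True when the screen found nothing; only then consider `git apply`."""
    return not screen_patch(text)


if __name__ == "__main__":
    # Usage: python screen_patch.py < some.patch   (falls back to the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PATCH
    for path, reason in screen_patch(data):
        print(f"{path}: {reason}")
    print("clean" if patch_is_clean(data) else "REJECT: do not apply, with or without --reject")
```

Run it alongside `git apply --stat` and `git apply --check` (which reports whether the patch applies without touching the tree), and treat any finding as a reason not to apply the patch at all: a hunk that Git would refuse still produces a `.rej` write under `--reject` on an unpatched version.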
CVE-2023-29007
Git's implementation used to rename or delete sections of a configuration file contained a logic error that resulted in improperly treating configuration values longer than a fixed length as containing new sections.

This can result in arbitrary configuration injection into a user's `$GIT_DIR/config` when attempting to rename or remove a malicious configuration section. This may be used to achieve arbitrary code execution, via configuration values that specify executables, such as `core.pager`, `core.editor`, `core.sshCommand`, and so on.

This vulnerability may be exploited by using overly long submodule URLs, which are stored in a user's `$GIT_DIR/config` upon initialization. Those URLs may be misinterpreted as containing new configuration material when removing those sections, for example, with `git submodule deinit`.
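The mitigation list further down asks for inspection of `$GIT_DIR/config` before `git submodule deinit`, `git config --rename-section` or `git config --remove-section` run against it. The audit below is an added example for that step, not code from the Git project or from the advisory. It parses the INI-style file as plain text without invoking git (so it cannot itself trip the parser being audited) and flags values longer than a threshold, values containing section-like brackets, and repository-level settings of the executable-bearing keys the page names (`core.pager`, `core.editor`, `core.sshCommand`). The 1024-byte threshold is an assumption, since the page only says "a fixed length"; the sample config is constructed. Run it over both `$GIT_DIR/config` and `.gitmodules`, because submodule URLs are copied from the latter into the former at initialization.

```python
import re
import sys

MAX_SAFE_VALUE_LEN = 1024   # assumption: the page only says "a fixed length"
# Keys the page names as routes to code execution when set in a repo config.
EXEC_KEYS = {"core.pager", "core.editor", "core.sshcommand"}

SECTION_RE = re.compile(r'^\[([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]$')

# Constructed sample of a $GIT_DIR/config after `git submodule init`
# (not from the advisory): the second submodule URL is padded far beyond
# any plausible length and carries section-like text inside the value.
PADDED_URL = "https://example.invalid/vendor/" + "a" * 1100 + "/[core]"
SAMPLE_CONFIG = f"""\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[submodule "lib"]
\turl = https://example.invalid/lib.git
\tactive = true
[submodule "vendor"]
\turl = {PADDED_URL}
\tactive = true
"""


def parse_git_config(text):
    """Yield (section, key, value) from git's INI-like config format.

    Handles [section] and [section "subsection"] headers, # and ; comments
    and backslash line continuation. Deliberately minimal: it reads the file
    as text and never invokes git.
    """
    section = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            if m.group(2) is not None:
                section += "." + m.group(2)   # subsection names are case-sensitive
            continue
        key, _, value = line.partition("=")
        yield section, key.strip().lower(), value.strip().strip('"')


def audit_config(text):
    """Return (key, reason) findings worth eyeballing before --remove-section,
    --rename-section or `git submodule deinit` touch this file."""
    findings = []
    for section, key, value in parse_git_config(text):
        full = f"{section}.{key}" if section else key
        if len(value) > MAX_SAFE_VALUE_LEN:
            findings.append((full, f"value is {len(value)} bytes, over {MAX_SAFE_VALUE_LEN}"))
        if "[" in value or "]" in value:
            findings.append((full, "value contains section-like brackets"))
        if full in EXEC_KEYS:
            findings.append((full, "repository-level config sets an executable"))
    return findings


def safe_to_edit(text):
    """True when nothing in the file looks like it could be misparsed as a new section."""
    return not audit_config(text)


if __name__ == "__main__":
    # Usage: python audit_config.py .git/config .gitmodules   (defaults to the sample)
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or [("sample", SAMPLE_CONFIG)]
    for name, text in sources:
        for key, reason in audit_config(text):
            print(f"{name}: {key}: {reason}")
        print(f"{name}: {'ok' if safe_to_edit(text) else 'INSPECT before removing/renaming sections'}")
```

The bracket check is conservative and will also flag legitimate IPv6 URLs such as `ssh://[::1]/repo.git`; the point is to force a look before a section is removed, not to decide automatically that a repository is malicious. A long or bracketed submodule URL in a repository you did not write is reason enough to delete the section by hand in an editor instead of letting an unpatched Git rewrite the file.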
CVE-2023-25815
A recent change in one of the packages shipped with Git for Windows caused the `gettext()` function to use the hard-coded path `C:\mingw64\share\locale` when looking for localization messages instead of respecting the runtime prefix. Using obscure message formatting features, this allows out-of-bound memory writes, which can be used to cause crashes.

This vulnerability affects users working on Windows machines to which other, untrusted parties have write access. Typically, all authenticated users have permission to create folders in `C:\`, allowing malicious actors to inject incorrect messages into `git.exe`.
CVE-2023-29011
A similar vulnerability (as above) exists in Git for Windows's `connect.exe` executable, which is responsible for implementing a SOCKS5 proxy. The location of connect.exe's configuration file is hard-coded to a path that is typically interpreted as `C:\etc\connectrc`, which is susceptible in a similar fashion as above. Users on multi-account Windows machines are highly advised to exercise caution if they use this SOCKS5 proxy on those machines.
CVE-2023-29012
Lastly, Git for Windows's "Git CMD" program incorrectly searches for a program called `doskey.exe` beginning in the working directory of Git CMD on startup. When started in untrusted directories, this can lead to silent arbitrary code execution. This vulnerability is similar to the one that led to Git CMD being deprecated temporarily in Git for Windows v2.19.2, but is contained to the directory in which Git CMD is started.
Upgrade to the latest Git version
The most effective way to protect against these vulnerabilities is to upgrade to Git 2.40.1. If you can't update immediately, reduce your risk by taking the following steps:
- Avoid using `git apply --reject` when working with patches from untrusted sources. Use `git apply --stat` to inspect a patch before applying it.
- Avoid running `git submodule deinit`, `git config --rename-section`, and `git config --remove-section` on untrusted repositories or without prior inspection of your `$GIT_DIR/config`.
On Windows, you can reduce your risk by doing the following:
- Avoid using Git for Windows on machines with shared accounts. Otherwise, create empty `C:\mingw64` and `C:\etc` folders, and remove any write permission on them.
- Avoid using Git CMD, or if doing so is impossible, ensure it is started from a trusted directory.
In order to protect users against these attacks, GitHub has taken proactive steps. Specifically, we:
- Scheduled a GitHub Desktop release for tomorrow, April 26, 2023, that prevents the exploitation of this vulnerability.
- Scheduled updates to GitHub Codespaces and GitHub Actions to upgrade their versions of Git.
GitHub itself is not affected by these vulnerabilities. We do not use `git apply --reject`, nor Git's configuration mechanism. GitHub does not use Git for Windows, and is thus not affected by those vulnerabilities, either.
CVE-2023-25652 was found by RyotaK, and CVE-2023-29007 was found by André Baptista and Vítor Pinho. The fixes for CVE-2023-25652 were developed by Johannes Schindelin, Taylor Blau, and Junio C Hamano, with help from Linus Torvalds. The fixes for CVE-2023-29007 were developed by Taylor Blau, Jeff King, Patrick Steinhardt, and Johannes Schindelin.

CVE-2023-25815 was discovered by Maxime Escourbiac and Cousky. Both CVE-2023-29011 and CVE-2023-29012 were discovered by ycdxsb. Fixes for all three of these vulnerabilities were developed by Johannes Schindelin.