With version 2.45.1, git eliminates five security vulnerabilities in the clients and introduces in-depth protection mechanisms. All operating systems are at risk: Windows, macOS, Linux distributions or BSDs. The gaps concern cloning of repositories; one is classified as critical, two as high. As a result, the git team advises updating immediately and, “if you cannot update immediately, please be careful where you clone repositories from.”
Advertisement
After lately a series of attacks on repository services became known, published git now a security update, which does not affect the service, but the clients. Users should update both the standalone programs and the plugins in the development environments. Visual Studio updates automatically, while VS Code users have to install the new git version in the terminal themselves:
git update-git-for-windows
The fixed vulnerabilities in detail:
- CVE-2024-32002 (Critical; Windows and macOS): Malicious repos with submodules can use git clients to dump data into the .git/ folder instead of the associated working directory when cloning. This is achieved via manipulated symbolic links. The attacker can there Hooks (automatically starting scripts) run while git is running.
- CVE-2024-32004 (High; Multiuser): An attacker can model a local repository as a supposedly partial clone without an object, which, when cloned, can execute arbitrary code on the cloner with their privileges.
- CVE-2024-32465 (high; all configurations): Cloning repos from zip files bypasses protection measures, allowing attackers to inject insecure hooks.
- CVE-2024-32020 (Low; Multiuser Machine): Untrusted users can modify hardlinks in the object database of the cloned repo on the same disk.
- CVE-2024-32021 (Low; Multiuser): When cloning a local repo with symbolic links, attackers can abuse git to create hardlinks in the objects/ directory. The attackers use this to write files into the file system beyond git.
VS Code users should update git quickly by hand in the terminal.
(Image: iX)
New security concept: Defense-in-Depth
In addition to fixing specific vulnerabilities, git introduces new security mechanisms to counter threats like those described. Better handling of symbolic links when cloning should prevent git from writing files in the wrong place. Hooks are now more closely scrutinized to stop unauthorized code. The git template directory hook configuration is now protected from accidental or malicious changes. Additionally, git now warns about symbolic links to the .git/ directory. Particularly suspicious users can pretend that git treats these warnings as errors.
Another note from the git team: The new defense-in-depth protection causes an error when cloning large file storage repos. The switch helps git lfs pull in the new clone.
(who)