ASA-2019-00662 – Git: Recursive submodule cloning allows using git directory twice with synonymous directory name written in .git/

Allele Security Alert



ASA-2019-00662, CVE-2019-1349


Recursive submodule cloning allows using git directory twice with synonymous directory name written in .git/


the Git project



Affected version(s)

Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2
Git versions 2.19.x before 2.19.3
Git versions 2.18.x before 2.18.2
Git versions 2.17.x before 2.17.3
Git versions 2.16.x before 2.16.6
Git versions 2.15.x before 2.15.4
Git versions 2.14.x before 2.14.6

Fixed version(s)

Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2
Git version 2.19.3
Git version 2.18.2
Git version 2.17.3
Git version 2.16.6
Git version 2.15.4
Git version 2.14.6

Git versions with the following commit:

clone --recurse-submodules: prevent name squatting on Windows

Proof of concept



When submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice.

When using submodule paths that refer to the same file system entity (e.g. using the NTFS Alternate Data Streams attack mentioned in CVE-2019-1352 where files would be written to the `.git/` directory using a synonymous directory name), it was possible to “squat” on the `git~1` shortname on NTFS drives, opening attacks via `git~2`. This also affects Git when run as a Linux application inside the Windows Subsystem for Linux.
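As an added defender-side example (not Git's own code and not the fix from the commits referenced in this alert), the following Python applies the NTFS naming rules described above to the submodule paths declared in a constructed `.gitmodules` file and flags any path component that could alias the `.git` directory. It treats every `git~N` short name as suspect rather than only `git~1`, because the squatting described here is exactly what pushes `.git` on to `git~2`; the sample submodule names, URLs and the `$INDEX_ALLOCATION` stream name are assumptions made for the demo.

```python
import re

# Constructed sample .gitmodules for this illustration (not a real repository).
SAMPLE_GITMODULES = """
[submodule "lib"]
    path = lib/helper
    url = https://example.invalid/helper.git
[submodule "squat"]
    path = GIT~2
    url = https://example.invalid/squat.git
[submodule "ads"]
    path = .git::$INDEX_ALLOCATION
    url = https://example.invalid/ads.git
[submodule "trailing"]
    path = nested/.Git.
    url = https://example.invalid/trailing.git
"""
# git~1 is the usual 8.3 alias of .git; once git~1 is squatted, .git becomes git~2, so any git~N is suspect.
_SHORTNAME = re.compile(r"^git~[1-9][0-9]*$")

def is_ntfs_dotgit(component: str) -> bool:
    """True if one path component can resolve to .git on NTFS (case-insensitive,
    trailing dots/spaces ignored, ':' starts an Alternate Data Stream name)."""
    name = component.split(":", 1)[0]   # drop any ADS suffix
    name = name.rstrip(" .").lower()    # NTFS ignores trailing dots and spaces
    return name == ".git" or bool(_SHORTNAME.match(name))

def parse_gitmodules(text: str) -> dict:
    """Minimal .gitmodules reader: returns {submodule name: path}."""
    paths, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r'^\[submodule\s+"(.*)"\]$', line)
        key, _, value = line.partition("=")
        if header:
            name = header.group(1)
        elif name is not None and key.strip().lower() == "path":
            paths[name] = value.strip()
    return paths

def flag_submodule_paths(text: str) -> dict:
    """Return {submodule name: first path component that aliases .git}."""
    flagged = {}
    for name, path in parse_gitmodules(text).items():
        for component in re.split(r"[\\/]+", path):   # split on / and \
            if is_ntfs_dotgit(component):
                flagged[name] = component
                break
    return flagged
```

Git performs this kind of matching inside its own path handling; a stand-alone screen like this is only a pre-clone lint for CI or code review.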

Technical details



Christopher Ertl (Microsoft Corporation) and Nicolas Joly (Microsoft Corporation)


[ANNOUNCE] Git v2.24.1 and others

clone --recurse-submodules: prevent name squatting on Windows

read-cache: optionally disallow NTFS .git variants

is_ntfs_dotgit: match other .git files

Visual Studio 2019 version 16.4 Release Notes

CVE-2019-1349 | Git for Visual Studio Remote Code Execution Vulnerability

Git v2.24.1 Release Notes

Git v2.23.1 Release Notes

Git v2.22.2 Release Notes

Git v2.21.1 Release Notes

Git v2.20.2 Release Notes

Git v2.19.3 Release Notes

Git v2.18.2 Release Notes

Git v2.17.3 Release Notes

Git v2.16.6 Release Notes

Git v2.15.4 Release Notes

Git v2.14.6 Release Notes

CVE-2019-1349 - Red Hat Customer Portal

CVE-2019-1349 in Ubuntu

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: December 12, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.