Allele Security Alert
ASA-2019-00662
Identifier(s)
ASA-2019-00662, CVE-2019-1349
Title
Recursive submodule cloning allows using git directory twice with synonymous directory name written in .git/
Vendor(s)
the Git project
Product(s)
Git
Affected version(s)
Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2
Git versions 2.19.x before 2.19.3
Git versions 2.18.x before 2.18.2
Git versions 2.17.x before 2.17.3
Git versions 2.16.x before 2.16.6
Git versions 2.15.x before 2.15.4
Git versions 2.14.x before 2.14.6
Fixed version(s)
Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2
Git version 2.19.3
Git version 2.18.2
Git version 2.17.3
Git version 2.16.6
Git version 2.15.4
Git version 2.14.6
Git versions with the following commit:
clone –recurse-submodules: prevent name squatting on Windows
https://git.kernel.org/pub/scm/git/git.git/commit/?id=0060fd1511b94c918928fa3708f69a3f33895a4a
Proof of concept
Unknown
Description
When submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice.
When using submodule paths that refer to the same file system entity (e.g. using the NTFS Alternate Data Streams attack mentioned in CVE-2019-1352 where files would be written to the `.git/` directory using a synonymous directory name), it was possible to “squat” on the `git~1` shortname on NTFS drives, opening attacks via `git~2`. This also affects Git when run as a Linux application inside the Windows Subsystem for Linux.
Technical details
Unknown
Credits
Christopher Ertl (Microsoft Corporation) and Nicolas Joly (Microsoft Corporation)
Reference(s)
[ANNOUNCE] Git v2.24.1 and others
https://lkml.org/lkml/2019/12/10/905
clone –recurse-submodules: prevent name squatting on Windows
https://git.kernel.org/pub/scm/git/git.git/commit/?id=0060fd1511b94c918928fa3708f69a3f33895a4a
clone –recurse-submodules: prevent name squatting on Windows
https://github.com/git/git/commit/0060fd1511b94c918928fa3708f69a3f33895a4a
read-cache: optionally disallow NTFS .git variants
https://git.kernel.org/pub/scm/git/git.git/commit/?id=2b4c6efc82119ba8f4169717473d95d1a89e4c69
read-cache: optionally disallow NTFS .git variants
https://github.com/git/git/commit/2b4c6efc82119ba8f4169717473d95d1a89e4c69
is_ntfs_dotgit: match other .git files
https://git.kernel.org/pub/scm/git/git.git/commit/?id=e7cb0b4455c85b53aeba40f88ffddcf6d4002498
is_ntfs_dotgit: match other .git files
https://github.com/git/git/commit/e7cb0b4455c85b53aeba40f88ffddcf6d4002498
Visual Studio Icon Visual Studio 2019 version 16.4 Release Notes
https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes#security-advisory-notice
CVE-2019-1349 | Git for Visual Studio Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1349
Git v2.24.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.24.1.txt
Git v2.23.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.23.1.txt
Git v2.22.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.22.2.txt
Git v2.21.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.21.1.txt
Git v2.20.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.20.2.txt
Git v2.19.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.19.3.txt
Git v2.18.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.18.2.txt
Git v2.17.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.17.3.txt
Git v2.16.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.16.6.txt
Git v2.15.4 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.15.4.txt
Git v2.14.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.14.6.txt
CVE-2019-1352
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352
CVE-2019-1352
https://nvd.nist.gov/vuln/detail/CVE-2019-1352
CVE-2019-1349
https://security.archlinux.org/CVE-2019-1349
CVE-2019-1349 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-1349
CVE-2019-1349
https://security-tracker.debian.org/tracker/CVE-2019-1349
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1349.html
CVE-2019-1349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349
CVE-2019-1349
https://nvd.nist.gov/vuln/detail/CVE-2019-1349
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: December 12, 2019