ASA-2019-00662 – Git: Recursive submodule cloning allows using git directory twice with synonymous directory name written in .git/

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00662

Identifier(s)

ASA-2019-00662, CVE-2019-1349

Title

Recursive submodule cloning allows using git directory twice with synonymous directory name written in .git/

Vendor(s)

the Git project

Product(s)

Git

Affected version(s)

Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2
Git versions 2.19.x before 2.19.3
Git versions 2.18.x before 2.18.2
Git versions 2.17.x before 2.17.3
Git versions 2.16.x before 2.16.6
Git versions 2.15.x before 2.15.4
Git versions 2.14.x before 2.14.6

Fixed version(s)

Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2
Git version 2.19.3
Git version 2.18.2
Git version 2.17.3
Git version 2.16.6
Git version 2.15.4
Git version 2.14.6

Git versions with the following commit:

clone –recurse-submodules: prevent name squatting on Windows
https://git.kernel.org/pub/scm/git/git.git/commit/?id=0060fd1511b94c918928fa3708f69a3f33895a4a

Proof of concept

Unknown

Description

When submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice.

When using submodule paths that refer to the same file system entity (e.g. using the NTFS Alternate Data Streams attack mentioned in CVE-2019-1352 where files would be written to the `.git/` directory using a synonymous directory name), it was possible to “squat” on the `git~1` shortname on NTFS drives, opening attacks via `git~2`. This also affects Git when run as a Linux application inside the Windows Subsystem for Linux.

Technical details

Unknown

Credits

Christopher Ertl (Microsoft Corporation) and Nicolas Joly (Microsoft Corporation)

Reference(s)

[ANNOUNCE] Git v2.24.1 and others
https://lkml.org/lkml/2019/12/10/905

clone –recurse-submodules: prevent name squatting on Windows
https://git.kernel.org/pub/scm/git/git.git/commit/?id=0060fd1511b94c918928fa3708f69a3f33895a4a

clone –recurse-submodules: prevent name squatting on Windows
https://github.com/git/git/commit/0060fd1511b94c918928fa3708f69a3f33895a4a

read-cache: optionally disallow NTFS .git variants
https://git.kernel.org/pub/scm/git/git.git/commit/?id=2b4c6efc82119ba8f4169717473d95d1a89e4c69

read-cache: optionally disallow NTFS .git variants
https://github.com/git/git/commit/2b4c6efc82119ba8f4169717473d95d1a89e4c69

is_ntfs_dotgit: match other .git files
https://git.kernel.org/pub/scm/git/git.git/commit/?id=e7cb0b4455c85b53aeba40f88ffddcf6d4002498

is_ntfs_dotgit: match other .git files
https://github.com/git/git/commit/e7cb0b4455c85b53aeba40f88ffddcf6d4002498

Visual Studio Icon Visual Studio 2019 version 16.4 Release Notes
https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes#security-advisory-notice

CVE-2019-1349 | Git for Visual Studio Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1349

Git v2.24.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.24.1.txt

Git v2.23.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.23.1.txt

Git v2.22.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.22.2.txt

Git v2.21.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.21.1.txt

Git v2.20.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.20.2.txt

Git v2.19.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.19.3.txt

Git v2.18.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.18.2.txt

Git v2.17.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.17.3.txt

Git v2.16.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.16.6.txt

Git v2.15.4 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.15.4.txt

Git v2.14.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.14.6.txt

CVE-2019-1352
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352

CVE-2019-1352
https://nvd.nist.gov/vuln/detail/CVE-2019-1352

CVE-2019-1349
https://security.archlinux.org/CVE-2019-1349

CVE-2019-1349 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-1349

CVE-2019-1349
https://security-tracker.debian.org/tracker/CVE-2019-1349

CVE-2019-1349 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1349.html

CVE-2019-1349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349

CVE-2019-1349
https://nvd.nist.gov/vuln/detail/CVE-2019-1349

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: December 12, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.