ASA-2019-00663 – Git: Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone


Allele Security Alert

ASA-2019-00663

Identifier(s)

ASA-2019-00663, CVE-2019-1350

Title

Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone

Vendor(s)

the Git project

Product(s)

Git

Affected version(s)

Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2
Git versions 2.19.x before 2.19.3
Git versions 2.18.x before 2.18.2
Git versions 2.17.x before 2.17.3
Git versions 2.16.x before 2.16.6
Git versions 2.15.x before 2.15.4
Git versions 2.14.x before 2.14.6

Fixed version(s)

Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2
Git version 2.19.3
Git version 2.18.2
Git version 2.17.3
Git version 2.16.6
Git version 2.15.4
Git version 2.14.6

Git versions with the following commit:

mingw: fix quoting of arguments
https://git.kernel.org/pub/scm/git/git.git/commit/?id=6d8684161ee9c03bed5cb69ae76dfdddb85a0003

Proof of concept

Unknown

Description

Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone in conjunction with SSH URLs: a malicious repository whose submodules use SSH URLs could, when cloned with --recurse-submodules by an affected Windows build of Git, cause code to run on the cloning machine. The affected quoting code belongs to Git's Windows (MinGW) compatibility layer, so the bug is specific to Windows builds, including Git for Windows and the Git shipped with Visual Studio.

Technical details

Not published with this alert. The fix commit is titled "mingw: fix quoting of arguments", which places the defect in the argument-quoting code of Git's Windows (MinGW) compatibility layer, i.e. in how Git on Windows assembles the single command-line string handed to the processes it spawns (such as ssh for SSH URLs), which the child's C runtime then splits back into argv.
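The failure mode behind this class of bug, as an added illustration that is not Git's code and does not reproduce the actual CVE-2019-1350 defect (this alert has no technical details for it): on Windows a new process receives one command-line string, and the C runtime splits it into argv using documented rules (whitespace separates arguments, double quotes group, 2n backslashes before a quote yield n backslashes and a quote delimiter, 2n+1 yield n backslashes and a literal quote, backslashes elsewhere are literal). The program below implements that splitter, a quoter that follows those rules, and a naive quoter that escapes only double quotes, and checks with constructed argument values that the naive quoter lets a value ending in a backslash swallow the following argument and lets a value containing a backslash-quote pair inject an extra argument. Function names and the sample arguments are mine; the newer runtime rule that "" inside quotes is a literal quote is omitted because neither quoter ever emits it.

```c
/* Added illustration (not Git's code): Windows hands one command-line string
 * to a child, whose C runtime re-splits it into argv, so a quoter that
 * ignores the backslash rules lets an argument leak into, or create, another. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quoting that matches the CRT rules: backslashes right before a double quote
 * (or before the closing quote) are doubled and the quote itself is escaped. */
char *quote_arg_win32(const char *arg)
{
    size_t n = strlen(arg), bs;
    char *out = malloc(2 * n + 3), *o = out;   /* each byte at most doubled, plus quotes and NUL */

    if (!out)
        return NULL;
    if (n && !strpbrk(arg, " \t\n\v\"")) {     /* nothing that needs quoting */
        memcpy(out, arg, n + 1);
        return out;
    }
    *o++ = '"';
    for (;;) {
        for (bs = 0; *arg == '\\'; arg++)
            bs++;
        if (!*arg) {          /* trailing backslashes: double them so the closing quote stays a delimiter */
            memset(o, '\\', 2 * bs); o += 2 * bs;
            break;
        }
        if (*arg == '"') {    /* double the backslashes, add one more to escape the quote */
            memset(o, '\\', 2 * bs + 1); o += 2 * bs + 1;
        } else {              /* backslashes not before a quote are literal */
            memset(o, '\\', bs); o += bs;
        }
        *o++ = *arg++;
    }
    *o++ = '"';
    *o = '\0';
    return out;
}

/* The common mistake: wrap in quotes and escape only the double quote. */
char *quote_arg_naive(const char *arg)
{
    char *out = malloc(2 * strlen(arg) + 3), *o = out;

    if (!out)
        return NULL;
    *o++ = '"';
    for (; *arg; arg++) {
        if (*arg == '"')
            *o++ = '\\';
        *o++ = *arg;
    }
    *o++ = '"';
    *o = '\0';
    return out;
}

/* Split a command line the way the Microsoft C runtime builds argv (rules in
 * the lead-in). Returns argc; each argv[i] is malloc'd by this function. */
int split_argv_win32(const char *p, char **argv, int max)
{
    int argc = 0, inq;
    char *o;
    size_t bs;

    while (*p == ' ' || *p == '\t')
        p++;
    while (*p && argc < max) {
        argv[argc] = o = malloc(strlen(p) + 1);
        if (!o)
            break;
        for (inq = 0; *p && (inq || (*p != ' ' && *p != '\t')); ) {
            if (*p == '"') {
                inq = !inq; p++;                     /* delimiter quote */
            } else if (*p == '\\') {
                for (bs = 0; *p == '\\'; p++)
                    bs++;
                if (*p == '"') {                     /* backslashes before a quote */
                    memset(o, '\\', bs / 2); o += bs / 2;
                    if (bs % 2) { *o++ = '"'; p++; } /* odd count: literal quote */
                } else {                             /* literal backslashes */
                    memset(o, '\\', bs); o += bs;
                }
            } else {
                *o++ = *p++;
            }
        }
        *o = '\0';
        argc++;
        while (*p == ' ' || *p == '\t')
            p++;
    }
    return argc;
}

/* Quote each arg with `quoter`, join with spaces (what CreateProcess receives),
 * then split again with the CRT rules. Returns the resulting argc, -1 on OOM. */
int requote_split(const char **args, int n, char *(*quoter)(const char *),
                  char **argv, int max)
{
    size_t len = 0;
    char *line, *q;
    int i, argc;

    for (i = 0; i < n; i++)                 /* upper bound on the joined length */
        len += 2 * strlen(args[i]) + 4;
    line = malloc(len + 1);
    if (!line)
        return -1;
    line[0] = '\0';
    for (i = 0; i < n; i++) {
        q = quoter(args[i]);
        if (!q) { free(line); return -1; }
        if (i) strcat(line, " ");
        strcat(line, q);
        free(q);
    }
    argc = split_argv_win32(line, argv, max);
    free(line);
    return argc;
}

/* The check a caller of CreateProcess wants: 1 if quoting, joining and
 * re-splitting gives back exactly the argv we started with, else 0. */
int roundtrips(const char **args, int n, char *(*quoter)(const char *))
{
    char *argv[16];
    int argc = requote_split(args, n, quoter, argv, 16), i, ok = (argc == n);

    for (i = 0; i < argc; i++) {
        if (ok && strcmp(argv[i], args[i]))
            ok = 0;
        free(argv[i]);
    }
    return ok;
}

int main(void)
{
    /* constructed input: a path ending in a backslash followed by a flag */
    const char *args[] = { "C:\\repo\\", "--verbose" };
    printf("naive quoter round-trips: %d\n", roundtrips(args, 2, quote_arg_naive));
    printf("fixed quoter round-trips: %d\n", roundtrips(args, 2, quote_arg_win32));
    return 0;
}
```

With the naive quoter, `C:\repo\` followed by `--verbose` comes back as the single argument `C:\repo" --verbose`, and `x\" --injected` followed by `next` comes back as `x\` plus a new argument starting with `--injected`; the rule-following quoter returns the original argv in both cases. The round-trip check is cheap enough to keep as a unit test for any code that builds Windows command lines from untrusted input such as URLs or paths.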

Credits

Christopher Ertl (Microsoft Corporation) and Nicolas Joly (Microsoft Corporation)

Reference(s)

[ANNOUNCE] Git v2.24.1 and others
https://lkml.org/lkml/2019/12/10/905

mingw: fix quoting of arguments
https://github.com/git/git/commit/6d8684161ee9c03bed5cb69ae76dfdddb85a0003

mingw: fix quoting of arguments
https://git.kernel.org/pub/scm/git/git.git/commit/?id=6d8684161ee9c03bed5cb69ae76dfdddb85a0003

Visual Studio 2019 version 16.4 Release Notes
https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes#security-advisory-notice

CVE-2019-1350 | Git for Visual Studio Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1350

Git v2.24.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.24.1.txt

Git v2.23.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.23.1.txt

Git v2.22.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.22.2.txt

Git v2.21.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.21.1.txt

Git v2.20.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.20.2.txt

Git v2.19.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.19.3.txt

Git v2.18.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.18.2.txt

Git v2.17.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.17.3.txt

Git v2.16.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.16.6.txt

Git v2.15.4 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.15.4.txt

Git v2.14.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.14.6.txt

CVE-2019-1350
https://security.archlinux.org/CVE-2019-1350

CVE-2019-1350 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-1350

CVE-2019-1350
https://security-tracker.debian.org/tracker/CVE-2019-1350

CVE-2019-1350 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1350.html

CVE-2019-1350
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1350

CVE-2019-1350
https://nvd.nist.gov/vuln/detail/CVE-2019-1350

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: December 12, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.