Allele Security Alert
ASA-2019-00664
Identifier(s)
ASA-2019-00664, CVE-2019-1351
Title
Git mistakes some paths for relative paths allowing writing outside of the worktree while cloning
Vendor(s)
the Git project
Product(s)
Git
Affected version(s)
Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2
Git versions 2.19.x before 2.19.3
Git versions 2.18.x before 2.18.2
Git versions 2.17.x before 2.17.3
Git versions 2.16.x before 2.16.6
Git versions 2.15.x before 2.15.4
Git versions 2.14.x before 2.14.6
Fixed version(s)
Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2
Git version 2.19.3
Git version 2.18.2
Git version 2.17.3
Git version 2.16.6
Git version 2.15.4
Git version 2.14.6
Git versions with the following commit:
mingw: handle subst-ed “DOS drives”
https://git.kernel.org/pub/scm/git/git.git/commit/?id=f82a97eb9197c1e3768e72648f37ce0ca3233734
Proof of concept
Unknown
Description
While the only permitted drive letters for physical drives on Windows are letters of the US-English alphabet, this restriction does not apply to virtual drives assigned via subst <letter>:<path>, whose "letter" need not be an ASCII letter. Git mistook paths on such virtual drives for relative paths, allowing writing outside of the worktree while cloning.
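An added illustration of the path-classification mistake described above; this is not Git's own code. It models a hypothetical Windows drive-prefix check that accepts only an ASCII letter before the colon, beside a variant that accepts any single character (including a multi-byte UTF-8 one, as subst permits) so that such paths are classified as absolute. Function names and sample paths are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical drive-prefix check modelling the bug class from the advisory:
 * only an ASCII letter followed by ':' counts as a DOS drive prefix.
 * Returns the prefix length in bytes (2) or 0. */
int drive_prefix_len_ascii_only(const char *path)
{
	return (isalpha((unsigned char)path[0]) && path[1] == ':') ? 2 : 0;
}

/* Hardened variant: any single character before ':' is a drive prefix,
 * including a digit or a multi-byte UTF-8 character, since `subst` lets a
 * virtual drive use such a "letter". Returns the prefix length or 0. */
int drive_prefix_len_any_char(const char *path)
{
	unsigned char c = (unsigned char)path[0];
	int i = 1;
	if (!c || c == ':' || c == '/' || c == '\\')
		return 0;
	/* skip UTF-8 continuation bytes (10xxxxxx) after a multi-byte lead byte */
	if (c >= 0x80)
		while (i < 4 && ((unsigned char)path[i] & 0xC0) == 0x80)
			i++;
	return path[i] == ':' ? i + 1 : 0;
}

/* Absolute on Windows: a drive prefix or a leading path separator.
 * A path wrongly classified as relative would be joined onto the clone
 * destination instead of being rejected as escaping the worktree. */
int is_absolute_ascii_only(const char *path)
{
	return drive_prefix_len_ascii_only(path) || path[0] == '/' || path[0] == '\\';
}

int is_absolute_any_char(const char *path)
{
	return drive_prefix_len_any_char(path) || path[0] == '/' || path[0] == '\\';
}

int main(void)
{
	/* constructed sample paths; "\xd6\x8d" is U+058D encoded as UTF-8 */
	const char *paths[] = { "C:\\work\\repo", "1:\\outside", "\xd6\x8d:\\outside", "dir\\file" };
	for (int k = 0; k < 4; k++)
		printf("%-22s ascii-only=%d any-char=%d\n", paths[k],
		       is_absolute_ascii_only(paths[k]), is_absolute_any_char(paths[k]));
	return 0;
}
```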
Technical details
Unknown
Credits
Christopher Ertl (Microsoft Corporation) and Nicolas Joly (Microsoft Corporation)
Reference(s)
[ANNOUNCE] Git v2.24.1 and others
https://lkml.org/lkml/2019/12/10/905
mingw: handle subst-ed “DOS drives”
https://git.kernel.org/pub/scm/git/git.git/commit/?id=f82a97eb9197c1e3768e72648f37ce0ca3233734
mingw: handle subst-ed “DOS drives”
https://github.com/git/git/commit/f82a97eb9197c1e3768e72648f37ce0ca3233734
Visual Studio 2019 version 16.4 Release Notes
https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes#security-advisory-notice
CVE-2019-1351 | Git for Visual Studio Tampering Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1351
Git v2.24.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.24.1.txt
Git v2.23.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.23.1.txt
Git v2.22.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.22.2.txt
Git v2.21.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.21.1.txt
Git v2.20.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.20.2.txt
Git v2.19.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.19.3.txt
Git v2.18.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.18.2.txt
Git v2.17.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.17.3.txt
Git v2.16.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.16.6.txt
Git v2.15.4 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.15.4.txt
Git v2.14.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.14.6.txt
CVE-2019-1351
https://security.archlinux.org/CVE-2019-1351
CVE-2019-1351 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-1351
CVE-2019-1351
https://security-tracker.debian.org/tracker/CVE-2019-1351
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1351.html
CVE-2019-1351
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1351
CVE-2019-1351
https://nvd.nist.gov/vuln/detail/CVE-2019-1351
If there is any error in this alert or you wish for a comprehensive analysis, let us know.
Last modified: December 12, 2019