ASA-2019-00664 – Git: Git mistakes some paths for relative paths allowing writing outside of the worktree while cloning


Allele Security Alert

ASA-2019-00664

Identifier(s)

ASA-2019-00664, CVE-2019-1351

Title

Git mistakes some paths for relative paths allowing writing outside of the worktree while cloning

Vendor(s)

the Git project

Product(s)

Git

Affected version(s)

Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2
Git versions 2.19.x before 2.19.3
Git versions 2.18.x before 2.18.2
Git versions 2.17.x before 2.17.3
Git versions 2.16.x before 2.16.6
Git versions 2.15.x before 2.15.4
Git versions 2.14.x before 2.14.6

Fixed version(s)

Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2
Git version 2.19.3
Git version 2.18.2
Git version 2.17.3
Git version 2.16.6
Git version 2.15.4
Git version 2.14.6

Git versions with the following commit:

mingw: handle subst-ed “DOS drives”
https://git.kernel.org/pub/scm/git/git.git/commit/?id=f82a97eb9197c1e3768e72648f37ce0ca3233734

Proof of concept

Unknown

Description

While the only permitted drive letters for physical drives on Windows are letters of the US-English alphabet, this restriction does not apply to virtual drives assigned via subst <letter>:<path>. Git mistook such paths for relative paths, which allowed files to be written outside of the worktree while cloning.
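
As an added illustration (not Git's own code and not part of this alert), the following C program contrasts a drive-prefix check that accepts only ASCII letters, the assumption this alert describes, with a hardened check that treats any single character, including a multi-byte UTF-8 one, followed by a colon as a drive prefix. A small worktree containment check is then run with each variant over constructed sample paths to show which entries the narrow check would let through. Function names, the sample paths and the ".." handling are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Narrow check (illustration of the pre-fix assumption described in the
 * alert): a drive prefix is an ASCII letter followed by ':'.
 * Returns the prefix length (2) or 0.
 */
static int drive_prefix_len_narrow(const char *path)
{
    return (isalpha((unsigned char)path[0]) && path[1] == ':') ? 2 : 0;
}

/*
 * Hardened check: any single character followed by ':' counts as a drive
 * prefix, because `subst` can assign virtually any character, not just
 * A-Z, as a virtual drive letter. A non-ASCII first byte starts a UTF-8
 * sequence of up to four bytes; skip its continuation bytes before
 * looking for the colon. Returns the prefix length or 0.
 */
static int drive_prefix_len_broad(const char *path)
{
    int i;

    if (!path[0])
        return 0;
    if (!((unsigned char)path[0] & 0x80))
        return path[1] == ':' ? 2 : 0;
    for (i = 1; i < 4 && ((unsigned char)path[i] & 0x80); i++)
        ; /* skip the rest of one UTF-8 encoded character */
    return path[i] == ':' ? i + 1 : 0;
}

/* True if any '/' or '\\' separated component of path is exactly "..". */
static int has_dotdot_component(const char *path)
{
    const char *p = path;

    while (*p) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (*p)
            p++;
    }
    return 0;
}

/*
 * Containment check for a path taken from repository data: returns 1 if
 * the path can only land inside the worktree, 0 if it must be refused.
 * The drive-prefix test is passed in so both variants can be compared.
 */
static int path_stays_in_worktree(const char *path,
                                  int (*prefix_len)(const char *))
{
    if (!*path)
        return 0;
    if (path[0] == '/' || path[0] == '\\')
        return 0;                     /* rooted on the current drive */
    if (prefix_len(path) > 0)
        return 0;                     /* carries a drive prefix */
    if (has_dotdot_component(path))
        return 0;                     /* climbs out via ".." */
    return 1;
}

int main(void)
{
    /* Constructed sample entries; "\xD6\x8D" is the UTF-8 encoding of U+058D. */
    const char *samples[] = {
        "src/main.c", "C:\\Users\\me\\file", "1:\\Users\\me\\file",
        "\xD6\x8D:file", "a/../b", "..hidden",
    };
    size_t i;

    printf("%-24s narrow broad\n", "path");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-24s %6d %5d\n", samples[i],
               path_stays_in_worktree(samples[i], drive_prefix_len_narrow),
               path_stays_in_worktree(samples[i], drive_prefix_len_broad));
    return 0;
}
```

The table printed by main shows the relevant row: under the narrow check a path such as `1:\...` is accepted as relative, while the broad check refuses it as a drive-prefixed path, matching the behaviour change this alert describes.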

Technical details

Unknown

Credits

Christopher Ertl (Microsoft Corporation) and Nicolas Joly (Microsoft Corporation)

Reference(s)

[ANNOUNCE] Git v2.24.1 and others
https://lkml.org/lkml/2019/12/10/905

mingw: handle subst-ed “DOS drives”
https://git.kernel.org/pub/scm/git/git.git/commit/?id=f82a97eb9197c1e3768e72648f37ce0ca3233734

mingw: handle subst-ed “DOS drives”
https://github.com/git/git/commit/f82a97eb9197c1e3768e72648f37ce0ca3233734

Visual Studio 2019 version 16.4 Release Notes
https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes#security-advisory-notice

CVE-2019-1351 | Git for Visual Studio Tampering Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1351

Git v2.24.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.24.1.txt

Git v2.23.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.23.1.txt

Git v2.22.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.22.2.txt

Git v2.21.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.21.1.txt

Git v2.20.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.20.2.txt

Git v2.19.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.19.3.txt

Git v2.18.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.18.2.txt

Git v2.17.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.17.3.txt

Git v2.16.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.16.6.txt

Git v2.15.4 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.15.4.txt

Git v2.14.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.14.6.txt

CVE-2019-1351
https://security.archlinux.org/CVE-2019-1351

CVE-2019-1351 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-1351

CVE-2019-1351
https://security-tracker.debian.org/tracker/CVE-2019-1351

CVE-2019-1351 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1351.html

CVE-2019-1351
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1351

CVE-2019-1351
https://nvd.nist.gov/vuln/detail/CVE-2019-1351

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: December 12, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.