Allele Security Alert
ASA-2019-00665
Identifier(s)
ASA-2019-00665, CVE-2019-1352
Title
Files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams
Vendor(s)
the Git project
Product(s)
Git
Affected version(s)
Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2
Git versions 2.19.x before 2.19.3
Git versions 2.18.x before 2.18.2
Git versions 2.17.x before 2.17.3
Git versions 2.16.x before 2.16.6
Git versions 2.15.x before 2.15.4
Git versions 2.14.x before 2.14.6
Fixed version(s)
Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2
Git version 2.19.3
Git version 2.18.2
Git version 2.17.3
Git version 2.16.6
Git version 2.15.4
Git version 2.14.6
Git versions with the following commit:
path: safeguard .git against NTFS Alternate Streams Accesses
https://git.kernel.org/pub/scm/git/git.git/commit/?id=7c3745fc6185495d5765628b4dfe1bd2c25a2981
Proof of concept
Unknown
Description
Git was unaware of NTFS Alternate Data Streams, allowing files inside the .git/ directory to be overwritten during a clone.
Technical details
Unknown
Credits
Christopher Ertl (Microsoft Corporation) and Nicolas Joly (Microsoft Corporation)
Reference(s)
[ANNOUNCE] Git v2.24.1 and others
https://lkml.org/lkml/2019/12/10/905
path: safeguard .git against NTFS Alternate Streams Accesses
https://git.kernel.org/pub/scm/git/git.git/commit/?id=7c3745fc6185495d5765628b4dfe1bd2c25a2981
path: safeguard .git against NTFS Alternate Streams Accesses
https://github.com/git/git/commit/7c3745fc6185495d5765628b4dfe1bd2c25a2981
[MS-FSCC]: NTFS Streams
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
Visual Studio 2019 version 16.4 Release Notes
https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes#security-advisory-notice
CVE-2019-1352 | Git for Visual Studio Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1352
Git v2.24.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.24.1.txt
Git v2.23.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.23.1.txt
Git v2.22.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.22.2.txt
Git v2.21.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.21.1.txt
Git v2.20.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.20.2.txt
Git v2.19.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.19.3.txt
Git v2.18.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.18.2.txt
Git v2.17.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.17.3.txt
Git v2.16.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.16.6.txt
Git v2.15.4 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.15.4.txt
Git v2.14.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.14.6.txt
CVE-2019-1352
https://security.archlinux.org/CVE-2019-1352
CVE-2019-1352 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-1352
CVE-2019-1352
https://security-tracker.debian.org/tracker/CVE-2019-1352
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1352.html
CVE-2019-1352
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352
CVE-2019-1352
https://nvd.nist.gov/vuln/detail/CVE-2019-1352
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: December 12, 2019