Allele Security Alert
ASA-2019-00666
Identifier(s)
ASA-2019-00666, CVE-2019-1353
Title
NTFS protections inactive when running Git in the Windows Subsystem for Linux
Vendor(s)
the Git project
Product(s)
Git
Affected version(s)
Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2
Git versions 2.19.x before 2.19.3
Git versions 2.18.x before 2.18.2
Git versions 2.17.x before 2.17.3
Git versions 2.16.x before 2.16.6
Git versions 2.15.x before 2.15.4
Git versions 2.14.x before 2.14.6
Fixed version(s)
Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2
Git version 2.19.3
Git version 2.18.2
Git version 2.17.3
Git version 2.16.6
Git version 2.15.4
Git version 2.14.6
Git versions with the following commit:
protect_ntfs: turn on NTFS protection by default
https://git.kernel.org/pub/scm/git/git.git/commit/?id=9102f958ee5254b10c0be72672aa3305bf4f4704
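Added example (not part of the original alert and not code from the Git project): a Python check that classifies `git --version` output against the affected and fixed versions listed above. The hostnames and sample outputs are constructed, and release series outside 2.14.x to 2.24.x are reported as "not-listed" because the alert makes no statement about them.

```python
import re

# Fixed patch level per release series, copied from the alert's
# "Affected version(s)" and "Fixed version(s)" lists.
FIXED_PATCH = {
    (2, 24): 1, (2, 23): 1, (2, 22): 2, (2, 21): 1, (2, 20): 2, (2, 19): 3,
    (2, 18): 2, (2, 17): 3, (2, 16): 6, (2, 15): 4, (2, 14): 6,
}

# Accepts "git version 2.24.0.windows.2" as well as a bare "2.24.0".
_VERSION_RE = re.compile(r"\s*(?:git version\s+)?(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample inventory (hostnames and outputs are made up).
SAMPLE_INVENTORY = {
    "wsl-dev-01": "git version 2.17.1",
    "wsl-dev-02": "git version 2.24.1",
    "win-build-03": "git version 2.24.0.windows.2",
    "wsl-dev-04": "git version 2.25.0",
    "wsl-dev-05": "git: command not found",
}


def parse_git_version(text):
    """Return (major, minor, patch) from `git --version` output, or None."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(text):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed'."""
    version = parse_git_version(text)
    if version is None:
        return "unparsed"
    major, minor, patch = version
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "not-listed"  # series the alert does not mention
    return "affected" if patch < fixed else "fixed"


def audit(inventory):
    """Map each host name to the classification of its reported version."""
    return {host: classify(output) for host, output in inventory.items()}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

A distribution package can carry the fix as a backport while still reporting an older upstream version, so an "affected" result should be confirmed against the distribution trackers listed under Reference(s).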
Proof of concept
Unknown
Description
When running Git in the Windows Subsystem for Linux (also known as “WSL”) while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.
Technical details
Unknown
Credits
Nicolas Joly (Microsoft Corporation)
Reference(s)
[ANNOUNCE] Git v2.24.1 and others
https://lkml.org/lkml/2019/12/10/905
protect_ntfs: turn on NTFS protection by default
https://git.kernel.org/pub/scm/git/git.git/commit/?id=9102f958ee5254b10c0be72672aa3305bf4f4704
protect_ntfs: turn on NTFS protection by default
https://github.com/git/git/commit/9102f958ee5254b10c0be72672aa3305bf4f4704
read-cache: optionally disallow NTFS .git variants
https://git.kernel.org/pub/scm/git/git.git/commit/?id=2b4c6efc82119ba8f4169717473d95d1a89e4c69
read-cache: optionally disallow NTFS .git variants
https://github.com/git/git/commit/2b4c6efc82119ba8f4169717473d95d1a89e4c69
Git v2.24.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.24.1.txt
Git v2.23.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.23.1.txt
Git v2.22.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.22.2.txt
Git v2.21.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.21.1.txt
Git v2.20.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.20.2.txt
Git v2.19.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.19.3.txt
Git v2.18.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.18.2.txt
Git v2.17.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.17.3.txt
Git v2.16.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.16.6.txt
Git v2.15.4 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.15.4.txt
Git v2.14.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.14.6.txt
CVE-2019-1353
https://security.archlinux.org/CVE-2019-1353
CVE-2019-1353 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-1353
CVE-2019-1353
https://security-tracker.debian.org/tracker/CVE-2019-1353
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1353.html
CVE-2019-1353
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1353
CVE-2019-1353
https://nvd.nist.gov/vuln/detail/CVE-2019-1353
Last modified: December 13, 2019