GIT Vulnerability Fixes/Issues and Other Related Information - [git clone --recursive] vulnerability


What is the Problem with git?

When a git repository contains a submodule, the submodule's repository structure is stored alongside its parent's inside the parent's .git folder. This structure is normally kept in a folder with the same name as the submodule, but that name is configurable through the .gitmodules file in the parent repository. The vulnerability affects versions of git that allow the folder name to contain a path that is not inside the .git directory. An attacker creates a parent repository that has another git repository checked in as ordinary content, then declares that checked-in repository as a submodule whose storage location is set to a path outside the .git folder, pointing at the checked-in repository. When you clone the parent repository recursively, git follows the location given in the submodule's .git file to the checked-in repository and runs any malicious hooks that were added to it.


Company Responses?

Code hosting companies such as GitHub and GitLab are currently making efforts to block any repository that tries to set up a git submodule outside of the .git directory, and other hosting providers are stepping forward to block these repositories as well. Visual Studio Services is also currently working to block malicious repositories.

Even so, you cannot assume that your current version of git is safe.
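The name check that the fixed git versions and the hosting providers above apply, written out as an added example (this is not code from the README or from git itself): it parses a .gitmodules file and flags any submodule name that is empty or contains a `..` path component, since the submodule's git directory lives at `.git/modules/<name>` and such a name would place it outside the parent's .git folder. The sample .gitmodules content is constructed for the example.

```python
import re

# Constructed sample .gitmodules content (not from any real repository):
# one ordinary submodule and one whose name escapes .git/modules via '..'.
SAMPLE_GITMODULES = """\
[submodule "lib/normal"]
\tpath = lib/normal
\turl = https://example.invalid/normal.git
[submodule "../../evil"]
\tpath = evil
\turl = https://example.invalid/evil.git
"""

# Matches a git-config section header of the form [submodule "name"],
# allowing backslash-escaped characters inside the quoted name.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')


def has_dotdot_component(name: str) -> bool:
    """True if any '/'- or '\\'-separated component of the name is '..'.

    Both separators are checked so the rule is the same on every platform;
    a name like 'a..b' is fine, only a whole '..' component is rejected."""
    return any(part == ".." for part in re.split(r"[\\/]", name))


def submodule_names(gitmodules_text: str) -> list:
    """Extract the submodule names from [submodule "name"] headers."""
    names = []
    for line in gitmodules_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            # Undo git-config escaping of backslashes and quotes in the name.
            names.append(re.sub(r"\\(.)", r"\1", m.group(1)))
    return names


def unsafe_submodule_names(gitmodules_text: str) -> list:
    """Return the names that a fixed git would refuse to use."""
    return [n for n in submodule_names(gitmodules_text)
            if not n or has_dotdot_component(n)]


if __name__ == "__main__":
    for name in unsafe_submodule_names(SAMPLE_GITMODULES):
        print(f"unsafe submodule name: {name!r}")
```

To check a real repository, read its .gitmodules file and pass the text to `unsafe_submodule_names`; an empty result means no submodule name would escape `.git/modules`.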


How do I tell if I am a vulnerable user?

1. Create a temporary directory (mkdir test)
2. Run these commands from the temporary directory:
    ```
    git init test && \
      cd test && \
      git update-index --add --cacheinfo 120000,e69de29bb2d1d6434b8b29ae775ad8c2e48c5391,.gitmodules
    ```

    Note: this will not clone any repositories, nor will it harm your current version of git.
3. If you see the output below, you are not vulnerable and you can stop here:
    ```
    error: Invalid path '.gitmodules'
    fatal: git update-index: --cacheinfo cannot add .gitmodules
    ```
4. If you see nothing, YOU ARE VULNERABLE and should update to the latest version of git.

How do I upgrade to the latest version of git?

-Windows-

On Windows the upgrade is easy: simply grab the newest version of Git for Windows (version 2.17.1) from https://gitforwindows.org/.

-MacOS-

Apple ships Git with Xcode but unfortunately does not update it regularly, even for security vulnerabilities. In that case you'll need to upgrade through Homebrew.

1. Install Homebrew:
    ```
    /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
    ```
2. Install git:
    ```
    brew install git
    ```
3. Put Homebrew's bin directory on your PATH:
    ```
    echo 'export PATH="/usr/local/bin:$PATH"' >> ~/.bashrc
    ```

-Linux-

1. Make sure your distribution's package index is up to date.
    Debian, Ubuntu:
    ```
    sudo apt-get update
    ```
    Red Hat, CentOS:
    ```
    sudo yum update
    ```
2. Install the latest version of git.
    Debian, Ubuntu:
    ```
    sudo apt-get install git
    ```
    Red Hat, CentOS:
    ```
    sudo yum update git
    ```

How do I check my current version of git running on my machine?

```
git --version
```

For an in-depth explanation of the issue and the fixes, see Edward Thomson's blog post: https://www.edwardthomson.com/blog/upgrading_git_for_cve2018_11235.html