Impact
A bug in the function responsible for renaming or deleting existing configuration sections in-place, git_config_copy_or_rename_section_in_file(), can result in improperly treating configuration values as the beginning of new sections when they are over 1,024 characters long.
This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to rename or remove a malicious configuration section. This can result in arbitrary execution of code, by inserting values for core.pager, core.editor, core.sshCommand and so on.
This may be exploited with overly-long submodule URLs, which are stored in a user's $GIT_DIR/config upon initialization. Those URLs may be misinterpreted as containing new configuration material when removing those sections, e.g., with git submodule deinit.
Patches
A fix has been prepared and will appear in v2.30.9, v2.31.8, v2.32.7, v2.33.8, v2.34.8, v2.35.8, v2.36.6, v2.37.7, v2.38.5, v2.39.3 and v2.40.1.
Workarounds
Avoid running git submodule deinit, or git config --rename-section or git config --remove-section on untrusted repositories or without prior inspection of your $GIT_DIR/config.
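One way to do the inspection mentioned above, as an added example that is not part of the advisory or of Git itself: a Python script that reports every physical line of 1,000 bytes or more in $GIT_DIR/config or .gitmodules, together with the section and key it belongs to. The 1,000-byte threshold, the function names and the sample config are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Added example: flag over-long lines in Git config files before editing sections."""
import sys
from pathlib import Path

# The advisory puts the problem at values over 1,024 characters. Flagging from
# 1,000 bytes per physical line is an assumption chosen here to leave a margin.
LIMIT = 1000


def find_long_lines(data: bytes, limit: int = LIMIT):
    """Return (line_no, section, key, length) for every line of >= limit bytes."""
    findings = []
    section = None
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        stripped = line.strip()
        is_header = stripped.startswith(b"[")
        if is_header and len(line) < limit and b"]" in stripped:
            # Remember the enclosing section so a finding names what to inspect.
            section = stripped[: stripped.index(b"]") + 1].decode("utf-8", "replace")
        if len(line) >= limit:
            key = b"" if is_header else stripped.split(b"=", 1)[0].strip()
            findings.append((line_no, section, key.decode("utf-8", "replace")[:60], len(line)))
    return findings


# Constructed sample: a submodule section whose url line is far over the limit.
SAMPLE = (
    b"[core]\n"
    b"\tbare = false\n"
    b'[submodule "lib"]\n'
    b"\turl = https://example.invalid/" + b"a" * 1100 + b"\n"
    b"\tactive = true\n"
)


def main(paths):
    """Print findings for each existing file; return 1 if any were found."""
    status = 0
    for path in paths:
        p = Path(path)
        if not p.is_file():
            continue
        for line_no, section, key, length in find_long_lines(p.read_bytes()):
            print(f"{path}:{line_no}: {length} bytes in {section} key {key!r}")
            status = 1
    return status


if __name__ == "__main__":
    # Default paths assume the current directory is the top of a non-bare work tree.
    sys.exit(main(sys.argv[1:] or [".git/config", ".gitmodules"]))
```

The script exits non-zero when any file has a finding, so it can gate a wrapper that goes on to run git submodule deinit or git config --remove-section.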
Acknowledgements
Credit for finding this vulnerability goes to André Baptista and Vítor Pinho of Ethiack. The fix was developed by Taylor Blau, Jeff King, Patrick Steinhardt, and Johannes Schindelin.