Code execution bug in malicious repositories resolved by Git Project

The critical vulnerability can lead to the execution of code on a vulnerable system.

How GitHub became the de facto automated supply chain for software

The Git Project has disclosed the existence of a severe vulnerability which can lead to the execution of arbitrary code.

The vulnerability, CVE-2018-17456, was disclosed on Friday.

The option-injection attack can be used to compromise the software's submodules. Malicious repositories which are cloned and use a .gitmodules file with a URL field beginning with a '-' character can be used to execute code at the time of processing.

CVE-2018-17456 is similar to CVE-2017-1000117, another option-injection attack which related to the handling of "ssh" URLs in Git software. The latter issue could be used to execute shell commands with the privileges of the user running the Git client when performing a clone action on a malicious repository.

"The command-line git clone tool does not correctly sanitize submodule URLs," the latest vulnerability description reads. "When cloning submodules, for example using git clone --recurse-submodules or git submodule update, the URL of a submodule could be interpreted as a command-line argument to git clone."

The problem was reported on September 23 by security researcher @joernchen.

CNET: Fake news on Twitter is still reaching millions, study finds

The latest version of the software, Git v2.19.1, has been released with a patch designed to resolve the security flaw.

In addition, the Git Project has released backports for versions v2.14.5, v2.15.3, v2.16.5, v2.17.2, and v2.18.1 to eradicate the severe bug in older software.

TechRepublic: How 85% of mobile apps violate security standards

GitHub Desktop users of software versions 1.4.1 and older are also impacted and are asked to update to either 1.4.2 or 1.4.3-beta0, which are now available in the Desktop application.

Atom is also impacted due to older, embedded forms of Git and both the 1.31.2 and 1.32.0-beta3 releases include a fix.

However, nor GitHub Enterprise are not affected.

"As with previously discovered vulnerabilities, will detect malicious repositories, and will reject pushes or API requests attempting to create them," The Git Project says. "Versions of GitHub Enterprise with this detection will ship on October 9th."

See also: Git repository vulnerability leads to remote code execution attacks

Users of the software are encouraged to update their builds as quickly as possible, as well as avoid interacting with submodules from repositories they do not trust.

The Git Project says there are no indications of attacks using the vulnerability in the wild.

In May, a severe remote code execution flaw in Git software source code was patched. The bug, CVE 2018-11235, occurred due to mismanagement of remote repository definitions and data.

Previous and related coverage