Early bird prices are coming to an end soon... ⏰ Grab your tickets before January 17

This article was published on May 30, 2018

Malicious Git repos could see an attacker remotely execute code on your system

If you use Git, it's time to update it. Like, now.


Malicious Git repos could see an attacker remotely execute code on your system

If you use Git, it’s time to update it. Like, now.

The latest version of the popular source management software addresses two frightening bugs, which could see an attacker execute their own arbitrary code on a victim’s computer, should the latter clone a malicious repository.

The first bug has a CVE number of CVE-2018-11235, and was reported by security researcher Etienne Stalmans. This exploits a flaw in Git where sub-module names provided by the .gitmodule file are improperly validated when appended to $GIT_DIR/Modules.

This leaves it open to a pretty standard directory hopping attack. Including “../” in a name could allow an attacker to traverse the file system, and execute post-checkout hooks.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

Hooks, for the uninitiated, are small programs that are executed at specified points when using Git. They essentially allow the user to automate certain tasks, and integrate it within their source-management workflow.

The second vulnerability, CVE-2018-11233, pertains to how Git processes pathnames on NTFS-based systems (Windows, basically). Exploiting this could allow an attacker to read the contents of memory.

This vulnerability affects users across all platforms, but mercifully has been fixed as of Git version 2.13.7. The Git developers have also forward-ported it to 2.14.4, 2.15.2, and 2.16.4.

Microsoft is strongly urging users to update to the latest version of Git for Windows. It’s also proactively blocking the malicious repos from being pushed to Visual Studio Team Services users, and has promised to issue a hotfix for Visual Studio 2017.

Meanwhile, Debian has been updated to include the new fix. If you use the popular Linux distro as your daily driver, you should update it now.

Get the TNW newsletter

Get the most important tech news in your inbox each week.