If you use Git, it’s time to update it. Like, now.
The latest version of the popular source management software addresses two frightening bugs, which could see an attacker execute their own arbitrary code on a victim’s computer, should the latter clone a malicious repository.
The first bug, CVE-2018-11235, was reported by security researcher Etienne Stalmans. It stems from a flaw in Git where submodule names provided by the .gitmodules file are improperly validated when appended to $GIT_DIR/modules.
This leaves it open to a pretty standard directory traversal attack. Including “../” in a name could allow an attacker to traverse the file system, and execute post-checkout hooks.
Hooks, for the uninitiated, are small programs that are executed at specified points when using Git. They essentially allow the user to automate certain tasks, and integrate them into their source-management workflow.
The second vulnerability, CVE-2018-11233, pertains to how Git processes pathnames on NTFS-based systems (Windows, basically). Exploiting this could allow an attacker to read the contents of memory.
This vulnerability affects users across all platforms, but mercifully has been fixed as of Git version 2.13.7. The Git developers have also forward-ported it to 2.14.4, 2.15.2, and 2.16.4.
Microsoft is strongly urging users to update to the latest version of Git for Windows. It’s also proactively blocking the malicious repos from being pushed to Visual Studio Team Services users, and has promised to issue a hotfix for Visual Studio 2017.
Meanwhile, Debian has been updated to include the new fix. If you use the popular Linux distro as your daily driver, you should update it now.