Impact
Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects
directory contains symbolic links (c.f., CVE-2022-39253), the objects
directory itself may still be a symbolic link.
These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.
Patches
A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8.
Workarounds
The most complete workaround is upgrading to the most recent patched version published.
If doing so is impractical, then there are a couple of short-term workarounds.
- Avoid cloning repositories from untrusted sources with
--recurse-submodules
.
- Instead, consider cloning repositories without recursively cloning their submodules, and instead run
git submodule update
at each layer. Before doing so, inspect each new .gitmodules
file to ensure that it does not contain suspicious module URLs.
Credits
Credit for finding the vulnerability goes to yvvdwf.
Impact
Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source
$GIT_DIR/objects
directory contains symbolic links (c.f., CVE-2022-39253), theobjects
directory itself may still be a symbolic link.These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.
Patches
A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8.
Workarounds
The most complete workaround is upgrading to the most recent patched version published.
If doing so is impractical, then there are a couple of short-term workarounds.
--recurse-submodules
.git submodule update
at each layer. Before doing so, inspect each new.gitmodules
file to ensure that it does not contain suspicious module URLs.Credits
Credit for finding the vulnerability goes to yvvdwf.