Impact
A specially crafted repository that contains symbolic links as well as files with backslash characters in the file name may cause Git to overwrite arbitrary files when checking out a repository using Git on Cygwin. In particular, this would allow an attacker to execute arbitrary code as soon as the repository is checked out.
Patches
The problem is patched in the Cygwin Git v2.31.1-2 release.
At the time of writing, the vulnerability is still present in the upstream Git source code; any Cygwin user who compiles Git from upstream sources should manually apply the following patch to mitigate it: https://github.com/cygporter/git/blob/v2.31.1-2/check-backslash-safety.patch
Workarounds
Do not clone or pull from repositories you do not trust until you are running a patched Git on Cygwin.
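The advisory describes the two ingredients of a crafted repository: symbolic links and file names containing backslash characters. One practical pre-checkout check, added here as an example and not part of this advisory or of the Cygwin Git package, is to clone with `--no-checkout`, list the tree with `git ls-tree -r -z`, and refuse to check out if both ingredients are present. The script below assumes the standard `git ls-tree -z` record format (`<mode> <type> <object>\t<path>\0`) and uses a constructed sample listing rather than a real repository; the object IDs in the sample are placeholders (the first is the well-known empty-blob SHA-1), and the file name `link\..\evil.sh` is an illustration of a backslash-bearing path, not a reproduction from the reporter.

```python
"""Added example (not from the advisory): flag tree entries that combine
symlinks with backslash-bearing file names before running `git checkout`.

Intended workflow on Cygwin:
    git clone --no-checkout <url> repo
    python scan.py repo        # refuse to proceed if risky
    git -C repo checkout
"""
import subprocess
from typing import Dict, List

# Git tree-entry mode for a symbolic link.
SYMLINK_MODE = "120000"


def parse_ls_tree_z(data: bytes) -> List[Dict[str, str]]:
    """Parse the NUL-terminated output of `git ls-tree -r -z <rev>`.

    Each record is "<mode> <type> <object>\\t<path>" followed by NUL. With -z
    git does not C-quote unusual path bytes, so backslashes arrive verbatim.
    """
    entries = []
    for rec in data.split(b"\0"):
        if not rec:
            continue
        meta, _, raw_path = rec.partition(b"\t")
        mode, typ, obj = meta.decode("ascii").split(" ")
        # surrogateescape keeps arbitrary non-UTF-8 path bytes round-trippable.
        path = raw_path.decode("utf-8", "surrogateescape")
        entries.append({"mode": mode, "type": typ, "object": obj, "path": path})
    return entries


def find_suspicious(entries: List[Dict[str, str]]) -> Dict[str, object]:
    """Report symlinks, backslash-bearing paths, and whether both co-occur."""
    symlinks = [e["path"] for e in entries if e["mode"] == SYMLINK_MODE]
    backslash_paths = [e["path"] for e in entries if "\\" in e["path"]]
    return {
        "symlinks": symlinks,
        "backslash_paths": backslash_paths,
        # The advisory's precondition is the combination of the two.
        "risky": bool(symlinks) and bool(backslash_paths),
    }


def scan_repo(repo_dir: str, rev: str = "HEAD") -> Dict[str, object]:
    """Run `git ls-tree -r -z <rev>` in repo_dir and analyse the result."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "ls-tree", "-r", "-z", rev],
        check=True, capture_output=True,
    ).stdout
    return find_suspicious(parse_ls_tree_z(out))


# Constructed sample listing (hypothetical; not taken from a real repository).
EMPTY_BLOB = "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"
FAKE_OID_A = "a" * 40
FAKE_OID_B = "b" * 40
SAMPLE_LS_TREE = (
    b"100644 blob " + EMPTY_BLOB.encode() + b"\tREADME.md\0"
    + b"120000 blob " + FAKE_OID_A.encode() + b"\tlink\0"
    + b"100644 blob " + FAKE_OID_B.encode() + b"\tlink\\..\\evil.sh\0"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report = scan_repo(sys.argv[1])
    else:
        report = find_suspicious(parse_ls_tree_z(SAMPLE_LS_TREE))
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(1 if report["risky"] else 0)
```

Run with a repository path to scan it, or with no arguments to scan the constructed sample; a non-zero exit status means the tree contains both a symlink and a backslash-bearing path and should not be checked out with an unpatched Git on Cygwin. This is a coarse filter: it will also reject legitimate repositories that happen to contain a backslash in a file name, which is the conservative choice for an untrusted source.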
References
For more information
If you have any questions or comments about this advisory:
- For public questions specifically relating to Git on Cygwin, contact the Cygwin mailing list (details at http://cygwin.com/ml)
- For public questions relating to Git in general, contact the Git mailing list (details at https://git-scm.com/community)
- To disclose further vulnerabilities privately, contact the Git-security list by emailing [email protected]
Credit
I'd like to thank @Ry0taK for finding and reporting this vulnerability, and @dscho for advice with handling it.