Impact
To support Services for Macintosh (and the concept of "resource forks"), NTFS introduced "Alternate Data Streams". A stream stores additional content that is closely associated with a file or directory, and it is addressed by appending a colon to the name: `<file-name>:<stream-name>`, optionally followed by `:<stream-type>` such as `$DATA`.
The unnamed `$DATA` stream holds the file's actual contents, so reading `README::$DATA` is equivalent to reading `README`. Likewise, a directory's contents live in its `$INDEX_ALLOCATION` stream, so `.git::$INDEX_ALLOCATION/config` refers to the same file as `.git/config`.
In other words, this is an attack vector very similar to using NTFS short names to refer to files and directories via synonymous names (if short names are active, which they are on the system drive by default, then `git~1` is the same as `.git`).
The short name attacks were prevented as of Git 1.8.5.6 and the versions released simultaneously with it, but in affected Git versions `core.protectNTFS` does not protect against the corresponding NTFS Alternate Data Streams synonyms: a tracked path such as `.git::$INDEX_ALLOCATION/config` is not rejected the way `git~1/config` is.
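The following is an added illustration, not code from the Git project or from this advisory: a path-component check written in the spirit of Git's hardened `is_ntfs_dotgit()` logic, placed beside a naive check that only knows about short names and trailing dots/spaces. The names `ntfs_canonical`, `naive_is_dotgit`, `is_ntfs_dotgit`, `is_ntfs_dotgitmodules`, `rejected_paths` and the sample tree are all assumptions made for the example; it also assumes that NTFS ignores everything from the first `:` of a component, silently strips trailing spaces and periods, compares names case-insensitively, and that `git~1` / `gitmod~1` are the default short names of `.git` / `.gitmodules`.

```python
import re

# Added example (not Git's own code). Assumptions, as stated in the lead-in:
# NTFS drops everything from the first ':' of a component (stream name / type),
# strips trailing spaces and periods, is case-insensitive, and `git~1` and
# `gitmod~1` are the default 8.3 short names for `.git` and `.gitmodules`.

SEPARATORS = re.compile(r"[/\\]")  # Windows accepts both separators


def ntfs_canonical(component: str) -> str:
    """Approximate the name NTFS would actually open for one path component."""
    base = component.split(":", 1)[0]  # '.git::$INDEX_ALLOCATION' -> '.git'
    return base.rstrip(" .").lower()   # '.git . ' -> '.git'


def naive_is_dotgit(component: str) -> bool:
    """Pre-fix style check: handles short names and trailing dots/spaces,
    but never looks for ':' and therefore lets ADS synonyms through."""
    return component.rstrip(" .").lower() in (".git", "git~1")


def is_ntfs_dotgit(component: str) -> bool:
    """Hardened check: cut the component at ':' before comparing."""
    return ntfs_canonical(component) in (".git", "git~1")


def is_ntfs_dotgitmodules(component: str) -> bool:
    """Same idea for .gitmodules (assumed short name gitmod~1, no collisions)."""
    return ntfs_canonical(component) in (".gitmodules", "gitmod~1")


def rejected_paths(paths, check=is_ntfs_dotgit):
    """Return the tracked paths that contain a component aliasing .git under `check`."""
    bad = []
    for path in paths:
        components = [c for c in SEPARATORS.split(path) if c]
        if any(check(c) for c in components):
            bad.append(path)
    return bad


# Constructed sample of tree entries a malicious repository might carry.
SAMPLE_TREE = [
    "README",
    "src/main.c",
    ".github/workflows/ci.yml",                      # looks similar, is harmless
    "GIT~1/config",                                  # short-name synonym (already caught)
    ".git . /config",                                # trailing dot/space synonym (already caught)
    ".git::$INDEX_ALLOCATION/hooks/post-checkout",   # ADS synonym: the case discussed above
    "sub\\.git:anything/config",                     # any stream name works, backslashes too
    ".gitmodules::$DATA",
]

if __name__ == "__main__":
    for name, check in (("naive", naive_is_dotgit), ("hardened", is_ntfs_dotgit)):
        print(name, rejected_paths(SAMPLE_TREE, check))
```

Running it shows the naive check rejecting only the two short-name and trailing-dot entries, while the hardened check additionally rejects both Alternate Data Stream spellings of `.git`; `.gitmodules::$DATA` is only caught when the same canonicalisation is applied to `.gitmodules` as well.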
This is an issue on Windows, where Alternate Data Streams cannot be turned off on NTFS-formatted drives; in conjunction with CVE-2019-1353 it also affects Git on macOS when working on `smb://`-mounted network shares.
In default configurations, Git on Linux does not appear to be affected: neither when working on NTFS mounts or CIFS-mounted network shares, nor even when running inside the Windows Subsystem for Linux and working on Windows drives directly.
Patches
The problem has been patched in the versions published on Tuesday, December 10th, 2019.
On Windows, it is recommended to upgrade to Git for Windows v2.24.1(2).
Workarounds
Avoid cloning untrusted repositories.
References
`.git` against NTFS Alternate Streams Accesses, and commit 91bd465: path: also guard `.gitmodules` against NTFS Alternate Data Streams