Git mishandles the default NTFS Alternate Data Streams

High
dscho published GHSA-5wph-8frv-58vj Dec 13, 2019

Package

Git

Affected versions

<=2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, 2.19.2, 2.20.1, 2.21.0, 2.22.1, 2.23.0, 2.24.0

Patched versions

2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4, 2.14.6

Description

Impact

To support Services for Macintosh (and the concept of "resource forks"), NTFS introduced "Alternate Data Streams". These streams can store additional file content that is closely associated with the original file, and they are accessed via <original-file-name>:<attribute-name>.

There is a default attribute name for the actual file's contents: reading README::$DATA is equivalent to reading README. Likewise, there is a default attribute name for directories: .git::$INDEX_ALLOCATION/config refers to the same file as .git/config.

In other words, there is an attack vector very similar to using NTFS short names to refer to files and directories via synonymous names (if short names are active, which they are on the system drive by default, then git~1 is the same as .git).

While the short name attacks were prevented as part of Git 1.8.5.6 and the versions that were released simultaneously with it, in affected Git versions core.protectNTFS does not protect against those NTFS Alternate Data Streams attacks.

This is an issue on Windows, where Alternate Data Streams cannot be turned off on NTFS-formatted drives, and in conjunction with CVE-2019-1353 it also affects Git on macOS when working on smb://-mounted network shares.

It appears that in its default configuration, Git on Linux is not affected: neither when working on NTFS mounts or CIFS-mounted network shares, nor even when running inside the Windows Subsystem for Linux and working on Windows drives directly.
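
The synonyms described above can be checked for in a list of tree paths (for instance the output of git ls-tree -r --name-only) before an untrusted repository is checked out on NTFS. This is an added example, not code from the advisory or from Git; the function names and sample paths are constructed, and the trailing dot/space handling is an assumption that goes beyond the advisory text.

```python
import re

# Names that NTFS can resolve to the .git directory, per the advisory:
# the directory itself and its default 8.3 short name.
DOTGIT_ALIASES = {".git", "git~1"}


def base_name(component):
    """Reduce one path component to the name NTFS would look up."""
    # Everything from the first ':' on is a stream specifier
    # (e.g. '::$INDEX_ALLOCATION'), not part of the file name.
    name = component.split(":", 1)[0]
    # Assumption (not stated in the advisory): Win32 path handling
    # also ignores trailing dots and spaces in a component.
    name = name.rstrip(". ")
    # NTFS lookups are case-insensitive by default.
    return name.lower()


def dotgit_alias(path):
    """Return the first component of `path` that aliases .git, else None."""
    for component in re.split(r"[\\/]", path):
        if base_name(component) in DOTGIT_ALIASES:
            return component
    return None


def audit(paths):
    """Return (path, offending component) for every suspicious path."""
    hits = []
    for path in paths:
        component = dotgit_alias(path)
        if component is not None:
            hits.append((path, component))
    return hits


# Constructed sample input, as it might appear in a tree listing.
SAMPLE_PATHS = [
    "README.md",
    "README::$DATA",                     # default stream of a file: harmless
    ".git::$INDEX_ALLOCATION/config",    # synonym for .git/config
    "vendor/GIT~1/hooks/post-checkout",  # short-name synonym
    "docs/.gitignore",
    "sub/.git. /config",
]

if __name__ == "__main__":
    for path, component in audit(SAMPLE_PATHS):
        print(f"suspicious: {path!r} (component {component!r})")
```

A hit means the path should not be written to an NTFS or SMB-backed working tree by an unpatched Git; upgrading to a patched version remains the fix.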

Patches

The problem has been patched in the versions published on Tuesday, December 10th, 2019.

On Windows, it is recommended to upgrade to Git for Windows v2.24.1(2).

Workarounds

Avoid cloning untrusted repositories.

Severity

High

CVE ID

CVE-2019-1352

Weaknesses

No CWEs