A recursive clone could cause `git submodule update` to run arbitrary payload

Low
dscho published GHSA-cj5c-9839-g2ch Dec 13, 2019

Package

Git

Affected versions

2.20.0, 2.20.1, 2.21.0, 2.22.0, 2.22.1, 2.23.0, 2.24.0

Patched versions

2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2

Description

Impact

A recursive clone (`git clone --recurse-submodules`) of a repository containing submodules deliberately does not copy a `submodule.<name>.update = !<command>` setting from the `.gitmodules` file into the repository's config. A subsequent `git submodule update`, however, would still read that setting from `.gitmodules` and honor it, running `<command>`. This allows an attacker who controls a repository to execute arbitrary commands on the victim's machine during `git submodule update`, including commands that were delivered as part of the clone itself and that the user may not have inspected yet.

There is a theoretical time window between the clone and the `git submodule update` command during which users could inspect the `.gitmodules` file (an `update` value that begins with `!` designates a command to run rather than one of the usual modes such as `checkout`, `rebase` or `merge`) and catch the attack before it causes harm.

Patches

Git versions before v2.20.0 are not affected, but existing clones that were initialized with, e.g., v2.19.2 would still be vulnerable once a user upgrades to an affected version (e.g., v2.24.0) and then runs `git submodule update`.

The problem has been patched in the versions published on Tuesday, December 10th, 2019.

On Windows, it is recommended to upgrade to Git for Windows v2.24.1(2).

Workarounds

Avoid running `git clone --recurse-submodules` and `git submodule update` with untrusted repositories. Before running `git submodule update` in a clone you do not fully trust, inspect `.gitmodules` (and, for a clone made with an older Git, `.git/config`) for any `submodule.<name>.update` value that starts with `!`.
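The inspection step described above, as an added example that is not part of the advisory or of Git itself: a POSIX shell function that scans a Git config-style file (`.gitmodules`, or the `.git/config` of a clone made with an older Git) for `submodule.<name>.update` values beginning with `!`, and a constructed sample `.gitmodules` to run it against. The submodule names, URLs and the echoed command in the sample are all made up; the `!`-prefixed value is what matters.

```shell
#!/bin/sh
# Added example (not from the advisory or from Git): audit a Git config-style
# file for submodule.<name>.update values that start with '!', i.e. a shell
# command that `git submodule update` would run.  Uses awk only, so it can be
# run in a fresh clone before any submodule command is executed.

# Usage: audit_submodule_update <file>
# Prints "<submodule name><TAB><update value>" for every command-style entry.
# Returns 1 if at least one was found, 0 if the file is clean.
audit_submodule_update() {
    awk '
        # [submodule "name"] opens a submodule section; remember the quoted name
        /^[[:space:]]*\[submodule[[:space:]]+"/ {
            name = $0
            sub(/^[^"]*"/, "", name)   # drop everything up to the opening quote
            sub(/".*$/, "", name)      # drop the closing quote and the rest
            next
        }
        # any other section header ends the current submodule section
        /^[[:space:]]*\[/ { name = ""; next }
        # update = <value>, only meaningful inside a submodule section
        name != "" && /^[[:space:]]*update[[:space:]]*=/ {
            value = $0
            sub(/^[^=]*=[[:space:]]*/, "", value)   # keep the text after "="
            if (value ~ /^!/) {
                printf "%s\t%s\n", name, value
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample .gitmodules (hypothetical names and URLs): one ordinary
# submodule and one carrying a command-style update setting.  The command is
# harmless; the point is the leading '!'.
write_sample_gitmodules() {
    cat > "$1" <<'EOF'
[submodule "lib/good"]
	path = lib/good
	url = https://example.invalid/good.git
	update = checkout
[submodule "lib/evil"]
	path = lib/evil
	url = https://example.invalid/evil.git
	update = !echo "this would run during git submodule update"
EOF
}

# Stand-alone demo (run as: sh audit.sh --demo): audit the sample and refuse
# to proceed if anything is flagged.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_gitmodules "$tmp"
    if audit_submodule_update "$tmp"; then
        echo "no command-style update settings; safe to run: git submodule update"
    else
        echo "refusing to run git submodule update" >&2
    fi
    rm -f "$tmp"
fi
```

The awk parser handles the plain `[submodule "name"]` / `key = value` layout that Git writes, not every corner of Git's config syntax (quoted or escaped values, `include` directives), so once Git is available the authoritative check is Git's own reader, e.g. `git config -f .gitmodules --get-regexp '^submodule\..*\.update$'`, and the same command against `.git/config` for a clone initialized by an older Git version. Either way, treat any value that starts with `!` as a reason not to run `git submodule update` on that clone.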

Severity

Low

CVE ID

CVE-2019-19604

Weaknesses

No CWEs