Impact

A recursive clone of a Git repository containing submodules would be careful not to carry over any submodule.<name>.update = !<command> setting from the .gitmodules file into the repository config, but a subsequent git submodule update would then heed it. This would allow attackers to execute arbitrary commands during a git submodule update, even commands that have been delivered as part of the clone and that might not have been inspected yet.

There is a theoretical time window between the clone and the git submodule update command during which users could inspect the .gitmodules file and catch the attack before it causes harm.
Patches

Git versions before v2.20.0 would not be affected, but existing clones that were initialized with e.g. v2.19.2 would still be vulnerable once a user upgrades to an affected version (e.g. v2.24.0) and then runs git submodule update.
The problem has been patched in the versions published on Tuesday, December 10th, 2019.
On Windows, it is recommended to upgrade to Git for Windows v2.24.1(2).
Workarounds

Avoid running git clone --recurse-submodules and git submodule update with untrusted repositories.
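The inspection the Impact section leaves to the user during the window between clone and git submodule update, and the Workarounds advice above, as an added example that is not part of the advisory or of Git itself: it parses .gitmodules with awk (no git binary needed), flags every submodule.<name>.update value that starts with "!", and assumes a POSIX sh with mktemp; the sample .gitmodules it scans is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: inspect .gitmodules for
# submodule.<name>.update values starting with "!" (a shell command,
# the vector described above) before running `git submodule update`.

# unsafe_update_settings FILE: prints "<name> <value>" for each submodule
# whose update value begins with "!". Plain awk parse of the INI-style
# .gitmodules format, so it needs no git binary and works on any clone.
unsafe_update_settings() {
    awk '
        /^[ \t]*\[submodule "/ {              # enter a [submodule "<name>"] section
            name = $0
            sub(/^[ \t]*\[submodule "/, "", name)
            sub(/"[ \t]*\].*$/, "", name)
            next
        }
        /^[ \t]*\[/ { name = ""; next }       # any other section ends it
        name != "" && /^[ \t]*update[ \t]*=/ {
            value = $0
            sub(/^[ \t]*update[ \t]*=[ \t]*/, "", value)
            if (value ~ /^!/) print name, value
        }
    ' "$1"
}

# safe_to_update FILE: exit 0 if no "!" update setting is present, 1 otherwise
safe_to_update() {
    [ -z "$(unsafe_update_settings "$1")" ]
}
# Constructed sample .gitmodules (not from any real repository) for demonstration.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
[submodule "lib/good"]
	path = lib/good
	url = https://example.invalid/good.git
	update = rebase
[submodule "lib/bad"]
	path = lib/bad
	url = https://example.invalid/bad.git
	update = !echo placeholder-command
EOF

if safe_to_update "$SAMPLE"; then
    echo "no shell-command update settings found; git submodule update may proceed"
else
    echo "refusing to run git submodule update; offending settings:"
    unsafe_update_settings "$SAMPLE" | sed 's/^/  /'
fi
rm -f "$SAMPLE"
```

Run it from the top of a fresh clone against its .gitmodules before the first git submodule update; a non-zero status from safe_to_update means a submodule update setting would hand control to a shell command shipped with the clone.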
References