Impact
A bug in the function responsible for renaming or deleting existing configuration sections in-place, git_config_copy_or_rename_section_in_file(), can result in improperly treating configuration values as the beginning of new sections when they are over 1,024 characters long.
This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to rename or remove a malicious configuration section. This can result in arbitrary execution of code, by inserting values for core.pager, core.editor, core.sshCommand and so on.
This may be exploited with overly-long submodule URLs, which are stored in a user's $GIT_DIR/config upon initialization. Those URLs may be misinterpreted as containing new configuration material when removing those sections, e.g., with git submodule deinit.
Patches
A fix has been prepared and will appear in v2.30.9, v2.31.8, v2.32.7, v2.33.8, v2.34.8, v2.35.8, v2.36.6, v2.37.7, v2.38.5, v2.39.3 and v2.40.1.
Workarounds
Avoid running git submodule deinit, git config --rename-section, or git config --remove-section on untrusted repositories, or without first inspecting your $GIT_DIR/config.
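One way to do that inspection, as an added example (not part of the advisory or of Git itself): a Python script that reports every over-long physical line in a config file, with the section it sits in. The names scan_config and sample_config, the sample data, and the choice to flag at 1,024 bytes or more are assumptions of this example.

```python
import re
import sys

# 1,024 is the figure the advisory gives; flagging at >= LIMIT is a
# conservative choice made for this example.
LIMIT = 1024
SECTION_RE = re.compile(rb'^\s*\[\s*([^\]\s"]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')


def scan_config(data: bytes, limit: int = LIMIT) -> list:
    """Report over-long physical lines in git-config text and their section."""
    findings = []
    section = None
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).decode("utf-8", "replace")
            if m.group(2) is not None:
                section += ' "%s"' % m.group(2).decode("utf-8", "replace")
        if len(line) < limit:
            continue
        key, _, value = line.partition(b"=")
        findings.append({
            "line": lineno,
            "section": section,
            "key": key.strip().decode("utf-8", "replace")[:40],
            "length": len(line),
            # Heuristic: '[' is the character a section header starts with.
            "has_bracket": b"[" in value,
        })
    return findings


def sample_config() -> bytes:
    """Constructed sample: one submodule URL padded past the limit."""
    long_url = b"https://example.invalid/" + b"a" * 1100
    return (b"[core]\n\tbare = false\n"
            b'[submodule "vendor/lib"]\n\tactive = true\n\turl = ' + long_url + b"\n"
            b'[submodule "docs"]\n\turl = https://example.invalid/docs.git\n')


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_config()
    hits = scan_config(data)
    for h in hits:
        print("line %(line)d [%(section)s] %(key)s: %(length)d bytes, "
              "'[' in value: %(has_bracket)s" % h)
    sys.exit(1 if hits else 0)
```

Run it with the path to $GIT_DIR/config as the only argument; a non-zero exit status means at least one line needs a manual look before any section is renamed or removed.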
Acknowledgements
Credit for finding this vulnerability goes to André Baptista and Vítor Pinho of Ethiack. The fix was developed by Taylor Blau, Jeff King, Patrick Steinhardt, and Johannes Schindelin.