Impact
Every Git submodule has a URL, a path, and a name. The name does not change even if the submodule's path changes. These triplets are defined via the .gitmodules file.
The submodule name is used to construct the path of the "gitdir" inside the super-project's gitdir. Example: the gitdir of a submodule with the name lib/common will be .git/modules/lib/common.
Affected Git versions allow submodules' names to be nested. This allows attackers to craft submodules where the gitdir is redirected to a directory that is part of the recursive checkout.
The only known remote code execution exploit allows only for very targeted attacks, as user.name/user.email of the target have to be known, as well as the rough time window when the repositories will be cloned recursively, and the web server from which at least one of the submodules is cloned has to be under the control of the attacker.
As this exploit requires colons to be valid file name characters, this vulnerability appears to affect only non-Windows platforms.
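The nesting condition described above can be checked in a repository's .gitmodules before any recursive operation is run on it. The following Python is an added example, not part of the original advisory or of Git's own code; the function names and the sample .gitmodules content are constructed for illustration.

```python
import re

# Matches a section header such as: [submodule "lib/common"]
_HEADER = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\s*\]', re.IGNORECASE)


def submodule_names(gitmodules_text):
    """Return the submodule names declared in .gitmodules content, in order."""
    names = []
    for line in gitmodules_text.splitlines():
        m = _HEADER.match(line)
        if m:
            # Git config escapes '"' and '\' inside quoted subsection names.
            names.append(re.sub(r'\\(.)', r'\1', m.group(1)))
    return names


def nested_name_pairs(names):
    """Return (outer, inner) pairs where inner's gitdir would sit inside outer's.

    A submodule named N gets its gitdir at .git/modules/N, so a name that
    extends another name by further path components is nested inside it.
    """
    pairs = []
    for outer in names:
        prefix = outer.rstrip("/") + "/"
        for inner in names:
            if inner != outer and inner.startswith(prefix):
                pairs.append((outer, inner))
    return sorted(pairs)


# Constructed sample input, not taken from any real repository.
SAMPLE = '''\
[submodule "lib"]
	path = vendor/lib
	url = https://example.invalid/lib.git
[submodule "lib/common"]
	path = vendor/common
	url = https://example.invalid/common.git
[submodule "docs"]
	path = docs
	url = https://example.invalid/docs.git
'''

if __name__ == "__main__":
    for outer, inner in nested_name_pairs(submodule_names(SAMPLE)):
        print(f"nested submodule names: {inner!r} is inside {outer!r}")
```

The check compares names only as path prefixes, so a name such as library is not reported as nested inside lib.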
Patches
The problem has been patched in the versions published on Tuesday, December 10th, 2019.
Workarounds
Avoid running git clone --recurse-submodules and git submodule update with untrusted repositories.