git update eliminates five partially critical vulnerabilities in the clients

With version 2.45.1, git eliminates five security vulnerabilities in the clients and introduces far-reaching protection mechanisms. All operating systems are at risk: Windows, macOS, Linux distributions or BSDs. The vulnerabilities concern the cloning of repositories; one is classified as critical and two as high. Consequently, the git team advises to update immediately and, "if you cannot update immediately, please be careful where you clone repositories from."

Following a number of recent attacks on repository services, git is now releasing a security update that does not affect the service, but the clients. Users should update both the standalone programs and the plugins in the development environments. Visual Studio updates automatically, while users of VS Code have to install the new git version in the terminal themselves:

git update-git-for-windows

The fixed vulnerabilities in detail:

• CVE-2024-32002 (critical; Windows and macOS): Malicious repos with submodules can use git clients to store data in the .git/ folder instead of the associated working directory during cloning. This is achieved via manipulated symbolic links. The attacker can execute hooks (automatically starting scripts) there while git is running.
• CVE-2024-32004 (high; multi-user computer): An attacker can model a local repository as a supposedly partial clone without an object, which can execute arbitrary code with the cloner's rights during cloning.
• CVE-2024-32465 (high; all configurations): Cloning repos from zip files bypasses protections, allowing attackers to inject insecure hooks.
• CVE-2024-32020 (low; multi-user machines): Untrusted users can modify hard links in the object database of the cloned repo on the same disk.
• CVE-2024-32021 (low; multi-user machine): Attackers can abuse git to create hard links in the objects/ directory when cloning a local repo with symbolic links. The attackers then write files beyond git to the file system.

New security concept: Defense-in-Depth

In addition to fixing specific vulnerabilities, git is introducing new security mechanisms to counter threats such as those described. Better handling of symbolic links during cloning should prevent git from writing files in the wrong place. Hooks are now checked more closely to stop unauthorized code. The hook configuration of the git template directory is now protected against accidental or malicious changes. In addition, git now warns against symbolic links to the .git/ directory. Particularly suspicious users can pretend that git treats these warnings as errors.

Another note from the git team: The new defense-in-depth protection causes an error when cloning large file storage repos. The git lfs pull switch in the new clone provides a remedy.

(who)