Five Git vulnerabilities, with one critical and two classified as dangerous

Corrective releases of the distributed source control system Git have been published: 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 and 2.39.4, which fix five vulnerabilities. The most serious vulnerability (CVE-2024-32002), which is assigned a critical level of danger, allows an attacker's code to be executed when a repository controlled by the attacker is cloned with the “git clone” command.

The vulnerability only occurs on file systems that are case-insensitive and support symbolic links, such as those used by default in Windows and macOS. Exploitation is carried out by creating a directory and a symbolic link in the submodule that differ only in the case of characters, which allows files to be written to the .git/ directory instead of the working directory of the submodule. By gaining the ability to write to .git/, an attacker can override hook calls via .git/hooks and cause arbitrary code to be executed during a “git clone” operation.
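A defensive check for the pattern described above, as an added example that is not part of the original article or of Git itself: it reads a listing in the format printed by `git ls-tree -r` and reports symbolic links whose path differs only in case from a directory in the same tree. The function names and the sample listing are constructed for illustration, and Python's `casefold()` is assumed to be a close enough stand-in for the file system's case-insensitive comparison.

```python
# Added example (not Git's own code): find symlink/directory pairs in a tree
# listing whose paths differ only in letter case.
SYMLINK_MODE = "120000"  # mode Git records for a symbolic link entry

def parse_ls_tree(text):
    """Yield (mode, path) from `git ls-tree -r` lines: '<mode> <type> <id>\\t<path>'."""
    for line in text.splitlines():
        if "\t" not in line:
            continue  # skip blank or malformed lines
        meta, path = line.split("\t", 1)
        fields = meta.split()
        if fields:
            yield fields[0], path

def case_colliding_symlinks(text):
    """Return sorted (symlink, directory) pairs that are equal after case folding."""
    symlinks, directories = {}, {}  # folded path -> set of original spellings
    for mode, path in parse_ls_tree(text):
        if mode == SYMLINK_MODE:
            symlinks.setdefault(path.casefold(), set()).add(path)
        parts = path.split("/")
        for i in range(1, len(parts)):  # every parent of the entry is a directory
            directory = "/".join(parts[:i])
            directories.setdefault(directory.casefold(), set()).add(directory)
    return sorted((link, directory)
                  for folded, links in symlinks.items()
                  for directory in directories.get(folded, ())
                  for link in links)

# Constructed listing; the object ids are placeholders, not real hashes.
SAMPLE = "\n".join([
    "100644 blob " + "1" * 40 + "\tREADME.md",
    "120000 blob " + "2" * 40 + "\ta",
    "100644 blob " + "3" * 40 + "\tA/nested/file.txt",
    "120000 blob " + "4" * 40 + "\tdocs/latest",
    "120000 blob " + "5" * 40 + "\tsrc/Lib",
    "100644 blob " + "6" * 40 + "\tsrc/lib/util.c",
])

if __name__ == "__main__":
    for link, directory in case_colliding_symlinks(SAMPLE):
        print(f"symlink {link!r} collides with directory {directory!r}")
```

The listing has to be taken from the object database (for example from a bare mirror), since checking the tree out on an affected file system is the step being guarded against.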


Other vulnerabilities:

  • CVE-2024-32004 – an attacker in a multi-user system can prepare a specially crafted local repository and achieve code execution when it is cloned. In particular, an attacker could create a local repository that appears to be a partial clone that is missing a specific object. Cloning this repository will cause code to be executed with the rights of the user performing the cloning operation.
  • CVE-2024-32465 – cloning from zip archives containing a complete git repository, including hooks in the .git/ directory, will cause those hooks to be executed.
  • CVE-2024-32020 – creating local clones of a repository on the same disk in a multi-user system allows other users to change the files for which hard links are used.
  • CVE-2024-32021 – cloning a local repository with symbolic links can be used to create hard links to arbitrary files in the objects/ directory.

In addition to fixing the vulnerabilities, the new versions also introduce several changes aimed at improving protection against vulnerabilities that lead to remote code execution and manipulation of symbolic links during cloning. For example, git now issues a warning when there are symlinks in the .git/ directory. Paths to submodules can now only contain real directories. When symbolic links and directories intersect, the directories are processed. Protection against executing hooks during “git clone” has been added, and checks for the core.hooksPath parameter have been strengthened.
