Upgrade to Git 2.19.1 to avoid a Git submodule vulnerability that causes arbitrary code execution

2 min read

Last week, the Git Project revealed a vulnerability, CVE-2018-17456, which can cause arbitrary code to be executed when a user clones a malicious repository.

The new Git v2.19.1 has been released with a fix to this vulnerability. Also, backports in v2.14.5, v2.15.3, v2.16.5, v2.17.2, and v2.18.1 have been added. Users have been advised to update their clients in order to protect themselves.

For those who have not yet updated, they can protect by simply avoiding submodules from untrusted repositories. This includes commands such as git clone –recurse-submodules and git submodule update.

The community, in their post, mentions that neither GitHub.com nor GitHub Enterprise is directly affected by the vulnerability. However, as with previously discovered vulnerabilities, GitHub.com will detect malicious repositories and will reject pushes or API requests attempting to create them. Versions of GitHub Enterprise with this detection will be shipped on October 9th.

About the CVE-2018-17456 vulnerability

This vulnerability is similar to CVE-2017-1000117, as both are option-injection attacks related to submodules. In the previous attack, a malicious repository would ship a .gitmodules file pointing one of its submodules to a remote repository with an SSH host starting with a dash (-). The ssh program—spawned by Git—would then interpret that as an option. The new attack works in a similar way, except that the option-injection is against the child git clone itself.

Learning from the previous attack, the researchers have audited all of the .gitmodules values and implemented stricter checks as appropriate. These checks should prevent a similar vulnerability in another code path. They also implemented detection of potentially malicious submodules as part of Git’s object quality checks, which was made much easier by the infrastructure added during the last submodule-related vulnerability.

Products affected by the CVE-2018-17456 vulnerability

GitHub Desktop

GitHub Desktop versions 1.4.1 and older included an embedded version of Git that was affected by this vulnerability. All GitHub Desktop users are encouraged to update to the newest version (1.4.2 and 1.4.3-beta0) available today in the Desktop app.

Atom

Atom included the same embedded Git and was also affected. Releases 1.31.2 and 1.32.0-beta3 include the patch.

Users should ensure they have the latest Atom release by completing any of the following:

Windows: From the toolbar, click “Help” -> “Check for updates”
MacOS: From the menu bar, click “Atom” -> “Check for Update”
Linux: Update manually by downloading the latest release from atom.io

Git on the command line and other clients

In order to be protected from the vulnerability, users must update their command-line version of Git and any other application that may include an embedded version of Git, as they are independent of each other.