Security vulnerabilities in the version control system 'Git', what should be done by Git for Windows users and multi-user environment users?

It has been pointed out that there is a security vulnerability in '

Git ', a distributed version control system for recording and tracking change history of program source code. The latest version of Git 2.35.2 has already been released to address this vulnerability, and Git upgrades are recommended for Git for Windows users and users using Git in a multi-user environment. ..

Git for Windows' uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account · Advisory · git-for-windows / git · GitHub

Git security vulnerability announced | The GitHub Blog

One of the vulnerabilities in question is ' CVE-2022-24765 ', which allows a malicious attacker to create a '.git directory' in a shared space on the working directory. For example, if an attacker puts a file called 'config' in a directory called 'C: \ .git', it would be possible to have all Git command calls that occur outside the repository read that setting. Some configuration variables, such as 'core.fsmonitor', allow Git to execute arbitrary commands, so it is possible to exploit the vulnerability to execute arbitrary commands.

GitHub, the most prominent service that uses Git, is not affected by this vulnerability. However, Git for Windows users and users using Git in a multi-user environment will be affected, so it is recommended to upgrade Git to the latest version, Git 2.35.2. Git 2.35.2 addresses the vulnerability by changing the behavior of Git when looking for a top-level directory that stops when directory traversal changes ownership from the current user, with an exception to this behavior. There is also a new multi-value ' ' for.

It also shows you the most effective ways to mitigate risk for users who can't upgrade Git right away. The method is as follows.

-Define the environment variable '

GIT_CEILING_DIRECTORIES ' to include the parent directory of the user profile ('/ Users' for macOS, '/ home' for Linux, 'C: \ Users' for Windows)
· Don't run Git in a multi-user environment if your working directory isn't in a trusted repository

Also, tools such as Git Bash, posh-git, and Visual Studio's Git for Windows have been pointed out to be careful about running Git commands internally, and in multi-user environments use these tools until you upgrade to the latest version. It is recommended to avoid.

Another problematic vulnerability is ' CVE-2022-24767 ', which affects the uninstaller of Git for Windows running in the user's temporary directory. The uninstaller of Git for Windows is executed after being copied to a temporary folder, but since this temporary folder is writable by anyone by default, by placing a malicious file here, when the uninstaller is executed It may read a malicious file.

The most effective way to protect your machine from this vulnerability is to upgrade Git for Windows to version 2.35.2 . If you cannot upgrade immediately, we recommend that you mitigate your risk in the following ways:

· Don't run the Git for Windows uninstaller until you upgrade
-Changed user account permissions so that only users can write
-Delete unknown files before running the uninstaller
-Run the uninstaller as an administrator account, not as a user account

in Software,   Security, Posted by logu_ii