Tech Support
Documentation
Login
Contact Us
Exploring Git Vulnerabilities: Latest Fixes and Updates
Rohan Timalsina
June 12, 2024 - TuxCare expert team
Multiple security issues were found in Git, a popular distributed version control system. The Ubuntu security team has proactively addressed Git vulnerabilities by releasing updates for various versions of the Ubuntu operating system, including Ubuntu 24.04 LTS, Ubuntu 23.10, Ubuntu 22.04 LTS, and Ubuntu 20.04 LTS.
Git Vulnerabilities Fixed in Ubuntu Updates
Security flaws were discovered in Git versions before 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. They have been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.
CVE-2024-32002 (CVSS v3 Score: 9.0 Critical)
A vulnerability was found in Git that affects repositories using submodules. Attackers could trick Git into placing malicious code in a critical location during the cloning process. This allows an attacker to execute a hook during the clone operation without user knowledge. Disabling symbolic link support in Git (using git config –global core.symlinks false) can also prevent this attack.
CVE-2024-32004
This vulnerability could allow an attacker to create a local repository in a way that executes arbitrary code when it is cloned. Attackers could exploit this to execute unauthorized actions on your system.
CVE-2024-32020
Another Git vulnerability involves the incorrect handling of local clones with hardlinked files/directories. It was found that local clones could hardlink files into the target repository’s object database if both source and target repositories were on the same disk. If a different user owned the source repository, the untrusted user could rewrite those hardlinked files at any time. Cloning local repositories typically involves copying or hardlinking files from the source to the target repository, which speeds up the process and saves disk space and compute time. However, cloning from a repository on the same disk owned by another user could result in creating hardlinks controlled by the untrusted user, allowing them to modify the files later.
CVE-2024-32021
Cloning a local source repository containing symlinks via the filesystem could cause Git to create hardlinks to arbitrary user-readable files in the target repository’s `objects/` directory. When cloning locally (without specifying the `file://` protocol or using `–no-local`), Git optimizes the process by attempting to hardlink object files instead of copying them. Despite checks against symlinks in the source repository, added to address CVE-2022-39253, these checks can be bypassed if the hardlink operation follows symlinks. If an object appears as a file during the check but as a symlink during the operation, an attacker can create hardlinks in the destination `objects/` directory to arbitrary user-readable files.
CVE-2024-32465
This issue is addressed in CVE-2024-32004. However, the fixes for CVE-2024-32004 may not cover all scenarios, such as when obtaining a .zip file containing a full Git repository, which might include hooks configured to run within that context. Similar to the previous cloned repository vulnerability, this flaw could allow attackers to execute arbitrary code.
Mitigation Measures
To safeguard your systems against these vulnerabilities, it is crucial to upgrade your Git packages. Generally, performing a standard system update will implement all the essential security patches. Users running Ubuntu 24.04 LTS, Ubuntu 23.10, Ubuntu 22.04 LTS, and Ubuntu 20.04 LTS should ensure their systems are updated to benefit from these fixes.
Users and organizations still relying on end-of-life Ubuntu systems can utilize TuxCare’s Extended Lifecycle Support (ELS) for Ubuntu 16.04 and Ubuntu 18.04. This extended support provides all the critical security updates for up to an additional five years after the EOL date.
Conclusion
The discovery of these Git vulnerabilities highlights the importance of regular system updates and vigilance in software security. By keeping your Git packages and systems up to date, you can protect your development environment from potential exploits and maintain the integrity and security of your code repositories. The Git project recommends avoiding working directly in untrusted repositories and suggests using git clone --no-local to obtain a clean copy.
Source: USN-6793-1
