A severe vulnerability in Git has been patched to prevent remote code execution attacks against users who clone untrusted repositories.
The bug, which affects Git itself and the many products built on it, was disclosed on Tuesday[1].
Git[2], originally created for Linux kernel development, is open-source software that developers worldwide use to manage source code repositories and track changes to files.
The software is an example of a Distributed Version Control System (DVCS) and is used by companies and projects large and small, including Microsoft, Google, Facebook, GNOME, and PostgreSQL.
The vulnerability, CVE-2018-11235[3], stems from how Git handles submodule definitions and data received from a remote repository.
A remote repository may contain submodule definitions together with the submodule's own repository data, checked in to the parent repository as an ordinary folder. When the parent repository is cloned recursively, Git checks whether each submodule's repository already exists on disk before cloning it.
Because the attacker has checked in that folder at the location where Git expects the submodule's repository to live, Git skips the full clone and uses the on-disk copy instead.
When Git clones a repository, some configuration elements are intentionally not transferred, so that a remote server cannot plant configuration or scripts that would execute code on the cloning machine. Among the items that are never cloned are the contents of the .git/config file and the hook scripts in .git/hooks.
The vulnerability, however, allows exactly this to happen.
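The following audit script is an added example, not code from the article or from the Git project. It relies on two facts about Git: a submodule's repository is stored under .git/modules/<name> in the parent repository, and patched Git releases reject any submodule name that contains a ".." path component. The script parses a .gitmodules file with a small hand-written parser (the names, paths and URLs below are constructed for illustration), reports names whose git directory would resolve outside .git/modules, and separately scans a constructed tree listing (of the kind `git ls-tree -r --name-only` prints) for hook scripts that sit inside a checked-in git directory.

```python
"""Audit a repository for the CVE-2018-11235 pattern: submodule names that
would place the submodule's git directory outside .git/modules, and hook
scripts checked in alongside a git directory.

Added example; not the article's or the Git project's code. Assumes Git's
.git/modules/<name> layout and mirrors the '..'-component rule that patched
Git applies to submodule names.
"""
import posixpath
import re

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(.*)"\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return a list of (name, {key: value}) entries from .gitmodules text."""
    entries = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in '#;':
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), {})
            entries.append(current)
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[1][m.group(1).lower()] = m.group(2)
    return entries


def has_dotdot_component(name):
    """True if any '/'- or '\\'-separated component of name is '..'.
    Both separators are checked so the rule is the same on every platform."""
    return any(part == '..' for part in re.split(r'[/\\]', name))


def gitdir_for(name):
    """Where Git keeps the submodule's repository, resolved posix-style."""
    return posixpath.normpath(posixpath.join('.git/modules', name))


def audit_gitmodules(text):
    """Return (name, path, reasons) for every suspicious submodule entry."""
    findings = []
    for name, cfg in parse_gitmodules(text):
        reasons = []
        if not name:
            reasons.append('empty submodule name')
        if has_dotdot_component(name):
            reasons.append('name contains a ".." component')
        target = gitdir_for(name)
        if not target.startswith('.git/modules/'):
            # The git dir escapes .git/modules and lands in the worktree,
            # where a checked-in folder with hooks can already be waiting.
            reasons.append('git dir would resolve to %s' % target)
        if has_dotdot_component(cfg.get('path', '')):
            reasons.append('path contains a ".." component')
        if reasons:
            findings.append((name, cfg.get('path', ''), reasons))
    return findings


def find_checked_in_hooks(paths):
    """Flag tree entries of the form <dir>/hooks/<script> where <dir> also
    holds a HEAD entry, i.e. a git directory committed into the tree."""
    paths = set(paths)
    hits = []
    for p in sorted(paths):
        parent = posixpath.dirname(p)
        if posixpath.basename(parent) != 'hooks':
            continue
        repo_dir = posixpath.dirname(parent)
        if posixpath.join(repo_dir, 'HEAD') in paths:
            hits.append(p)
    return hits


# Constructed sample input: one benign submodule and one whose name walks
# out of .git/modules (hypothetical names and URLs).
SAMPLE_GITMODULES = (
    '[submodule "libfoo"]\n'
    '\tpath = vendor/libfoo\n'
    '\turl = https://example.com/libfoo.git\n'
    '[submodule "../../hooks-payload"]\n'
    '\tpath = evil\n'
    '\turl = https://example.com/evil.git\n'
)

# Constructed tree listing: a committed git directory with a hook script,
# plus a harmless docs/hooks folder that must not be flagged.
SAMPLE_TREE = [
    '.gitmodules',
    'vendor/libfoo',
    'hooks-payload/HEAD',
    'hooks-payload/config',
    'hooks-payload/hooks/post-checkout',
    'docs/hooks/README',
]

if __name__ == '__main__':
    for name, path, reasons in audit_gitmodules(SAMPLE_GITMODULES):
        print('submodule %r (path %r): %s' % (name, path, '; '.join(reasons)))
    for hook in find_checked_in_hooks(SAMPLE_TREE):
        print('checked-in hook script: %s' % hook)
```

Run against a real checkout by feeding the contents of .gitmodules to audit_gitmodules and the output of `git ls-tree -r --name-only HEAD` to find_checked_in_hooks; either finding on a repository you did not author is reason not to clone it recursively with an unpatched Git.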
Edward Thomson, program manager for Visual Studio Team Services (VSTS) at Microsoft explained in a blog post[4] that "since the submodule's repository is checked in to the parent repository, it's never actually cloned."
"The submodule repository can therefore actually have a hook already configured," Thomson explained. "If when you recursively cloned (and this repository does have to be cloned with --recursive for this