Git Releases New Version and Patches Security Vulnerabilities

TapTechNews reported on May 31st that the Git distributed version control system has released a new version that urgently patches 5 security vulnerabilities. The most critical of these, tracked as CVE-2024-32002, allows remote code execution during a clone operation.

TapTechNews note: Git is distributed version control software, originally created by Linus Torvalds and released in 2005 under the GPL license. It was initially designed to better manage development of the Linux kernel.

The CVE-2024-32002 vulnerability is highly damaging. By crafting a special Git repository submodule, an attacker can trick Git into writing files into the .git/ directory instead of the submodule's working tree.

In this way, attackers can plant malicious hook scripts that are executed while the clone operation is still in progress, leaving users practically no opportunity to inspect the code before it runs.

This is possible mainly on file systems that support symbolic links (symlinks) but are not case-sensitive, which makes them vulnerable to case confusion during recursive cloning. An unauthenticated remote attacker can exploit this to make the victim execute the just-cloned code during the clone operation, resulting in remote code execution.

The official security bulletin points out that disabling symbolic-link support in Git (for example, with git config --global core.symlinks false) prevents this attack.

These vulnerabilities have been patched in Git v2.45.1, v2.44.1, v2.43.4, v2.42.2, v2.41.1, v2.40.2, and v2.39.4. Users currently running any of the following affected versions should upgrade as soon as possible:

Git 2.45.0

Git 2.44.0

Git 2.43.* < 2.43.4

Git 2.42.* < 2.42.2

Git 2.41.0

Git 2.40.* < 2.40.2

Git < 2.39.4

This vulnerability only affects Windows and macOS systems.
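As an added example (not from the article or the Git project), the following POSIX shell helper classifies a Git version string against the affected ranges listed above and checks whether the bulletin's core.symlinks mitigation is in place. The exit-status convention, the "cut -d." version parsing, and treating versions newer than 2.45.1 as patched are assumptions made here.

```shell
#!/bin/sh
# Added example: returns 0 (true) when the given Git version falls in one of the
# affected ranges listed in the advisory summary, 1 (false) otherwise.
# Accepts strings like "2.43.2" or "2.41.0.windows.1" (as printed by `git --version`).
git_affected() {
  v="$1"
  major=$(printf '%s' "$v" | cut -d. -f1)
  minor=$(printf '%s' "$v" | cut -d. -f2)
  patch=$(printf '%s' "$v" | cut -d. -f3)
  patch=${patch:-0}   # "2.45" is treated as 2.45.0
  [ "$major" -lt 2 ] && return 0   # anything before 2.x is older than 2.39.4
  [ "$major" -gt 2 ] && return 1   # assumption: later major lines are patched
  case "$minor" in
    45) [ "$patch" -lt 1 ] ;;      # 2.45.0 affected, fixed in 2.45.1
    44) [ "$patch" -lt 1 ] ;;      # 2.44.0 affected, fixed in 2.44.1
    43) [ "$patch" -lt 4 ] ;;      # 2.43.* < 2.43.4
    42) [ "$patch" -lt 2 ] ;;      # 2.42.* < 2.42.2
    41) [ "$patch" -lt 1 ] ;;      # 2.41.0 affected, fixed in 2.41.1
    40) [ "$patch" -lt 2 ] ;;      # 2.40.* < 2.40.2
    39) [ "$patch" -lt 4 ] ;;      # < 2.39.4
    *)  [ "$minor" -lt 39 ] ;;     # older minors affected; 2.46+ assumed patched
  esac
}

# Mitigation check from the bulletin: core.symlinks should read "false"
# on the affected (Windows/macOS) platforms. Requires git on PATH.
symlinks_disabled() {
  [ "$(git config --global --get core.symlinks 2>/dev/null)" = "false" ]
}

# Report on the locally installed git, if any.
if command -v git >/dev/null 2>&1; then
  ver=$(git --version | awk '{print $3}')
  if git_affected "$ver"; then
    echo "git $ver: in an affected range for CVE-2024-32002, upgrade"
  else
    echo "git $ver: patched version"
  fi
  if symlinks_disabled; then
    echo "core.symlinks=false: bulletin mitigation in place"
  else
    echo "core.symlinks is not set to false"
  fi
fi
```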
