The Git Project addressed a critical remote code execution vulnerability in the Git command line client, Git Desktop, and Atom.
The flaw tracked as CVE-2018-17456 could be exploited by malicious repositories to remotely execute commands on a vulnerable system.
A malicious repository can create a .gitmodules file that contains an URL that starts with a dash.
The usage of a dash when Git clones a repository using the –recurse-submodules argument, will trigger the command to interpret the URL as an option, making possible for an attacker to perform remote code execution on the computer.
“When running “git clone –recurse-submodules”, Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a “git clone” subprocess. If the URL field is set to a string that begins with a dash, this “git clone” subprocess interprets the URL as an option. This can lead to executing an arbitrary script shipped in the superproject as the user who ran “git clone”.”
“In addition to fixing the security issue for the user running “clone”, the 2.17.2, 2.18.1 and 2.19.1 releases have an “fsck” check which can be used to detect such malicious repository content when fetching or accepting a push. See “transfer.fsckObjects” in git-config(1).”
This flaw has been addressed in Git v2.19.1, GitHub Desktop 1.4.2, Github Desktop 1.4.3-beta0, Atom 1.31.2, and Atom 1.32.0-beta3.
(Security Affairs – Git Project, hacking)