git@vger.kernel.org mailing list mirror (one of many)
* Security vulnerability in Git for Cygwin
@ 2021-04-24 20:32 Adam Dinwoodie
From: Adam Dinwoodie @ 2021-04-24 20:32 UTC (permalink / raw)
  To: Git Mailing List

Hi folks,

I don't typically announce Cygwin releases of Git on this mailing
list, but this one's for a security vulnerability, and in particular
I'd like to catch the (hopefully very small number of) people who use
Git on Cygwin compiling it themselves.

I've just uploaded version 2.31.1-2 of Git to the Cygwin distribution
server, and it will be being distributed to the Cygwin mirrors over
the next few hours.

This update addresses CVE-2021-29468, which would cause Git to
overwrite arbitrary files with attacker-controlled contents when
checking out content from a malicious repository, and in particular
would allow an attacker to overwrite Git hooks to execute arbitrary
code.

Having discussed with the Git security list, I believe there are very
few people compiling Git on Cygwin themselves, and therefore agreed to
release the patched Cygwin build without yet having a patch in the
main Git source code. However, if you do use a version of Git on Cygwin
that isn't from the official Cygwin distribution servers, I'd strongly
recommend either not checking out or cloning from any untrusted
repositories until you've applied at least the functional part of the
patch I'll be submitting shortly.

I'd like to thank RyotaK (https://github.com/Ry0taK /
https://twitter.com/ryotkak) for finding and responsibly disclosing
this vulnerability, and Johannes Schindelin for helping manage the
response.

Kind regards,

Adam


* Re: Security vulnerability in Git for Cygwin
@ 2021-04-24 21:04 ` Adam Dinwoodie
From: Adam Dinwoodie @ 2021-04-24 21:04 UTC (permalink / raw)
  To: Git Mailing List

On Sat, 24 Apr 2021 at 21:32, Adam Dinwoodie <adam@dinwoodie.org> wrote:
> I don't typically announce Cygwin releases of Git on this mailing
> list, but this one's for a security vulnerability, and in particular
> I'd like to catch the (hopefully very small number of) people who use
> Git on Cygwin compiling it themselves.
>
> I've just uploaded version 2.31.1-2 of Git to the Cygwin distribution
> server, and it will be being distributed to the Cygwin mirrors over
> the next few hours.
>
> This update addresses CVE-2021-29468, which would cause Git to
> overwrite arbitrary files with attacker-controlled contents when
> checking out content from a malicious repository, and in particular
> would allow an attacker to overwrite Git hooks to execute arbitrary
> code.
>
> Having discussed with the Git security list, I believe there are very
> few people compiling Git on Cygwin themselves, and therefore agreed to
> release the patched Cygwin build without yet having a patch in the
> main Git source code. However, if you do use a version of Git on Cygwin
> that isn't from the official Cygwin distribution servers, I'd strongly
> recommend either not checking out or cloning from any untrusted
> repositories until you've applied at least the functional part of the
> patch I'll be submitting shortly.
>
> I'd like to thank RyotaK (https://github.com/Ry0taK /
> https://twitter.com/ryotkak) for finding and responsibly disclosing
> this vulnerability, and Johannes Schindelin for helping manage the
> response.

One note I failed to put in the original email: there is further
information on this vulnerability in the GitHub Security Advisory at
https://github.com/me-and/Cygwin-Git/security/advisories/GHSA-rmp3-wq55-f557
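
The fix announced above ships as Cygwin package release 2.31.1-2, with no corresponding change yet in upstream Git, so the upstream version string alone cannot tell a patched install from a vulnerable one. The following checker is an added example, not code from Adam's e-mail or from the Cygwin-Git project: it reads the package version the way `cygcheck -c git` reports it (the column layout in `SAMPLE_CYGCHECK` is constructed for this example and is an assumption about that tool's output) and compares the upstream and release numbers against the fixed version named in the announcement.

```python
import re
import subprocess
from typing import Optional, Tuple

# Package release that carries the fix, as named in the announcement.
FIXED_VERSION = "2.31.1-2"

# Cygwin package versions look like '<upstream>-<release>', e.g. '2.31.1-2'.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)$")

# Constructed sample of `cygcheck -c git` output (assumed layout), showing an
# install that still has the pre-fix package release.
SAMPLE_CYGCHECK = """\
Cygwin Package Information
Package              Version        Status
git                  2.31.1-1       OK
"""


def parse_cygwin_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split '2.31.1-2' into ((2, 31, 1), 2) so tuples compare numerically."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"not a Cygwin package version: {version!r}")
    upstream = tuple(int(part) for part in match.group(1).split("."))
    return upstream, int(match.group(2))


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed package is at or above the fixed release.

    The release number matters: a 2.31.1-1 build reports the same upstream
    version as 2.31.1-2 but lacks the Cygwin-specific fix.
    """
    return parse_cygwin_version(version) >= parse_cygwin_version(fixed)


def installed_git_version(cygcheck_output: str) -> Optional[str]:
    """Pull the git package version out of `cygcheck -c git` output."""
    for line in cygcheck_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "git":
            return fields[1]
    return None  # git package line not present


def assess(cygcheck_output: str) -> str:
    """Classify an install as 'patched', 'vulnerable' or 'unknown'."""
    version = installed_git_version(cygcheck_output)
    if version is None:
        return "unknown"
    try:
        return "patched" if is_patched(version) else "vulnerable"
    except ValueError:
        return "unknown"


def assess_local_install() -> str:
    """Run cygcheck on this machine; 'unknown' when it is not available."""
    try:
        result = subprocess.run(
            ["cygcheck", "-c", "git"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return "unknown"
    return assess(result.stdout)


if __name__ == "__main__":
    print("constructed sample:", assess(SAMPLE_CYGCHECK))
    print("this machine:", assess_local_install())
```

A result of `vulnerable` means the install matches the announcement's advice to avoid cloning or checking out untrusted repositories until the package is updated; `unknown` covers non-Cygwin hosts and self-built Git, which this check cannot vouch for.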

