[ASA-202103-3] git: arbitrary code execution

2021-03-13 00:00:00
security.archlinux.org

CVSS3: 7.5 High
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 5.1 Medium
AV:N/AC:H/Au:N/C:P/I:P/A:P
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.903 High (percentile 98.8%)

Arch Linux Security Advisory ASA-202103-3

Severity: Low
Date : 2021-03-13
CVE-ID : CVE-2021-21300
Package : git
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1665

Summary

The package git before version 2.30.2-1 is vulnerable to arbitrary code
execution.

Resolution

Upgrade to 2.30.2-1.

pacman -Syu "git>=2.30.2-1"

The problem has been fixed upstream in version 2.30.2.

Workaround

None.

Description

In affected versions of Git, a specially crafted repository that
contains symbolic links as well as files using a clean/smudge filter
such as Git LFS may cause a just-checked-out script to be executed while
cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS.
Note that clean/smudge filters have to be configured for that. As a
workaround, if symbolic link support is disabled in Git (e.g. via
git config --global core.symlinks false), the described attack won't work.
Likewise, if no clean/smudge filters such as Git LFS are configured
globally (i.e. before cloning), the attack is foiled. As always, it
is best to avoid cloning repositories from untrusted sources. The
earliest impacted version is 2.14.2. The fix versions are: 2.30.1,
2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4,
2.20.5, 2.19.6, 2.18.5, 2.17.6.

Impact

Under certain circumstances, a remote attacker might be able to execute
arbitrary code by getting a local user to clone a crafted repository.
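The Description above names three preconditions that can be checked on a host before any untrusted clone happens: an affected git version, symbolic-link support left enabled, and a clean/smudge filter (Git LFS is the usual one) configured before cloning. The POSIX shell script below is an added example, not part of the Arch advisory or of git itself, that turns those into a triage check: it compares a version string (with or without an Arch pkgrel suffix) against the advisory's fix list and parses `git config --list`-style output for `core.symlinks` and `filter.*.smudge`/`filter.*.clean`. The function names, the constructed sample config text and the verdict wording are my own. The fourth precondition, a case-insensitive filesystem under the working tree, is not visible in a config listing and is deliberately not checked here.

```shell
#!/bin/sh
# Added example, not part of the Arch advisory or of git: triage a host's
# exposure to CVE-2021-21300 from its git version and pre-clone config,
# without touching any untrusted repository. Names below are my own.

# Fix releases listed in the advisory (one per maintenance track) and the
# earliest affected release.
FIXED_VERSIONS="2.30.1 2.29.3 2.28.1 2.27.1 2.26.3 2.25.5 2.24.4 2.23.4 2.22.5 2.21.4 2.20.5 2.19.6 2.18.5 2.17.6"
EARLIEST_AFFECTED="2.14.2"

# ver_ge A B: succeed when dotted version A >= B, compared component-wise
# as integers (a non-numeric component such as "windows" counts as 0).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# git_affected VERSION: succeed when VERSION (optionally with an Arch pkgrel
# suffix such as 2.30.2-1) is in the vulnerable range: at or after 2.14.2 and
# before the fix release on its own maintenance track. Tracks newer than 2.30
# were cut after the fix and are treated as fixed.
git_affected() {
    v="${1%%-*}"               # drop a pkgrel suffix: 2.30.2-1 -> 2.30.2
    ver_ge "$v" "$EARLIEST_AFFECTED" || return 1
    track="${v%.*}"            # 2.30.2 -> 2.30
    ver_ge "$track" "2.31" && return 1
    for f in $FIXED_VERSIONS; do
        if [ "${f%.*}" = "$track" ]; then
            ver_ge "$v" "$f" && return 1   # at or past this track's fix
            return 0
        fi
    done
    return 0                   # 2.14.2 .. 2.16.x: affected, no fix on that track
}

# config_exposed: reads `git config --list`-style key=value lines on stdin and
# succeeds when both config preconditions from the advisory hold: core.symlinks
# is not set to false, and at least one filter.<name>.smudge or .clean exists.
config_exposed() {
    symlinks_off=0; filters=0
    while IFS= read -r line; do
        case "$line" in
            core.symlinks=false) symlinks_off=1 ;;
            filter.*.smudge=*|filter.*.clean=*) filters=1 ;;
        esac
    done
    [ "$symlinks_off" -eq 0 ] && [ "$filters" -eq 1 ]
}

# triage VERSION CONFIG_TEXT: print a verdict; succeed only when every
# checkable precondition holds (affected version, symlinks on, filters set).
triage() {
    if ! git_affected "$1"; then
        echo "git $1: not in the affected range"; return 1
    fi
    if ! printf '%s\n' "$2" | config_exposed; then
        echo "git $1: affected version, but symlinks are disabled or no clean/smudge filter is configured before cloning"; return 1
    fi
    echo "git $1: affected version with a clean/smudge filter configured and symlinks enabled: upgrade"; return 0
}

# Constructed sample of `git config --global --list` output on a workstation
# where `git lfs install` has run (these are the lines it writes).
SAMPLE_LFS_CONFIG='user.name=Example User
filter.lfs.clean=git-lfs clean -- %f
filter.lfs.smudge=git-lfs smudge -- %f
filter.lfs.process=git-lfs filter-process
filter.lfs.required=true'

# The same host after applying the core.symlinks workaround from the advisory.
SAMPLE_MITIGATED_CONFIG="$SAMPLE_LFS_CONFIG
core.symlinks=false"

triage 2.30.0 "$SAMPLE_LFS_CONFIG" || :
triage 2.30.0 "$SAMPLE_MITIGATED_CONFIG" || :
triage 2.30.2-1 "$SAMPLE_LFS_CONFIG" || :

# Also triage the live host when git is present. System and global config are
# both read because either is in effect before a clone creates a repo config.
if command -v git >/dev/null 2>&1; then
    live_version="$(git --version | awk '{print $3}')"
    live_config="$({ git config --system --list || :; git config --global --list || :; } 2>/dev/null)"
    triage "$live_version" "$live_config" || :
fi
```

The version check intentionally treats the Arch package string (`git --version` prints the upstream version, `pacman -Q git` prints `2.30.2-1`) the same way, so the script works from either source. A "not in the affected range" verdict only covers the version; the config checks still tell you whether the host is one where an LFS-enabled clone of an untrusted repository would have been dangerous.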

References

https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm
https://lore.kernel.org/git/[email protected]/
https://git.kernel.org/pub/scm/git/git.git/commit/?id=684dd4c2b414bcf648505e74498a608f28de4592
https://security.archlinux.org/CVE-2021-21300

Affected packages

OS          Version  Architecture  Package  Version     Filename
Arch Linux  any      any           git      < 2.30.2-1  UNKNOWN
