nir Posted October 6, 2018

GitHub is the go-to code-sharing and hosting service for developers around the globe. The company was acquired by Microsoft in June for a massive sum of $7.5 billion, although the EU is yet to finalize the deal. Now, GitHub has announced that it was vulnerable to a security flaw that allowed arbitrary code execution. Although it has now fixed the issue, the company has noted that only Unix platforms were impacted by it.

A security listing by GitHub says that a vulnerability in its software allowed arbitrary code execution on the client platform if a specific command, namely "git clone --recurse-submodules", was executed. It explains that:

When running "git clone --recurse-submodules", Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a "git clone" subprocess. If the URL field is set to a string that begins with a dash, this "git clone" subprocess interprets the URL as an option. This can lead to executing an arbitrary script shipped in the superproject as the user who ran "git clone".

In a blog post, Microsoft has clarified that the problem was applicable to Unix-based platforms such as Linux and macOS, or for people running git in a Linux distro in Windows Subsystem for Linux (WSL). This is due to the fact that the file which is written to the disk when exploiting the vulnerability requires a colon in its name, and since colons are not supported in Windows filesystems, Git for Windows doesn't write the file.

The company has also noted that its Visual Studio products which use Git on any platform (macOS, Windows) are unaffected, but GitHub has still recommended that users upgrade to Git version 2.17.2, 2.18.1 and 2.19.1, just to be on the safe side.
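The advisory quoted above boils down to one untrusted field (the submodule url in .gitmodules) being handed to a subprocess where a leading dash turns data into an option. The following added example is not from the post, from GitHub or from the Git project; it is a small pre-flight check a defender can run over a freshly cloned superproject before recursing into submodules, on a Git version that has not yet been upgraded. It parses .gitmodules with a minimal hand-written parser and flags any url that begins with "-". It also flags a path beginning with "-", which is my extension of the same idea (the path is likewise passed to the subprocess) rather than something the post states. The sample .gitmodules text and the option-like value in it are constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .gitmodules content (not from any real repository).
# The second entry carries a url that starts with a dash, the pattern the
# advisory describes; the value itself is a neutral placeholder.
SAMPLE_GITMODULES = """\
[submodule "lib/safe"]
\tpath = lib/safe
\turl = https://example.com/org/safe.git
[submodule "lib/suspicious"]
\tpath = lib/suspicious
\turl = --constructed-option-like-url
"""

# .gitmodules uses git-config syntax: [submodule "name"] headers followed by
# key = value lines. Two regexes cover what we need here.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .gitmodules parser: {submodule name: {key: value}}.

    Comment lines (# or ;) and blank lines are skipped; keys are lowercased
    the way git treats them. Good enough for a pre-flight check, not a full
    git-config implementation (no quoting or include handling).
    """
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "#;":
            continue
        section = SECTION_RE.match(raw)
        if section:
            current = section.group(1)
            modules.setdefault(current, {})
            continue
        entry = KEY_RE.match(raw)
        if entry and current is not None:
            modules[current][entry.group(1).lower()] = entry.group(2)
    return modules


def option_like_entries(modules: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (submodule, key, value) for every url or path that begins with '-'.

    A leading dash is exactly what lets the value be read as a command-line
    option by the "git clone" subprocess instead of as a URL or directory.
    """
    findings = []
    for name, entries in modules.items():
        for key in ("url", "path"):
            value = entries.get(key, "")
            if value.startswith("-"):
                findings.append((name, key, value))
    return findings


def is_safe_to_recurse(text: str) -> bool:
    """True when no submodule url/path in the given .gitmodules looks like an option."""
    return not option_like_entries(parse_gitmodules(text))


if __name__ == "__main__":
    for name, key, value in option_like_entries(parse_gitmodules(SAMPLE_GITMODULES)):
        print(f"refusing to recurse: submodule {name!r} has option-like {key}: {value!r}")
    print("safe to recurse:", is_safe_to_recurse(SAMPLE_GITMODULES))
```

Run it against the .gitmodules of a checkout made without --recurse-submodules; if it reports any finding, do not run the recursive clone or "git submodule update" on that tree until Git has been upgraded to one of the fixed versions named in the post. The check is a stopgap that mirrors the decision the patched Git makes itself; upgrading remains the actual fix.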