CVE-2022-31012: Release Git for Windows 2.37.1 · git-for-windows/git
Git for Windows is a fork of Git that contains Windows-specific patches. In versions prior to 2.37.1, this vulnerability causes the Git for Windows installer to execute a binary placed at C:\mingw64\bin\git.exe by mistake. This only happens on a fresh install, not when upgrading Git for Windows. A patch is included in version 2.37.1. Two workarounds are available: create the C:\mingw64 folder and remove read/write access from it, or disallow arbitrary authenticated users from creating folders in C:\.
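The first workaround above, scripted as an added example (this is not the Git for Windows project's own code): it creates the C:\mingw64 folder named in the advisory and strips the broad groups that C:\ hands down by inheritance, so a non-administrator can no longer plant C:\mingw64\bin\git.exe before a fresh install. It assumes an elevated PowerShell prompt on the machine being hardened.

```powershell
# Added example, not part of the Git for Windows release notes: apply the
# first workaround for CVE-2022-31012 before a fresh Git for Windows install.
# Assumption: run from an elevated PowerShell prompt on the machine being hardened.
$target      = 'C:\mingw64'
$broadGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

if (-not (Test-Path -LiteralPath $target)) {
    New-Item -ItemType Directory -Path $target | Out-Null
}

# Break inheritance from C:\ but keep copies of the inherited entries so they
# become explicit entries that can be removed one by one.
$acl = Get-Acl -LiteralPath $target
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $target -AclObject $acl

# Remove every entry for the broad groups; Administrators and SYSTEM keep theirs.
$acl = Get-Acl -LiteralPath $target
foreach ($rule in @($acl.Access)) {
    if ($broadGroups -contains $rule.IdentityReference.Value) {
        $acl.RemoveAccessRuleAll($rule)
    }
}
Set-Acl -LiteralPath $target -AclObject $acl

# Verify: any surviving Allow entry that still lets a broad group create content
# under the folder means the workaround did not take effect.
$createMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'
$leftover = (Get-Acl -LiteralPath $target).Access | Where-Object {
    $broadGroups -contains $_.IdentityReference.Value -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band $createMask) -ne 0
}
if ($leftover) {
    $leftover | Format-Table IdentityReference, FileSystemRights -AutoSize
    throw "$target still grants create/write rights to a broad group"
}
Write-Host "$target is protected; non-administrators can no longer create files under it."
```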
Changes since Git for Windows v2.37.0 (June 27th 2022)
This release addresses CVE-2022-31012 and CVE-2022-29187.
New Features
- Comes with Git v2.37.1.
- Comes with OpenSSL v1.1.1q.
- Comes with Git Credential Manager Core v2.0.785.
- Comes with tig v2.5.5.
Bug Fixes
- Pasting large amounts of text in Git for Windows’ Bash when running inside Windows Terminal often resulted in garbled text, which has been fixed.
- The Perl module perl-Clone, which linked to a non-existent DLL, was rebuilt to fix the issue.
- The Git for Windows installer can no longer be tricked into running an untrusted git.exe in elevated mode (CVE-2022-31012).
- When running Git in a world-writable directory owned by the current user (think C:\Windows\Temp, when running under the SYSTEM account), the checks for dubious ownership of the .git directory now detect this situation properly (CVE-2022-29187).
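An added example (not the Git for Windows project's own code) that audits for the CVE-2022-29187 situation described in the last bullet: repositories whose worktree directory is owned by the current user yet grants write access to broad groups, which Git 2.37.1 now treats as dubious ownership. The scan root C:\Windows\Temp is the advisory's own example and is an assumption here; point it at whatever directory you need to check.

```powershell
# Added example, not part of the Git for Windows release notes: list repositories
# under $root that are owned by the current user but sit in a directory that
# broad groups can write to (the CVE-2022-29187 scenario).
# Assumption: $root is the directory to scan; C:\Windows\Temp is the advisory's example.
$root        = 'C:\Windows\Temp'
$broadGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeMask   = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'
$me          = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

function Test-BroadWrite([string]$Path) {
    # True when any Allow entry gives a broad group a right that permits creating content.
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadGroups -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights) -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# .git is created with the hidden attribute on Windows, hence -Force.
Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -Filter '.git' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $worktree = $_.Parent.FullName
    $owner    = (Get-Acl -LiteralPath $worktree).GetOwner([System.Security.Principal.SecurityIdentifier])
    [pscustomobject]@{
        Repository       = $worktree
        OwnedByMe        = ($owner -eq $me)
        BroadWriteAccess = (Test-BroadWrite $worktree)
    }
  } |
  Where-Object { $_.OwnedByMe -and $_.BroadWriteAccess } |
  Format-Table -AutoSize
```

Each repository it prints would be rejected by the fixed ownership check; move it to a directory that only its owner can write to, or remove it if it is not yours.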