LWN.net (RSS Feed) /
npub1y53…9tux
2025-01-29 16:01:10
Credential-leaking vulnerability in some Git credential managers
Security researcher RyotaK
<a href="https://flatt.tech/research/posts/clone2leak-your-git-credentials-belong-to-us/" rel="nofollow">
has shared</a> a series of vulnerabilities that all have to do with how Git
interfaces with external
credential managers. In short, while Git guards against newline characters
(\n) being injected into a repository's URL, some programming languages
also treat carriage return characters (\r) as being newlines. Adding a
carriage return to a repository's URL can cause Git and the credential manager
to disagree on how the URL should be parsed, ultimately resulting in Git
credentials being sent to the wrong host. Malicious repositories could include
Git submodules with malformed URLs, triggering the bug. Only password-based authentication
with an external credential manager is
vulnerable to this attack; SSH-based authentication remains secure. The Git project
has chosen to consider this a vulnerability in Git, given the large amount of
external software affected. The project has fixed the bug on its end by
<a href="https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.txt" rel="nofollow">
releasing updates</a> for all supported versions that ban
carriage returns in URLs entirely.
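The parsing disagreement described above, as an added example that is not Git's or any credential manager's own code: a small model of the line-oriented git-credential protocol in which the writer side applies either the pre-fix check (LF only) or the post-fix check (CR and LF), and two readers, one splitting only on `\n` and one whose runtime also treats `\r` as a line terminator, read different `host` values from the same message. The URL, host names and function names are constructed for the illustration.

```python
# Added example (not Git's or any helper's own code): model of the
# git-credential protocol showing why a '\r' in a URL is dangerous and
# what the corrected input check does.
FORBIDDEN_BEFORE_FIX = "\n"     # only LF was rejected before the fix
FORBIDDEN_AFTER_FIX = "\r\n"    # Git 2.48.1 rejects CR as well


def split_url(url: str) -> tuple[str, str]:
    """Return (scheme, host) without normalising anything: a deliberately
    naive splitter so a raw '\r' survives into the host component."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("not an absolute URL")
    host, _, _path = rest.partition("/")
    return scheme, host


def credential_request(url: str, forbidden: str = FORBIDDEN_AFTER_FIX) -> str:
    """Serialize the 'get' request Git writes to a credential helper:
    key=value lines terminated by a blank line."""
    scheme, host = split_url(url)
    for value in (scheme, host):
        if any(c in value for c in forbidden):
            raise ValueError(f"refusing URL with control character: {value!r}")
    return f"protocol={scheme}\nhost={host}\n\n"


def _parse(lines) -> dict:
    creds = {}
    for line in lines:
        if line == "":          # blank line ends the request
            break
        key, _, value = line.partition("=")
        creds[key] = value      # a repeated key overwrites the earlier one
    return creds


def parse_lf_only(message: str) -> dict:
    """Reader that splits only on '\n', as Git itself does."""
    return _parse(message.split("\n"))


def parse_cr_as_newline(message: str) -> dict:
    """Reader whose runtime also treats '\r' as a line terminator
    (str.splitlines() does; so do some languages' ReadLine APIs)."""
    return _parse(message.splitlines())


# Constructed URL: the host component carries a CR and a second host= line.
CRAFTED = "https://host-a.example\rhost=host-b.example/repo.git"


def hosts_seen(url: str) -> tuple[str, str]:
    """(host read by an LF-only reader, host read by a CR-as-newline reader)
    when the writer applies only the pre-fix LF check."""
    msg = credential_request(url, forbidden=FORBIDDEN_BEFORE_FIX)
    return parse_lf_only(msg)["host"], parse_cr_as_newline(msg)["host"]


def rejected_after_fix(url: str) -> bool:
    """True if the post-fix check refuses to write a request for `url`."""
    try:
        credential_request(url)
        return False
    except ValueError:
        return True
```

With the pre-fix check the same bytes yield `host-a.example\rhost=host-b.example` for the strict reader and `host-b.example` for the lenient one; with the post-fix check the request is never written.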
Affected software includes GitHub Desktop, Git LFS, and possibly other Git utilities:
Since Git itself doesn't use .lfsconfig file, specifying the URL that contains
the newline character in .lfsconfig causes Git LFS to insert the newline character
into the message, while bypassing [...] Git's validation.
https://lwn.net/Articles/1006691/
Author Public Key
npub1y535he37cx4z855x3ded2r5et624klsemav6rg2vlm3ex0j0llzszg9tux