Commit: 66d2a615 JS

Git v2.14.6 Release Notes
=========================

This release addresses the security issues CVE-2019-1348,
CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352,
CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387.

Fixes since v2.14.5
-------------------

 * CVE-2019-1348:
   The --export-marks option of git fast-import is exposed also via
   the in-stream command feature export-marks=... and it allows
   overwriting arbitrary paths.

 * CVE-2019-1349:
   When submodules are cloned recursively, under certain circumstances
   Git could be fooled into using the same Git directory twice. We now
   require the directory to be empty.

 * CVE-2019-1350:
   Incorrect quoting of command-line arguments allowed remote code
   execution during a recursive clone in conjunction with SSH URLs.

 * CVE-2019-1351:
   While the only permitted drive letters for physical drives on
   Windows are letters of the US-English alphabet, this restriction
   does not apply to virtual drives assigned via subst <letter>:
   <path>. Git mistook such paths for relative paths, allowing writing
   outside of the worktree while cloning.

 * CVE-2019-1352:
   Git was unaware of NTFS Alternate Data Streams, allowing files
   inside the .git/ directory to be overwritten during a clone.

 * CVE-2019-1353:
   When running Git in the Windows Subsystem for Linux (also known as
   "WSL") while accessing a working directory on a regular Windows
   drive, none of the NTFS protections were active.

 * CVE-2019-1354:
   Filenames on Linux/Unix can contain backslashes. On Windows,
   backslashes are directory separators. Git did not use to refuse to
   write out tracked files with such filenames.

 * CVE-2019-1387:
   Recursive clones are currently affected by a vulnerability that is
   caused by too-lax validation of submodule names, allowing very
   targeted attacks via remote code execution in recursive clones.

Credit for finding these vulnerabilities goes to Microsoft Security
Response Center, in particular to Nicolas Joly. The `fast-import`
fixes were provided by Jeff King, the other fixes by Johannes
Schindelin with help from Garima Singh.
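
An added example, not part of the release notes and not Git's own code: a Python audit that flags tracked path names of the kinds described under CVE-2019-1351, CVE-2019-1352 and CVE-2019-1354 before a repository is checked out on Windows. The matching rules are simplified assumptions, `audit_path`, `audit_listing` and `SAMPLE` are hypothetical names, and the input is constructed in the NUL-separated shape that `git ls-tree -r -z --name-only HEAD` prints.

```python
import re

# Constructed sample listing (not from a real repository), NUL-separated.
SAMPLE = (b"README.md\0src/main.c\0docs\\notes.txt\0"
          b"\xc3\xa4:/payload.txt\0config/hooks.txt:stream\0")

# Assumption: one character followed by ':' is treated as a drive prefix,
# whether or not that character is a US-English letter (see CVE-2019-1351).
DRIVE_PREFIX = re.compile(r"^[^/\\:]:")

def audit_path(path):
    """Return a list of (cve, reason) findings for one tracked path."""
    findings = []
    if "\\" in path:
        findings.append(("CVE-2019-1354",
                         "backslash is a directory separator on Windows"))
    rest = path
    if DRIVE_PREFIX.match(path):
        findings.append(("CVE-2019-1351",
                         "drive-style prefix, not a relative path on Windows"))
        rest = path[2:]  # a colon after the prefix is judged separately
    if ":" in rest:
        findings.append(("CVE-2019-1352",
                         "colon addresses an NTFS Alternate Data Stream"))
    return findings

def audit_listing(raw):
    """Audit a NUL-separated listing; return {path: findings} for flagged paths."""
    report = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        # Git paths are bytes; keep undecodable bytes instead of failing.
        path = entry.decode("utf-8", errors="surrogateescape")
        findings = audit_path(path)
        if findings:
            report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit_listing(SAMPLE).items():
        for cve, reason in findings:
            print(f"{path!r}: {cve}: {reason}")
```
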