|
| 1 | +Git v2.14.6 Release Notes |
| 2 | +========================= |
| 3 | + |
| 4 | +This release addresses the security issues CVE-2019-1348, |
| 5 | +CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, |
| 6 | +CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387. |
| 7 | + |
| 8 | +Fixes since v2.14.5 |
| 9 | +------------------- |
| 10 | + |
| 11 | + * CVE-2019-1348: |
| 12 | + The --export-marks option of git fast-import is exposed also via |
| 13 | + the in-stream command feature export-marks=... and it allows |
| 14 | + overwriting arbitrary paths. |
| 15 | + |
| 16 | + * CVE-2019-1349: |
| 17 | + When submodules are cloned recursively, under certain circumstances |
| 18 | + Git could be fooled into using the same Git directory twice. We now |
| 19 | + require the directory to be empty. |
| 20 | + |
| 21 | + * CVE-2019-1350: |
| 22 | + Incorrect quoting of command-line arguments allowed remote code |
| 23 | + execution during a recursive clone in conjunction with SSH URLs. |
| 24 | + |
| 25 | + * CVE-2019-1351: |
| 26 | + While the only permitted drive letters for physical drives on |
| 27 | + Windows are letters of the US-English alphabet, this restriction |
| 28 | + does not apply to virtual drives assigned via subst <letter>: |
| 29 | + <path>. Git mistook such paths for relative paths, allowing writing |
| 30 | + outside of the worktree while cloning. |
| 31 | + |
| 32 | + * CVE-2019-1352: |
| 33 | + Git was unaware of NTFS Alternate Data Streams, allowing files |
| 34 | + inside the .git/ directory to be overwritten during a clone. |
| 35 | + |
| 36 | + * CVE-2019-1353: |
| 37 | + When running Git in the Windows Subsystem for Linux (also known as |
| 38 | + "WSL") while accessing a working directory on a regular Windows |
| 39 | + drive, none of the NTFS protections were active. |
| 40 | + |
| 41 | + * CVE-2019-1354: |
| 42 | + Filenames on Linux/Unix can contain backslashes. On Windows, |
| 43 | + backslashes are directory separators. Git did not use to refuse to |
| 44 | + write out tracked files with such filenames. |
| 45 | + |
| 46 | + * CVE-2019-1387: |
| 47 | + Recursive clones are currently affected by a vulnerability that is |
| 48 | + caused by too-lax validation of submodule names, allowing very |
| 49 | + targeted attacks via remote code execution in recursive clones. |
| 50 | + |
| 51 | +Credit for finding these vulnerabilities goes to Microsoft Security |
| 52 | +Response Center, in particular to Nicolas Joly. The `fast-import` |
| 53 | +fixes were provided by Jeff King, the other fixes by Johannes |
| 54 | +Schindelin with help from Garima Singh. |
0 commit comments