GIT_DIR` in the Windows registry, which will then be picked up by Git operations. This vulnerability has been patched in Git for Windows v2.35.2. In order to be protected against the vulnerability, users must create the registry entry `GIT_DIR` in the registry. Users must do this either manually or by updating the registry with a tool such as HJ.
Vulnerable Code: if ( git_dir.StartsWith("C:")) return false;
else
if ( git_dir.StartsWith("D:")) return false;
else if ( git_dir.StartsWith("E:")) return true;
else return true;
Installing Git for Windows
To install Git for Windows, download the installer from https://git-scm.com/download. The installer will create a new folder on the Desktop called `Git` and also create a new shortcut on the Desktop to open Git in its latest release.
Git for Windows: How to Create a Registry Entry to Protect Against CVE-2022-24765
Git for Windows v2.35.2 is a patch release that fixed this vulnerability.
Microsoft Azure Service Management API Security Weakness
A security flaw that has been discovered by Microsoft is in their Azure Service Management API. This weakness allows for remote code execution on Windows Server and Windows Desktop systems, as well as when used with Microsoft SQL Server. This vulnerability is addressed in the update to Azure Service Management API (v2.0).
Timeline
Published on: 04/12/2022 18:15:00 UTC
Last modified on: 07/29/2022 03:15:00 UTC
References
- https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2
- https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash
- https://git-scm.com/docs/git#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode
- http://www.openwall.com/lists/oss-security/2022/04/12/7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PTN5NYEHYN2OQSHSAMCNICZNK2U4QH6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BENQYTDGUL6TF3UALY6GSIEXIHUIYNWM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLP42KIZ6HACTVZMZLJLFJQ4W2XYT27M/
- https://support.apple.com/kb/HT213261
- http://seclists.org/fulldisclosure/2022/May/31
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24765