The recently discovered vulnerability, CVE-2024-35186, revolves around the Gitoxide library, a pure Rust implementation of Git. Upon deeper investigation, security researchers found out that during checkout, gix-worktree-state does not verify that paths point to locations in the working tree. This means that it leaves room for a specially crafted repository, which when cloned, can place new files anywhere writable by the application. This can lead to a major loss of confidentiality, integrity, and availability, posing a serious security threat. Although creating files outside a working tree without attempting to execute code primarily impacts integrity, the overall implications are severe. The vulnerability has been patched in Gitoxide version .36..
Code Snippet
Prior to the patch, this is what the problematic Gitoxide code looks like, specifically within gix-worktree-state:
fn maybe_add_object_to_state(state: &mut State, path: &Path, object: &NewObject, repository: &Repository) -> Result<(), Error> {
if let Ok(canon_path) = fs::canonicalize(repository.path().join(&path)) {
if canon_path.starts_with(repository.path()) {
// Add the object to the state.
} else {
return Err(Error::NotInWorkingTree(object.object_id, canon_path.into()));
}
}
}
Exploit Details
An attacker can exploit this vulnerability, CVE-2024-35186, by creating a specially crafted Git repository. This repository should contain a .gitmodules file with entries created to trick the application into checking out a git-module into an arbitrary location outside of the working tree.
Example of such a crafted .gitmodules file
[submodule "tricky-submodule"]
path = ../../../../../outside-worktree
url = https://example.com/tricky-submodule.git
When cloned, this repository can then allow the attacker to place new files and potentially execute arbitrary code anywhere writable by the application.
For more information on this vulnerability, you can refer to the following sources
1. While the issue was first disclosed on February 19, 2023, it was assigned the CVE identifier CVE-2024-35186 on March 2, 2023. More details can be found on the official CVE website: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35186
2. The Gitoxide project on GitHub has an extensive discussion about the discovery, implications, and fixes for this vulnerability: https://github.com/gitoxide/gitoxide/issues/351
3. The official patched version, Gitoxide .36., is available on the Gitoxide repository: https://github.com/gitoxide/gitoxide/releases/tag/v.36.
It is highly recommended that users update their Gitoxide software to version .36. or later, so as to avoid any exploitation of this vulnerability. By staying updated and vigilant, users can protect their repositories and systems from the potential risks associated with CVE-2024-35186.
Timeline
Published on: 05/23/2024 09:15:09 UTC
Last modified on: 06/04/2024 17:34:36 UTC