Documentation/RelNotes/2.14.6.txt - git - Git at Google

 Git v2.14.6 Release Notes
 =========================

 This release addresses the security issues CVE-2019-1348,
 CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352,
 CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387.

 Fixes since v2.14.5
 -------------------

  * CVE-2019-1348:
    The --export-marks option of git fast-import is exposed also via
    the in-stream command feature export-marks=... and it allows
    overwriting arbitrary paths.

  * CVE-2019-1349:
    When submodules are cloned recursively, under certain circumstances
    Git could be fooled into using the same Git directory twice. We now
    require the directory to be empty.

  * CVE-2019-1350:
    Incorrect quoting of command-line arguments allowed remote code
    execution during a recursive clone in conjunction with SSH URLs.

  * CVE-2019-1351:
    While the only permitted drive letters for physical drives on
    Windows are letters of the US-English alphabet, this restriction
    does not apply to virtual drives assigned via subst <letter>:
    <path>. Git mistook such paths for relative paths, allowing writing
    outside of the worktree while cloning.

  * CVE-2019-1352:
    Git was unaware of NTFS Alternate Data Streams, allowing files
    inside the .git/ directory to be overwritten during a clone.

  * CVE-2019-1353:
    When running Git in the Windows Subsystem for Linux (also known as
    "WSL") while accessing a working directory on a regular Windows
    drive, none of the NTFS protections were active.

  * CVE-2019-1354:
    Filenames on Linux/Unix can contain backslashes. On Windows,
    backslashes are directory separators. Git did not use to refuse to
    write out tracked files with such filenames.

  * CVE-2019-1387:
    Recursive clones are currently affected by a vulnerability that is
    caused by too-lax validation of submodule names, allowing very
    targeted attacks via remote code execution in recursive clones.

 Credit for finding these vulnerabilities goes to Microsoft Security
 Response Center, in particular to Nicolas Joly. The `fast-import`
 fixes were provided by Jeff King, the other fixes by Johannes
 Schindelin with help from Garima Singh.
	Git v2.14.6 Release Notes
	=========================

	This release addresses the security issues CVE-2019-1348,
	CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352,
	CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387.

	Fixes since v2.14.5
	-------------------

	* CVE-2019-1348:
	The --export-marks option of git fast-import is exposed also via
	the in-stream command feature export-marks=... and it allows
	overwriting arbitrary paths.

	* CVE-2019-1349:
	When submodules are cloned recursively, under certain circumstances
	Git could be fooled into using the same Git directory twice. We now
	require the directory to be empty.

	* CVE-2019-1350:
	Incorrect quoting of command-line arguments allowed remote code
	execution during a recursive clone in conjunction with SSH URLs.

	* CVE-2019-1351:
	While the only permitted drive letters for physical drives on
	Windows are letters of the US-English alphabet, this restriction
	does not apply to virtual drives assigned via subst <letter>:
	<path>. Git mistook such paths for relative paths, allowing writing
	outside of the worktree while cloning.

	* CVE-2019-1352:
	Git was unaware of NTFS Alternate Data Streams, allowing files
	inside the .git/ directory to be overwritten during a clone.

	* CVE-2019-1353:
	When running Git in the Windows Subsystem for Linux (also known as
	"WSL") while accessing a working directory on a regular Windows
	drive, none of the NTFS protections were active.

	* CVE-2019-1354:
	Filenames on Linux/Unix can contain backslashes. On Windows,
	backslashes are directory separators. Git did not use to refuse to
	write out tracked files with such filenames.

	* CVE-2019-1387:
	Recursive clones are currently affected by a vulnerability that is
	caused by too-lax validation of submodule names, allowing very
	targeted attacks via remote code execution in recursive clones.

	Credit for finding these vulnerabilities goes to Microsoft Security
	Response Center, in particular to Nicolas Joly. The `fast-import`
	fixes were provided by Jeff King, the other fixes by Johannes
	Schindelin with help from Garima Singh.