Microsoft-owned GitHub has released updated versions of Git for Windows, the local client for the Git revision control system, after two code execution bugs were discovered. Neither is remotely exploitable: both require an attacker who already has an account on the affected machine.
The first vulnerability affects multi-user machines. An untrusted user can create the folder C:\.git, which Git picks up whenever another user runs it outside a repository: Git locates its repository by walking up from the current directory towards the drive root and uses the first .git directory it finds, so for anyone not already inside a repository the attacker's folder is the one it settles on.
"Since some configuration variables (such as core.fsmonitor) cause Git to execute arbitrary commands, this can lead to arbitrary command execution when working on a shared machine," GitHub security engineer Taylor Blau said.
Users of posh-git, the Git prompt integration for Windows PowerShell, are vulnerable simply by starting a PowerShell session, because the prompt runs Git commands in whatever directory the shell opens in; Git Bash users who have enabled the recommended GIT_PS1_SHOWDIRTYSTATE prompt setting are at risk for the same reason.
Users who cannot upgrade can instead create a .git folder at the root of every drive on which Git commands are run and remove read and write access from those folders, so that no other user can create or populate them.
Setting or extending the GIT_CEILING_DIRECTORIES environment variable to include the parent directory of the user profiles, such as C:\Users on Windows, also blocks the attack: Git stops its upward search before it reaches that directory, so it never examines the drive root.
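As an added example (not code from the Git advisory, the Git for Windows project or this article), here is a PowerShell script an administrator of a shared Windows machine could run from an elevated prompt to check for the problem and apply both workarounds: it reports any .git folder already sitting at a fixed drive root or under the profile parent, checks whether the installed Git is at least 2.35.2, adds the profile parent to the machine-wide GIT_CEILING_DIRECTORIES, and pre-creates an access-restricted .git at the root of each fixed drive. The profile parent path, the SIDs used in the ACL and the version threshold are this example's assumptions.

```powershell
#Requires -RunAsAdministrator

# Assumption: user profiles live directly under <system drive>\Users.
$ProfileParent = "$env:SystemDrive\Users"

function Get-FixedDriveRoots {
    # DriveType 3 = local fixed disk; mapped network and removable drives are skipped.
    foreach ($d in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3') { "$($d.DeviceID)\" }
}

function Find-StrayGitDirs {
    # Git walks from the current directory up to the drive root and uses the first
    # .git it meets, so a .git at a drive root or above the profiles is reachable
    # from every account on the machine.
    foreach ($root in @(Get-FixedDriveRoots) + $ProfileParent) {
        $candidate = Join-Path $root '.git'
        if (-not (Test-Path -LiteralPath $candidate)) { continue }
        $config = Join-Path $candidate 'config'
        # core.fsmonitor is the config key the advisory names as a command runner;
        # seeing it in a stray .git is a strong sign of abuse.
        $hasFsmonitor = (Test-Path -LiteralPath $config) -and
            (Select-String -LiteralPath $config -Pattern '^\s*fsmonitor\s*=' -Quiet)
        [pscustomobject]@{
            Path         = $candidate
            Owner        = (Get-Acl -LiteralPath $candidate).Owner
            HasFsmonitor = [bool]$hasFsmonitor
        }
    }
}

function Test-GitPatched {
    # True when the installed Git reports 2.35.2 or newer, the version the advisory
    # names. Git for Windows prints e.g. "git version 2.35.2.windows.1".
    $out = & git --version 2>$null
    if ($out -and ($out -match '(\d+)\.(\d+)\.(\d+)')) {
        return [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3]) -ge [version]::new(2, 35, 2)
    }
    return $false
}

function Set-GitCeiling {
    # Workaround 2: make Git stop its upward search before it enters the profile
    # parent, so it never examines the drive root. Machine scope covers every
    # account; the value is seen by newly started shells (and posh-git prompts).
    param([string]$Ceiling = $ProfileParent)
    $existing = [Environment]::GetEnvironmentVariable('GIT_CEILING_DIRECTORIES', 'Machine')
    $parts = @()
    if ($existing) { $parts = $existing -split ';' }   # Git uses ';' as the list separator on Windows
    if ($parts -notcontains $Ceiling) { $parts += $Ceiling }
    [Environment]::SetEnvironmentVariable('GIT_CEILING_DIRECTORIES', ($parts -join ';'), 'Machine')
}

function Lock-DriveRootGitDir {
    # Workaround 1: pre-create .git at each fixed drive root so that no unprivileged
    # user can create it, then replace its ACL so only SYSTEM (S-1-5-18) and
    # Administrators (S-1-5-32-544) can touch it. Git ignores a .git it cannot read
    # or that lacks HEAD/objects/refs; what matters is that untrusted users can no
    # longer create or modify the folder. An existing folder is NOT taken over:
    # it may already carry an attacker's config and must be inspected by hand.
    foreach ($root in @(Get-FixedDriveRoots)) {
        $dir = Join-Path $root '.git'
        if (Test-Path -LiteralPath $dir) {
            Write-Warning "$dir already exists (owner: $((Get-Acl -LiteralPath $dir).Owner)); inspect and remove it manually"
            continue
        }
        New-Item -ItemType Directory -Path $dir | Out-Null
        # SIDs rather than group names so the command also works on localised Windows.
        & icacls $dir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
    }
}

Write-Host "Git patched (>= 2.35.2): $(Test-GitPatched)"
$stray = @(Find-StrayGitDirs)
if ($stray.Count) { $stray | Format-Table -AutoSize } else { Write-Host 'No stray .git directories found.' }
Set-GitCeiling
Lock-DriveRootGitDir
```

The script deliberately refuses to take over a root .git that already exists: re-ACLing a folder an untrusted user created would leave that user's config, including any core.fsmonitor entry, in place for an administrator's own Git to execute, so such a folder should be examined and deleted by hand before the locked placeholder is created.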
A second bug leaves the Git for Windows uninstaller vulnerable to dynamic link library (DLL) hijacking when it runs as the high-privilege SYSTEM account, whose inherited TMP and TEMP settings point to C:\Windows\Temp, a folder that any local user can write to.
"This means that any authenticated user can place malicious .dll files that are loaded when Git for Windows' uninstaller is run via the SYSTEM account," GitHub engineer Victoria Dye wrote.
GitHub itself is not affected by the vulnerabilities, which are patched in Git for Windows version 2.35.2.
NoGitBleed credentials leak fixed
Separately, GitHub said it will scan public repositories for accidentally leaked login credentials, to prevent attackers from finding these.
Configuration or human errors have led a significant number of users to accidentally commit their GitHub credentials as commit metadata, engineers Will Deane and Aaron Devaney discovered in early August last year.
Typically a username had been entered as the author name and a password in the email address field, the two values Git takes from its user.name and user.email settings and stamps on every commit.
"We estimate in the region of 50,000 to 100,000 user credentials may have been affected covering a wide range of organisations including governments, corporations, large open-source foundations as well as smaller organisations and individuals," the researchers wrote.
With those credentials in hand, attackers could, for example, mount supply-chain attacks on open source code repositories, Deane and Devaney said.
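The pattern the researchers describe is easy to check for locally. Here is an added PowerShell example (not the researchers' or GitHub's scanner, whose details this article does not give) that walks every commit reachable from any ref in a clone and flags author or committer identities that look like credentials rather than a name and an address, and applies the same heuristics to the user.name and user.email that Git will stamp on the next commit. The heuristics, the token-prefix rule and the repository path are this example's assumptions; a hit is a lead to verify, not proof of a leak.

```powershell
function Get-IdentityProblems {
    # Heuristics for "this identity field holds a credential": returns zero or
    # more reason strings. Assumption: a real email has exactly one '@' and a dot
    # after it; a password or user:password string usually does not.
    param([string]$Name, [string]$Email)
    $reasons = @()
    if ($Email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { $reasons += 'email field is not an address' }
    if ($Name -match '^[^\s:]+:\S+$') { $reasons += 'name field looks like user:password' }
    # GitHub token prefixes: ghp_ personal, gho_ OAuth, ghu_/ghs_ app tokens, ghr_ refresh.
    if ("$Name $Email" -match '\bgh[pousr]_[A-Za-z0-9]{20,}') { $reasons += 'contains a GitHub token' }
    return $reasons
}

function Get-SuspiciousGitIdentities {
    # One line per commit: hash, author name, author email, committer name,
    # committer email, tab-separated (%x09 is a literal tab in git's format).
    param([string]$RepoPath = '.')
    $lines = & git -C $RepoPath log --all --format='%H%x09%an%x09%ae%x09%cn%x09%ce' 2>$null
    foreach ($line in @($lines)) {
        $f = $line -split "`t"
        if ($f.Count -lt 5) { continue }
        foreach ($who in @(@('author', $f[1], $f[2]), @('committer', $f[3], $f[4]))) {
            $role, $name, $email = $who
            $reasons = @(Get-IdentityProblems -Name $name -Email $email)
            if ($reasons.Count) {
                [pscustomobject]@{
                    Commit = $f[0].Substring(0, 12)
                    Role   = $role
                    Name   = $name
                    Email  = $email
                    Reason = ($reasons -join '; ')
                }
            }
        }
    }
}

function Get-GitIdentityConfigProblems {
    # Same checks on the effective user.name / user.email for this repository,
    # so a misconfiguration is caught before the next commit is pushed.
    param([string]$RepoPath = '.')
    $name  = & git -C $RepoPath config --get user.name  2>$null
    $email = & git -C $RepoPath config --get user.email 2>$null
    if (-not $name -and -not $email) { return @() }   # nothing configured here
    return Get-IdentityProblems -Name $name -Email $email
}

# Usage; the repository path is an assumption.
$repo = 'C:\src\example-repo'
Get-SuspiciousGitIdentities -RepoPath $repo | Format-Table -AutoSize
$cfg = @(Get-GitIdentityConfigProblems -RepoPath $repo)
if ($cfg.Count) { Write-Warning "user.name/user.email look like credentials: $($cfg -join '; ')" }
```

Because `git log --all` covers remote-tracking branches as well as local ones, a flagged commit that was already pushed should be treated as a credential that is public: rotate it first, then rewrite history, since removing the commit does not un-leak the password.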
GitHub started scanning commit metadata for credentials in September last year so that the misconfigurations and mistakes could be remedied, and rolled the feature out fully yesterday.