A Git-related CVE: CVE-2024-32002

I recently heard about a CVE that is relevant to me: CVE-2024-32002

Preface

cve git windows hook submodule

The issue combines submodules and hooks to inject a hook into the .git directory.

It affects most Git versions on Windows and macOS.



Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
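To check a workstation against the fixed releases listed in the description, the following added example (not part of the original post or of the Git project) parses `git --version` and compares it with the first patched release on each line. It assumes upstream version numbering and does not account for vendor backports; the `core.symlinks` check reads only the global config, as in the description's example.

```python
import re
import subprocess

# First fixed release on each maintained line, as listed in the description above.
FIXED = {(2, 45): 1, (2, 44): 1, (2, 43): 4, (2, 42): 2,
         (2, 41): 1, (2, 40): 2, (2, 39): 4}


def parse_version(text):
    """Extract (major, minor, patch) from `git --version` output.

    Tolerates suffixes such as '.windows.1' or ' (Apple Git-146)'.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_patched(version):
    """True if this upstream version carries the CVE-2024-32002 fix."""
    major, minor, patch = version
    line = (major, minor)
    if line in FIXED:
        return patch >= FIXED[line]
    # Lines older than 2.39 received no fix; lines newer than 2.45 include it.
    return line > max(FIXED)


def symlinks_disabled():
    """True if core.symlinks is set to a false value in the global config."""
    out = subprocess.run(["git", "config", "--global", "--get", "core.symlinks"],
                         capture_output=True, text=True)
    return out.stdout.strip().lower() in ("false", "no", "off", "0")


if __name__ == "__main__":
    raw = subprocess.run(["git", "--version"], capture_output=True,
                         text=True, check=True).stdout.strip()
    if is_patched(parse_version(raw)):
        print(f"{raw}: patched")
    elif symlinks_disabled():
        print(f"{raw}: unpatched, core.symlinks=false is set; upgrade anyway")
    else:
        print(f"{raw}: affected by CVE-2024-32002, upgrade Git")
```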

2. PATCH

https://github.com/git/git/commit/97065761333fd62db1912d81b489db938d8c991d


Summary

Note: on Windows, upgrade to the latest Git version as soon as possible.
