• Credential-leaking vulnerability in some Git credential managers

    From LWN.net@1337:1/100 to All on Wed Jan 29 16:15:07 2025
    Credential-leaking vulnerability in some Git credential managers

    Date:
    Wed, 29 Jan 2025 16:01:10 +0000

    Description:
    Security researcher RyotaK has shared a series of vulnerabilities that all
    have to do with how Git interfaces with external credential managers. In
    short, while Git guards against newline characters (\n) being injected into
    a repository's URL, some programming languages also treat carriage return
    characters (\r) as newlines. Adding a carriage return to a repository's URL
    can cause Git and the credential manager to disagree on how the URL should
    be parsed, ultimately resulting in Git credentials being sent to the wrong
    host. Malicious repositories could include Git submodules with malformed
    URLs, triggering the bug. Only password-based authentication with an
    external credential manager is vulnerable to this attack; SSH-based
    authentication remains secure. The Git project has chosen to consider this
    a vulnerability in Git, given the large amount of external software
    affected. The project has fixed the bug on its end by releasing updates for
    all supported versions that ban carriage returns in URLs entirely. Affected
    software includes GitHub Desktop, Git LFS, and possibly other Git utilities:

        Since Git itself doesn't use the .lfsconfig file, specifying the URL
        that contains the newline character in .lfsconfig causes Git LFS to
        insert the newline character into the message, while bypassing [...]
        Git's validation.
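    As an added example (not code from the article, Git, Git LFS or RyotaK's
    writeup), the following Python models the credential-helper message format
    and the two readings of one carriage-return-bearing URL described above,
    together with the check Git's fix applies. Host names are constructed
    placeholders, and Python's str.splitlines() stands in for a helper language
    that treats \r as a line break.

```python
# Added example (not code from LWN, Git, Git LFS or RyotaK): a small model of
# the git credential-helper wire format, key=value lines ended by '\n' and a
# blank line, showing the parsing disagreement the article describes and the
# check Git's fix introduces. Host names are constructed placeholders.

# Constructed: a host component carrying a carriage return, the kind of value
# Git's original '\n'-only check did not stop.
CRAFTED_HOST = "legit.example\rhost=other.example"

def fields_are_clean(*values: str) -> bool:
    """Git's fix, modelled: no URL component may contain LF or CR at all."""
    return not any(ch in value for value in values for ch in ("\n", "\r"))

def build_message(protocol: str, host: str, path: str = "", enforce_fix: bool = True) -> str:
    """Serialize a credential request as Git writes it. With enforce_fix=False the
    message is written unchecked, like a pre-fix Git or a tool such as Git LFS that
    takes its URL from .lfsconfig and so sidesteps Git's validation."""
    if enforce_fix and not fields_are_clean(protocol, host, path):
        raise ValueError("refusing credential lookup: URL component contains CR or LF")
    fields = [("protocol", protocol), ("host", host)]
    if path:
        fields.append(("path", path))
    return "".join(f"{key}={value}\n" for key, value in fields) + "\n"

def _parse(lines) -> dict:
    """Shared reader: stop at the first empty line; later keys overwrite earlier ones."""
    parsed = {}
    for line in lines:
        if line == "":
            break
        key, _, value = line.partition("=")
        parsed[key] = value
    return parsed

def parse_strict(message: str) -> dict:
    """Git's reader: only '\n' ends a line, so a '\r' stays inside the host value."""
    return _parse(message.split("\n"))

def parse_lenient(message: str) -> dict:
    """A helper written in a language whose line splitting also treats '\r' as a
    line break (str.splitlines here): the same bytes yield a second 'host' line."""
    return _parse(message.splitlines())

if __name__ == "__main__":
    raw = build_message("https", CRAFTED_HOST, enforce_fix=False)
    print("git sees host   :", parse_strict(raw)["host"])
    print("helper sees host:", parse_lenient(raw)["host"])
    print("fix rejects it  :", not fields_are_clean(CRAFTED_HOST))
```

    Run stand-alone, the block prints the two disagreeing host values for the
    same message and confirms that the CR check refuses the URL outright.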

    ======================================================================
    Link to news story:
    https://lwn.net/Articles/1006691/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)