Subj : Credential-leaking vulnerability in some Git credential managers
To   : All
From : LWN.net
Date : Wed Jan 29 2025 16:15:07

Credential-leaking vulnerability in some Git credential managers

Date:
Wed, 29 Jan 2025 16:01:10 +0000

Description:
Security researcher RyotaK has shared a series of vulnerabilities that all 
have to do with how Git
interfaces with external
credential managers. In short, while Git guards against newline characters
( \n ) being injected into a repository's URL, some programming languages
also treat carriage return characters ( \r ) as being newlines. Adding a
carriage return to a repository's URL can cause Git and the credential manager
to disagree on how the URL should be parsed, ultimately resulting in Git
credentials being sent to the wrong host. Malicious repositories could include
Git submodules with malformed URLs, triggering the bug. Only password-based 
authentication
with an external credential manager is
vulnerable to this attack; SSH-based authentication remains secure. The Git 
project
has chosen to consider this a vulnerability in Git, given the large amount of
external software affected. The project has fixed the bug on its end by 
releasing updates for all supported versions that ban
carriage returns in URLs entirely. Affected software includes GitHub Desktop, 
Git LFS, and possibly other Git utilities: Since Git itself doesn't use 
..lfsconfig file, specifying the URL that contains
the newline character in .lfsconfig causes Git LFS to insert the newline 
character
into the message, while bypassing [...] Git's validation.

======================================================================
Link to news story:
https://lwn.net/Articles/1006691/


--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)

.