Remediating the October 2018 Git Security Vulnerability

Today, the Git project has announced a security vulnerability: there is a security issue in recursively cloning submodules that can lead to arbitrary code execution. The Azure DevOps team encourages you to examine whether you are on an affected platform and, if so, upgrade your Git clients to the latest version. This includes Git clients on Unix platforms (including Linux and macOS) are vulnerable, including git running in a Linux distribution inside Windows Subsystem for Linux. Git on Cygwin is also vulnerable.

Git for Windows is uniquely not vulnerable to this security issue: this vulnerability requires writing a file to disk, and that filename must be particularly formatted and include a colon. Since colons are not permitted characters on Windows filesystems, Git for Windows will refuse to write the file.

Impact to Microsoft Products

Visual Studio is not impacted. Specificially, Visual Studio 2017 includes a version of Git for Windows (not impacted by this vulnerability) to perform version control Since Git for Windows. Earlier versions of Visual Studio, and Visual Studio for Mac, are not affected as they make use of the libgit2 framework, which is not vulnerable to this security issue.

Other tools, including Visual Studio Code, do not include a distribution of Git but instead rely on the version of Git installed on your machine. These tools are not directly vulnerable, and we encourage you to upgrade your system’s version of Git.

As with previous security vulnerabilities that make use of a harmful payload checked in to a Git repository, Azure Repos will prevent these malicious git repositories from being pushed into them. This is a helpful mitigation to help protect you while you are upgrading.

3