CVE-2020-5260

[momcilo78]

• I was not able to find an open or closed issue matching what I'm seeing

Setup

• Which version of Git for Windows are you using? Is it 32-bit or 64-bit?

$ git --version --build-options

git version 2.21.0.windows.1
cpu: x86_64
built from commit: 2481c4cbe949856f270a3ee80c802f5dd89381aa
sizeof-long: 4
sizeof-size_t: 8

• Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?

$ cmd.exe /c ver

Microsoft Windows [Version 10.0.17134.1365]

• What options did you set as part of the installation? Or did you choose the
  defaults?

# One of the following:
> type "C:\Program Files\Git\etc\install-options.txt"
> type "C:\Program Files (x86)\Git\etc\install-options.txt"
> type "%USERPROFILE%\AppData\Local\Programs\Git\etc\install-options.txt"
$ cat /etc/install-options.txt

Editor Option: Notepad++
Custom Editor Path:
Path Option: Cmd
SSH Option: OpenSSH
CURL Option: WinSSL
CRLF Option: CRLFCommitAsIs
Bash Terminal Option: MinTTY
Performance Tweaks FSCache: Enabled
Use Credential Manager: Enabled
Enable Symlinks: Enabled

• Any other interesting things about your environment that might be related
  to the issue you're seeing?

No

Details

• Which terminal/shell are you running Git from? e.g Bash/CMD/PowerShell/other

CMD

• What commands did you run to trigger this issue? If you can provide a
  Minimal, Complete, and Verifiable example
  this will help us understand the issue.

No command, this is vulnarability as described:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5260

• What did you expect to occur after running these commands?

N/A

• What actually happened instead?

N/A

• If the problem was occurring with a specific repository, can you provide the
  URL to that repository to help us with testing?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5260

[rimrul]

You've got to be trolling. Git for Windows 2.26.1 was released 2 days ago with the fix for this.

Your link even lists the fixed versions. Update your Git for Windows.

[momcilo78]

@rimrul not tolling. Just trying to find out if this was included, since release notes are vague.

[dscho]

release notes are vague.

The release notes mention that Git v2.26.1 was included. And that version was widely described as to fix this vulnerability.

[PhilipOakley]

(Git for Windows) release notes are vague.

The release notes mention that Git v2.26.1 was included. And that version was widely described as to fix this vulnerability.

I'd agree to both statements, but it is one of those ' a choice has to be made' [1].

Just wondering out loud if there is a good way of linking to the upstream git release notes. Including them verbatim would be the wrong thing to do, though some users may not know where to look for those upstream notes. Hmm?

The Git for Windows release notes are in the installation at file:///C:/Program%20Files/Git/ReleaseNotes.html (but not as a start menu link [2]). That page (as best I can see) isn't part of the gitforwindows.org links, but the Releases (see footer) link has the same details. Both the C: and Github release page then has a further link (via the "comes with Git Vx.y.z" note (not the classical underlined)) to the actual release notes, which in this case then say, go look at some 'other' release notes (v2.17.4), https://github.com/git/git/blob/v2.26.1/Documentation/RelNotes/2.17.4.txt (I had some finger trouble getting there:-(

So it is all there, but perhaps at a few levels deeper than @momcilo78 would have liked. Mind you, a little bit of obscurity does help keep the script kiddies away.

[1] You can't win; The best you can do is draw; The game is rigged; You can't get out of the game: Thermodynamics (laws of)

[2] that inclusion of a 'release notes' link in the start menus could be a #leftoverbits for someone who wants to dabble. I'll add it also to my list of 'ideas'.

[momcilo78]

Hi All,

With no intent to make this a trolling contest, I will elaborate "vague".

As an IT admin providing the github enterprise service, I am also responsible to trigger the replacement of distributed versions of the git clients inside the company I work for.

This meant reading the CVE, and locating the source of the package, just like any other normal user would do, so I followed https://gitforwindows.org/, clicked on Version 2.26.1
and located:
https://github.com/git-for-windows/git/releases/tag/v2.26.1.windows.1

As seen in the release notes, the CVE is not mentioned for either 2.26.0 or 2.26.1.

At this point I concluded that this is not addressed yet with proper release, and created this issue.

Locating txt files, is something we would not expect from the common end user, especially since it is in the original project.

https://github.com/git/git/blob/v2.26.1/Documentation/RelNotes/2.26.1.txt pointing to 2.17.4
https://github.com/git/git/blob/v2.26.1/Documentation/RelNotes/2.17.4.txt declaring actual CVE desingation

I would suggest therefore editing the release notes for 2.26.1, since this is what normal users read.

BR,
Moma

[dscho]

I would suggest therefore editing the release notes for 2.26.1, since this is what normal users read.

The release notes are bundled in the installer, so that's unfortunately not an option. We don't just replace binaries of already-released versions with new binaries.