Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Git Arbitrary Code Execution Vulnerability via Improper Configuration Quoting

Vulnerability

A vulnerability in Git allows arbitrary code execution due to improper handling of configuration values. When Git reads configuration, it removes any trailing carriage returns and line feeds. However, when writing configuration, values with trailing carriage returns are not properly quoted, leading to the loss of the carriage return when the configuration is read again. This issue becomes problematic when initializing a submodule with a path that includes a trailing carriage return, as it causes the submodule to be checked out in the wrong location. If a symlink directs this altered path to the submodule hooks directory, and the submodule has an executable post-checkout hook, the hook may be inadvertently executed after the checkout process.
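The defect described above is only visible in the raw bytes of a configuration file, because Git's reader trims a trailing carriage return before anyone sees the value. The following scanner is an added example, not code from the page or from the Git project: it reads a `.gitmodules` file without that trimming and reports any submodule `path` value containing a carriage return. It generalises the page's trailing-CR case to any ASCII control character in a path value (an assumption of this example), and the sample file content is constructed for illustration.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample .gitmodules content (not taken from the page): a benign
# entry, and one whose path value carries a trailing carriage return that
# Git's reader would silently trim, as the advisory describes.
SAMPLE_GITMODULES = (
    b'[submodule "lib"]\n'
    b'\tpath = lib\n'
    b'\turl = https://example.invalid/lib.git\n'
    b'[submodule "x"]\n'
    b'\tpath = x\r\n'
    b'\turl = https://example.invalid/x.git\n'
)

# Any ASCII control character; this covers CR (0x0d) and LF (0x0a).
CONTROL_CHARS = re.compile(rb'[\x00-\x1f\x7f]')
SECTION_HEADER = re.compile(rb'^\[submodule "([^"]*)"\]\s*$')


def find_suspicious_paths(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (submodule name, raw path value) for every 'path' entry whose
    raw value contains a control character.

    The file is split on LF only and values are not stripped of CR, so the
    bytes are inspected before the trailing CR/LF trimming that Git applies
    when it reads configuration; that trimming is exactly what hides the
    problem. Flagging any control character, not only a trailing CR, is an
    assumption of this example."""
    findings: List[Tuple[str, bytes]] = []
    section = None
    for line in data.split(b'\n'):
        header = SECTION_HEADER.match(line.strip(b' \t'))
        if header:
            section = header.group(1).decode('utf-8', 'replace')
            continue
        if section is None or b'=' not in line:
            continue
        key, _, value = line.partition(b'=')
        if key.strip(b' \t').lower() != b'path':
            continue
        value = value.strip(b' \t')  # keep CR/LF so they can be detected
        if CONTROL_CHARS.search(value):
            findings.append((section, value))
    return findings


def main(argv: List[str]) -> int:
    # With a file argument, scan that file; otherwise scan the constructed sample.
    data = open(argv[1], 'rb').read() if len(argv) > 1 else SAMPLE_GITMODULES
    findings = find_suspicious_paths(data)
    for name, raw in findings:
        print(f"submodule {name!r}: path value {raw!r} contains control characters")
    return 1 if findings else 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run it as `python scan_gitmodules.py path/to/.gitmodules` before a recursive clone or submodule update of a repository you do not control; a non-zero exit means at least one path value needs a look. Because the check works on raw bytes, it is not affected by whether the value is quoted or by the trimming Git performs on read.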

Impact

Exploitation of this vulnerability could lead to arbitrary code execution, as a post-checkout hook in the affected submodule could be executed unintentionally, potentially running malicious scripts or commands.

Remediation

Users are advised to upgrade to Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, or 2.50.1. Alternatively, avoid recursively cloning submodules from untrusted repositories.
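Because the fix shipped as one patch release per minor series, a plain "newer than X" comparison does not answer whether a given Git install is patched. The following helper is an added example, not the page's or the Git project's code: it parses `git --version` output and compares the installed version against the fixed release of its own series, using the version list from the remediation above. Treating any series newer than 2.50 as released after the fix is an assumption of this example, not something the page states.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Fixed releases as listed in the remediation above, one per minor series.
FIXED_RELEASES = ["2.43.7", "2.44.4", "2.45.4", "2.46.4",
                  "2.47.3", "2.48.2", "2.49.1", "2.50.1"]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from strings such as 'git version 2.43.5'
    or 'git version 2.39.5 (Apple Git-154)'. A missing patch level counts as 0."""
    m = re.search(r'(\d+)\.(\d+)(?:\.(\d+))?', text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


# Minimum patched patch level per (major, minor) series.
FIXED_BY_SERIES: Dict[Tuple[int, int], int] = {
    (maj, mino): patch for maj, mino, patch in map(parse_version, FIXED_RELEASES)
}


def is_patched(version_text: str) -> bool:
    """True when the given Git version is at or above the fixed release of its series.

    Series older than the oldest listed fix have no fixed release on the page and
    are reported as unpatched. Series newer than the newest listed fix are assumed
    (this is not stated on the page) to have been cut after the fix."""
    maj, mino, patch = parse_version(version_text)
    series = (maj, mino)
    if series in FIXED_BY_SERIES:
        return patch >= FIXED_BY_SERIES[series]
    return series > max(FIXED_BY_SERIES)


def installed_git_version() -> Optional[str]:
    """Return the output of 'git --version', or None if git is not available."""
    try:
        result = subprocess.run(["git", "--version"], capture_output=True,
                                text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    current = installed_git_version()
    if current is None:
        print("git not found on PATH")
    else:
        state = "patched" if is_patched(current) else "UPGRADE REQUIRED"
        print(f"{current}: {state}")
```

The same `is_patched` function can be fed version strings collected from an inventory tool or from `git --version` run over SSH on each host, which makes it easy to enumerate the machines that still need the upgrade.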

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

  category         score
  spread             7.8
  impact            10.0
  exploitability     4.7
  remediation        8.3
  relevance          0.2
  threat             8.0
  urgency            2.9
  incentive          1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.