bash-git-prompt Predictable Temporary File Vulnerability Allowing Symlink Attacks
Vulnerability
A vulnerability exists in bash-git-prompt versions 2.6.1 through 2.7.1 due to the insecure use of temporary files in the shared /tmp directory. The files /tmp/git-index-private* and /tmp/git-index-private*.lock are created with predictable names derived from the process ID of the bash session. Because the name can be guessed, an attacker on the same host can plant a symlink at that path in advance, so that the 'cp' command follows the link and overwrites a file of the attacker's choice. The attacker can also pre-create the temporary file itself, which causes bash-git-prompt to malfunction (a denial of service).
Impact
Exploitation of this vulnerability could result in a denial of service, an integrity violation (crafted data injected into the Git prompt), an information leak (the temporary file is world-readable), and, where a symlink or FIFO is planted at the predictable path, arbitrary file manipulation or a further denial of service.
Reproduction
The vulnerability can be reproduced by using bash-git-prompt in a Git repository: the predictable temporary files are created each time the prompt is updated. Knowing the process ID of the bash session, an attacker can create a symlink at the corresponding path, which the 'cp' command will follow and overwrite a file of their choice.
Remediation
Users and packagers of bash-git-prompt should update to the latest version, where this vulnerability has been addressed.
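As an added example (not bash-git-prompt's own code, and not a description of how the fixed release is implemented), the following shows the safe form of the private-index-copy pattern the advisory describes: the temporary file gets an unpredictable name created atomically by mktemp with owner-only permissions, and the path is checked before cp writes into it. It assumes bash plus GNU or BSD mktemp and stat; the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example, not bash-git-prompt's own code. Instead of a predictable
# /tmp/git-index-private$$ name, mktemp chooses the name and creates the file
# atomically with mode 0600, and the path is verified before cp writes to it.
# Assumes bash plus GNU or BSD mktemp/stat.

# Reject anything at a temp path that is not a regular, non-symlink file we
# own with mode 0600: a planted symlink (redirects the cp write), a FIFO
# (blocks cp), a pre-created file (breaks the prompt) or a world-readable
# copy (leaks index contents) all fail this check.
tmp_path_is_safe() {
  local p="$1" mode
  [ ! -L "$p" ] || return 1                      # symlink: never follow it
  [ -f "$p" ] || return 1                        # missing, FIFO, dir, device
  [ -O "$p" ] || return 1                        # owned by another user
  mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p")
  [ "$mode" = "600" ]                            # owner-only permissions
}

# Make the private copy. mktemp picks the name and creates the file with
# O_EXCL and 0600, so no pre-planted file or link can sit at that path; cp
# into the existing file keeps its 0600 mode. Prints the path on success.
make_private_index() {
  local src="$1" tmp
  tmp=$(mktemp "${TMPDIR:-/tmp}/git-index-private.XXXXXX") || return 1
  if ! tmp_path_is_safe "$tmp" || ! cp -- "$src" "$tmp"; then
    rm -f -- "$tmp"
    return 1
  fi
  printf '%s\n' "$tmp"
}

# How a prompt helper would use it: run git against the private copy so the
# repository's real index is never rewritten, then remove the copy. Only
# meaningful inside a Git repository with git installed.
private_status() {
  local gitdir tmp rc
  gitdir=$(git rev-parse --git-dir 2>/dev/null) || return 1
  tmp=$(make_private_index "${GIT_INDEX_FILE:-$gitdir/index}") || return 1
  GIT_INDEX_FILE="$tmp" git status --porcelain
  rc=$?
  rm -f -- "$tmp"
  return "$rc"
}
```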
