in git detected Critical (CVE-2021-29468), manifested only when assembling for the environment Cygwin (library to emulate the basic Linux API in Windows and a set of typical Linux programs for Windows). Empty allows you to perform an attacker code when removing the data (“Git Checkout”) from the repository controlled by the attacker. The problem is eliminated in the package Git 2.31.1-2 for Cygwin. In the main project Git, the problem has not yet been fixed (it is unlikely that someone collects the GIT for Cygwin with your own hands, and does not use the finished package).
Vulnerability caused Cygwin environment processing as unix-like Systems, not Windows, which leads to the lack of restrictions on using the ” symbol on the way, while in Cygwin, as in Windows, this symbol can be used to separate directories. As a result, through the creation of a specially modified repository containing symbolic links and files with a reverse slash symbol, you can achieve overwriting arbitrary files when downloading this repository in Cygwin (in GIT for Windows, a similar vulnerability has been fixed in 2019). After receiving the ability to overwrite files, the attacker can override Hook calls to GIT and make an arbitrary code in the system.