mnowrot changed the title from "Git 2.45.0 triggers a MS Defender xz-utils vulnerability alert in C:\Program Files\Git\mingw64\bin\lzmadec.exe Version: 5.6.1.0" to "Git 2.45.0 triggers an MS Defender xz-utils vulnerability alert in C:\Program Files\Git\mingw64\bin\lzmadec.exe Version: 5.6.1.0" on May 3, 2024
tl;dr No, Git for Windows v2.45.0 does not contain a critical vulnerability.
And to be utterly precise, CVE-2024-3094 does not describe a vulnerability; it is much worse: it is a backdoor. Even so, Git for Windows v2.45.0 does not contain said backdoor.
Unfortunately, Defender as well as the information provided in https://nvd.nist.gov/vuln/detail/CVE-2024-3094 is quite terse, too terse if you ask me: it does not talk about SSH or systemd, let alone about the affected operating systems (Windows is not one of them).
I became aware of the report of an xz backdoor on March 30th, 2024, and analyzed the impact on Git for Windows immediately. I came to the conclusion that the backdoor does not affect it in the slightest.
Already the first findings made it quite clear that the backdoor is compiled in only when building Debian or RedHat packages. Neither Cygwin nor Git for Windows does that, not even for development.
And then there is another compile-time check that completely excludes the backdoor on non-Linux machines.
And then the backdoor uses a little-known glibc functionality called ifunc. As far as I understand, glibc would not even work on Windows.
In any case, neither Git for Windows nor Cygwin use glibc. Without ifunc, the backdoor cannot intercept anything.
And then there is a runtime check that activates the backdoor only if the current process is called /usr/sbin/sshd. Since this is missing the .exe suffix, it would not trigger in Cygwin. And due to the way the executable name is determined, it would not even work in Git for Windows.
And then there is the fact that Git for Windows does not run sshd. Users might start it, it is included, but you'd have to be very advanced to even know about it and how to start it. I highly doubt that anyone except me ever did that, and I stopped that practice years ago.
So... all clear: Git for Windows v2.45.0 is distinctly not affected by CVE-2024-3094.
dscho changed the title from "Git 2.45.0 triggers an MS Defender xz-utils vulnerability alert in C:\Program Files\Git\mingw64\bin\lzmadec.exe Version: 5.6.1.0" to "Is xz-utils/lzmadec version 5.6.1.0 not vulnerable? I.e. is Git for Windows v2.45.0 insecure?" on May 3, 2024
Setup: defaults?
Details: The following has been detected by MS Defender after upgrading to 2.45