Add YARA rule for CVE-2025-48384 (git submodule CR injection) (#1540)

* Add YARA rule for CVE-2025-48384 (git submodule CR injection)

Detects a .gitmodules submodule path or url value that carries a smuggled
carriage return, the exploitation primitive for CVE-2025-48384. git strips a
trailing CR when reading a config value but does not quote it when writing, so
a submodule whose path ends in CR is checked out to a different location than
the one validated; paired with a symlink into .git/hooks this runs a
post-checkout hook during a recursive clone.

Placed under rules/impact/exploit/ alongside the existing CVE exploit rules.
The rule matches an embedded CR mid-value on its own (zero false positives on
benign LF or CRLF files) and a trailing CR only when the file also has bare-LF
line endings, the on-disk fingerprint of a CR injected into an otherwise-LF
.gitmodules, so a uniformly CRLF Windows checkout does not match.

Refs: GHSA-vwqx-4fm8-6qc9
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

* small rule tweaks

* add newline

---------

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>

Author: arpitjain099

rules/impact/exploit/cve-2025-48384.yara

@@ -0,0 +1,42 @@
+rule git_submodule_carriage_return: high {
+  meta:
+    description = "git .gitmodules submodule path with a smuggled carriage return (CVE-2025-48384)"
+    details     = "git strips a trailing CR when reading a config value but does not quote it when writing, so a submodule path ending in CR is checked out to a different location than the one validated; combined with a symlink into .git/hooks this runs a post-checkout hook during 'git clone --recursive'"
+    cve         = "CVE-2025-48384"
+    reference   = "https://github.blog/open-source/git/git-security-vulnerabilities-announced-9/"
+    advisory    = "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9"
+    repository  = "https://github.com/vinieger/CVE-2025-48384"
+    date        = "2026-06-03"
+
+  strings:
+    // git config section and variable names are case-insensitive, so every
+    // pattern is matched nocase to defeat [Submodule "..."], Path =, URL =, etc.
+    $submodule = "[submodule \"" nocase
+
+    // The strongest signal: a CR in the middle of a path/url value (CR followed
+    // by more value text, not a line terminator) or a value that ends in a bare
+    // CR at end-of-file (the trailing-CR primitive when the file has no final
+    // newline). Neither can occur in a benign LF or CRLF .gitmodules, so each is
+    // unambiguous on its own. $ here anchors end-of-data, not end-of-line, so it
+    // does not fire on the \r of a normal \r\n terminator.
+    $path_embedded_cr = /[\n\x00][ \t]*path[ \t]*=[ \t]*"?[^\r\n]*\r[^\n]/ nocase
+    $url_embedded_cr  = /[\n\x00][ \t]*url[ \t]*=[ \t]*"?[^\r\n]*\r[^\n]/ nocase
+    $path_eof_cr      = /[\n\x00][ \t]*path[ \t]*=[ \t]*"?[^\r\n]*\r$/ nocase
+    $url_eof_cr       = /[\n\x00][ \t]*url[ \t]*=[ \t]*"?[^\r\n]*\r$/ nocase
+
+    // A path/url value with a trailing CR (value ends \r\n). On its own this is
+    // byte-identical to one line of a Windows CRLF file, so it is only trusted
+    // when the submodule header itself is closed by a bare LF ("]\n), i.e. mixed
+    // terminators, which is the on-disk fingerprint of a CR smuggled into an LF
+    // .gitmodules. Anchoring on the header close keeps this a rare multi-byte
+    // literal instead of a lone \n that would match every line of every file.
+    $path_trailing_cr = /[\n\x00][ \t]*path[ \t]*=[ \t]*"?[^\r\n]*\r\n/ nocase
+    $url_trailing_cr  = /[\n\x00][ \t]*url[ \t]*=[ \t]*"?[^\r\n]*\r\n/ nocase
+    $bare_lf          = /"\]\n/
+
+  condition:
+    filesize < 1MB and $submodule and (
+      any of ($path_embedded_cr, $url_embedded_cr, $path_eof_cr, $url_eof_cr) or
+      ($bare_lf and any of ($path_trailing_cr, $url_trailing_cr))
+    )
+}