[blfs-book] [BLFS Trac] #11217: git-2.19.1 (Security update)

Fri, 05 Oct 2018 16:00:33 -0700 

#11217: git-2.19.1 (Security update)
-------------------------+-----------------------
 Reporter:  renodr       |      Owner:  blfs-book
     Type:  enhancement  |     Status:  new
 Priority:  highest      |  Milestone:  8.4
Component:  BOOK         |    Version:  SVN
 Severity:  normal       |   Keywords:
-------------------------+-----------------------
 New point version


 {{{
 Git v2.19.1 Release Notes
 =========================

 This release merges up the fixes that appear in v2.14.5 and in
 v2.17.2 to address the recently reported CVE-2018-17456; see the
 release notes for those versions for details.

 }}}


 {{{
 Git 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1

 These releases fix a security flaw (CVE-2018-17456), which allowed an
 attacker to execute arbitrary code by crafting a malicious .gitmodules
 file in a project cloned with --recurse-submodules.

 When running "git clone --recurse-submodules", Git parses the supplied
 .gitmodules file for a URL field and blindly passes it as an argument
 to a "git clone" subprocess.  If the URL field is set to a string that
 begins with a dash, this "git clone" subprocess interprets the URL as
 an option.  This can lead to executing an arbitrary script shipped in
 the superproject as the user who ran "git clone".

 In addition to fixing the security issue for the user running "clone",
 the 2.17.2, 2.18.1 and 2.19.1 releases have an "fsck" check which can
 be used to detect such malicious repository content when fetching or
 accepting a push. See "transfer.fsckObjects" in git-config(1).

 Credit for finding and fixing this vulnerability goes to joernchen
 and Jeff King, respectively.

 References:
 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17456
 https://lists.q42.co.uk/pipermail/git-announce/2018-October/000996.html
 }}}

 Marking as a highest priority vulnerability since a known-working exploit
 is out in the wild (I have a copy, but I'm not sharing it).

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/11217>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

Reply via email to