List: oss-security
Subject: [oss-security] git v2.35.2 and friends for CVE-2022-24765
From: Junio C Hamano <gitster () pobox ! com>
Date: 2022-04-12 17:02:48
Message-ID: xmqqo816b5fr.fsf () gitster ! g
The Git project released versions v2.30.3, v2.31.2, v2.32.1,
v2.33.2, v2.34.2, and v2.35.2 today. They are to address
CVE-2022-24765. All supported platforms with multiple users are
affected in one way or another.
https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/
We highly recommend upgrading.
The addressed issue is:
* CVE-2022-24765:
On multi-user machines, Git users might find themselves unexpectedly in
a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended
for all users and another user created a repository in `/scratch/.git`.
Merely having a Git-aware prompt that runs `git status` (or `git diff`)
and navigating to a directory which is supposedly not a Git worktree, or
opening such a directory in an editor or IDE such as VS Code or Atom, will
potentially run commands defined by that other user via
`/scratch/.git/config`.
Credit for finding the vulnerability goes to 俞晨东; credit for fixing
it goes to Johannes Schindelin.
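The discovery walk the advisory describes, and the ownership check the fixed releases added, as a constructed Python model. This is an added example, not Git's code and not part of the original message. It represents the filesystem as a dictionary so that another user's ownership can be expressed; the rule it applies (the directory holding `.git` must belong to the current user, or be listed in the `safe.directory` setting introduced in these releases) is a simplified model of the fix, and the paths, uids and function names are assumptions made for illustration. The message does not name the configuration keys that can run commands, so the example stops at the point where fixed Git refuses to read the other user's `config`.

```python
"""Model of Git's upward repository discovery and the CVE-2022-24765
ownership check. This is a constructed simulation, not Git's code."""
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """A filesystem node: whether it is a directory and who owns it."""
    is_dir: bool
    uid: int


# Constructed filesystem (assumed layout). /scratch is a shared area owned
# by root; user 1001 has planted /scratch/.git; user 1000 (alice) keeps her
# own repository under /scratch/alice/proj.
FS = {
    "/": Entry(True, 0),
    "/scratch": Entry(True, 0),
    "/scratch/.git": Entry(True, 1001),
    "/scratch/.git/config": Entry(False, 1001),
    "/scratch/alice": Entry(True, 1000),
    "/scratch/alice/notes": Entry(True, 1000),
    "/scratch/alice/proj": Entry(True, 1000),
    "/scratch/alice/proj/.git": Entry(True, 1000),
    "/home": Entry(True, 0),
}


def discover_git_dir(cwd, fs=FS):
    """Pre-fix behaviour: walk from cwd towards / and return the first
    `.git` directory found, or None. Ownership is not considered, so from
    /scratch/alice/notes the walk lands on the other user's /scratch/.git."""
    cur = posixpath.normpath(cwd)
    while True:
        candidate = posixpath.join(cur, ".git")
        entry = fs.get(candidate)
        if entry is not None and entry.is_dir:
            return candidate
        if cur == "/":
            return None
        cur = posixpath.dirname(cur)


class UnsafeRepository(Exception):
    """Raised where fixed Git refuses to use a repository."""


def discover_git_dir_safe(cwd, current_uid, safe_directories=(), fs=FS):
    """Fixed behaviour (simplified model): the directory holding `.git`
    must be owned by current_uid, or be listed in safe_directories
    (modelled on the safe.directory setting); otherwise refuse before
    any configuration from that repository is read."""
    git_dir = discover_git_dir(cwd, fs)
    if git_dir is None:
        return None
    worktree = posixpath.dirname(git_dir)
    owner = fs[worktree].uid
    if owner != current_uid and worktree not in safe_directories:
        raise UnsafeRepository(
            f"{worktree} is owned by uid {owner}, not {current_uid}; "
            f"refusing to read {git_dir}/config")
    return git_dir


if __name__ == "__main__":
    alice = 1000
    # Unpatched discovery picks up the planted repository.
    print(discover_git_dir("/scratch/alice/notes"))  # /scratch/.git
    # Alice's own repository is still usable after the fix.
    print(discover_git_dir_safe("/scratch/alice/proj", alice))
    # The planted repository is refused ...
    try:
        discover_git_dir_safe("/scratch/alice/notes", alice)
    except UnsafeRepository as exc:
        print("refused:", exc)
    # ... unless the shared directory is explicitly trusted.
    print(discover_git_dir_safe("/scratch/alice/notes", alice, ("/scratch",)))
```

The model shows why a prompt or IDE running `git status` from `/scratch/alice/notes` was enough to pick up `/scratch/.git` before the fix: discovery stops at the first `.git` found on the way up, regardless of who owns it.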