
List:       oss-security
Subject:    [oss-security] git v2.35.2 and friends for CVE-2022-24765
From:       Junio C Hamano <gitster () pobox ! com>
Date:       2022-04-12 17:02:48
Message-ID: xmqqo816b5fr.fsf () gitster ! g

The Git project released versions v2.30.3, v2.31.2, v2.32.1,
v2.33.2, v2.34.2, and v2.35.2 today.  They are to address
CVE-2022-24765.  All supported platforms with multiple users are
affected in one way or another.

    https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/

We highly recommend upgrading.

The addressed issue is:

* CVE-2022-24765:
  On multi-user machines, Git users might find themselves unexpectedly in
  a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended
  for all users and another user created a repository in `/scratch/.git`.
  Merely having a Git-aware prompt that runs `git status` (or `git diff`)
  and navigating to a directory which is supposedly not a Git worktree, or
  opening such a directory in an editor or IDE such as VS Code or Atom, will
  potentially run commands defined by that other user via
  `/scratch/.git/config`.
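A defensive guard for the Git-aware prompt scenario described above, added here as an example and not part of the advisory or of Git itself: it performs the same upward `.git` discovery that Git does and refuses to run `git status` unless the discovered `.git` is owned by the invoking user. Function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory or from Git): a guard a Git-aware
# prompt can call before `git status`, so it never reads a `.git` that
# another user planted in a shared parent such as /scratch/.

# Print the `.git` that Git would discover for directory $1 by walking up.
find_git_dir() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    while :; do
        if [ -e "$dir/.git" ]; then
            printf '%s\n' "$dir/.git"
            return 0
        fi
        [ "$dir" = / ] && return 1
        dir=$(dirname "$dir")
    done
}

# Succeed only if path $1 is owned by user $2 (defaults to the invoking user).
# `find -prune -user` is POSIX and does not descend into the directory.
owned_by() {
    owner=${2:-$(id -un)}
    [ -n "$(find "$1" -prune -user "$owner" -print 2>/dev/null)" ]
}

# Decide whether the prompt may run `git status` from directory $1.
# Prints "none" (no repository), "trusted" or "untrusted"; only the last
# case returns non-zero.
git_prompt_check() {
    gitdir=$(find_git_dir "$1") || { echo none; return 0; }
    if owned_by "$gitdir" "${2:-}"; then
        echo trusted
        return 0
    fi
    echo untrusted
    return 1
}

# Prompt usage: run Git only when the discovered repository is ours.
[ "$(git_prompt_check "$PWD")" = trusted ] && git status --short 2>/dev/null
```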

Credit for finding the vulnerability goes to 俞晨东; credit for fixing
it goes to Johannes Schindelin.