[manjaro-security] [ASA-201810-7] git: arbitrary code execution

Remi Gacogne rgacogne at archlinux.org
Tue Oct 9 14:19:18 CEST 2018


Arch Linux Security Advisory ASA-201810-7
=========================================

Severity: High
Date    : 2018-10-09
CVE-ID  : CVE-2018-17456
Package : git
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-776

Summary
=======

The package git before version 2.19.1-1 is vulnerable to arbitrary code
execution.

Resolution
==========

Upgrade to 2.19.1-1.

# pacman -Syu "git>=2.19.1-1"

The problem has been fixed upstream in version 2.19.1.

Workaround
==========

None.

Description
===========

A security issue has been found in git versions prior to 2.19.1, which
allows an attacker to execute arbitrary code by crafting a malicious
.gitmodules file in a project cloned with --recurse-submodules.
When running "git clone --recurse-submodules", Git parses the supplied
.gitmodules file for a URL field and blindly passes it as an argument
to a "git clone" subprocess. If the URL field is set to a string that
begins with a dash, this "git clone" subprocess interprets the URL as an
option. This can lead to executing an arbitrary script shipped in the
superproject as the user who ran "git clone".

Impact
======

A remote attacker can execute arbitrary code on the affected host by
convincing a local user to clone a specially crafted git repository and
its sub-modules.

References
==========

https://marc.info/?l=git&m=153875888916397&w=2
https://git.kernel.org/pub/scm/git/git.git/commit/?id=98afac7a7cefdca0d2c4917dd8066a59f7088265
https://git.kernel.org/pub/scm/git/git.git/commit/?id=f6adec4e329ef0e25e14c63b735a5956dc67b8bc
https://git.kernel.org/pub/scm/git/git.git/commit/?id=273c61496f88c6495b886acb1041fe57965151da
https://security.archlinux.org/CVE-2018-17456

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20181009/67a44012/attachment.sig>


More information about the manjaro-security mailing list