oss-sec mailing list archives
git v2.35.2 and friends for CVE-2022-24765
From: Junio C Hamano <gitster () pobox com>
Date: Tue, 12 Apr 2022 10:02:48 -0700
The Git project released versions v2.30.3, v2.31.2, v2.32.1, v2.33.2, v2.34.2, and v2.35.2 today. They are to address CVE-2022-24765. All supported platforms with multiple users are affected in one way or another.

https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/

We highly recommend upgrading.

The addressed issue is:

* CVE-2022-24765: On multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended for all users and another user created a repository in `/scratch/.git`. Merely having a Git-aware prompt that runs `git status` (or `git diff`) and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user via `/scratch/.git/config`.

Credit for finding the vulnerability goes to 俞晨东; credit for fixing it goes to Johannes Schindelin.
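The mechanism behind the issue is Git's upward repository discovery: any directory below `/scratch/` resolves to `/scratch/.git`, so the configuration in that `.git/config` is trusted even though another user wrote it. The fixed versions refuse to use a repository whose directory is owned by a different user than the one running Git. The following script is an added example, not Git's own code and not from this announcement; it reproduces that discovery walk and ownership check so an administrator can audit shared directories for repositories that would be picked up by other users' prompts or IDEs. The function names, the three-way classification, and the `current_uid` parameter (used to simulate another account) are this example's own choices; it assumes a POSIX system, since it relies on `os.getuid()`.

```python
"""
Audit helper: find the Git directory that repository discovery would select
for a given path and flag it when it is owned by a different user.

Added example (not Git's own implementation). Assumes POSIX (os.getuid()).
"""
import os
import sys
from pathlib import Path
from typing import Optional


def find_git_dir(start: Path) -> Optional[Path]:
    """Walk upward from `start`, the way Git discovers a repository, and
    return the first `.git` directory found, or None at the filesystem root.
    GIT_CEILING_DIRECTORIES and the cross-filesystem stop are not modelled."""
    current = start.resolve()
    while True:
        candidate = current / ".git"
        if candidate.is_dir():
            return candidate
        if current.parent == current:  # reached "/"
            return None
        current = current.parent


def is_dubiously_owned(git_dir: Path, current_uid: Optional[int] = None) -> bool:
    """True when `git_dir` belongs to someone other than the invoking user.
    `current_uid` can be passed explicitly to simulate another account."""
    if current_uid is None:
        current_uid = os.getuid()
    return git_dir.stat().st_uid != current_uid


def check_directory(start: Path, current_uid: Optional[int] = None) -> str:
    """Classify `start` as 'not-a-repo', 'safe', or 'dubious'.

    'dubious' is the /scratch/ case from the advisory: a .git directory owned
    by another user would be used for any command run below it."""
    git_dir = find_git_dir(start)
    if git_dir is None:
        return "not-a-repo"
    if is_dubiously_owned(git_dir, current_uid):
        return "dubious"
    return "safe"


if __name__ == "__main__":
    # Usage: python audit_gitdir.py /scratch/some/subdir
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()
    print(f"{target}: {check_directory(target)}")
```

Running it against each entry of a world-writable scratch area (or against the directories a shared IDE opens) lists the repositories that would have been trusted before the fix. Directories reported as `dubious` are the ones to inspect; removing or re-owning the stray `.git` closes the path the advisory describes.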