oss-sec mailing list archives

CVE-2018-17456 Git RCE via .gitmodules


From: joernchen <joernchen () phenoelit de>
Date: Sat, 6 Oct 2018 13:40:04 +0200

Hey,

just a short heads up to oss-sec:

Git has just [0] released versions 2.14.5, 2.15.3, 2.16.5, 2.17.2,
2.18.1, and 2.19.1 which mitigate CVE-2018-17456, an RCE issue I found
within the handling of Git submodules.

More specifically, this issue allows execution of arbitrary commands via
an argument injection to subsequent `git clone` operations using the
`url` parameter in the `.gitmodules` file.


Cheers,

joernchen

[0] https://marc.info/?l=git&m=153875888916397&w=2

--
joernchen ~ Phenoelit
<joernchen () phenoelit de> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC
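
A defensive check for the issue described above, as an added example that is not part of the original post or of Git's own code: a simplified Python scanner that flags `.gitmodules` `url` values beginning with `-`, which is the form a value must take to be read as an option when it reaches `git clone`. The function name, the sample file and its values are constructed for illustration, and the parser assumes the common subset of Git config syntax (no line continuations, escapes or inline comments).

```python
import re

# Matches a section header such as: [submodule "vendor/lib"]
SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>(?:[^"\\]|\\.)*)"\]$')
KEY_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')

# Constructed sample; the flagged values are harmless placeholders.
SAMPLE = '''\
[submodule "docs"]
    path = docs
    url = https://example.com/docs.git
[submodule "vendor/lib"]
    path = vendor/lib
    url = --constructed-option=value
[submodule "quoted"]
    path = quoted
    url = "-x"
'''

def find_option_like_urls(gitmodules_text):
    """Return (submodule, line_no, value) for each url value starting with '-'."""
    findings = []
    current = None  # name of the submodule section being read
    for line_no, raw in enumerate(gitmodules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        section = SECTION_RE.match(line)
        if section:
            current = section.group("name")
            continue
        if line.startswith("["):
            current = None  # some other section; its keys are ignored
            continue
        entry = KEY_RE.match(line)
        if entry and current is not None and entry.group("key").lower() == "url":
            value = entry.group("value").strip()
            # Git config values may be double-quoted; check the unquoted form.
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            if value.startswith("-"):
                findings.append((current, line_no, value))
    return findings

if __name__ == "__main__":
    for name, line_no, value in find_option_like_urls(SAMPLE):
        print(f"line {line_no}: submodule {name!r} has option-like url {value!r}")
```

A check like this is useful for reviewing repositories before they are cloned recursively on hosts that have not yet been upgraded to one of the fixed releases listed in the message.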

