
Git vulnerability could lead to an attack of the (repo) clones



Best git patching y'all




A new version of Git has been emitted to ward off potential arbitrary code execution as a result of merely cloning a malicious repository.


CVE-2018-11235, reported by Etienne Stalmans, takes advantage of a flaw in Git whereby submodule names supplied by the .gitmodules file are not properly validated when appended to $GIT_DIR/modules. Including "../" in a name could result in directory hopping. Post-checkout hooks could then be executed, potentially causing all manner of mayhem to ensue on the victim's system.


Another vulnerability, CVE-2018-11233, describes a flaw in the processing of pathnames in Git on NTFS-based systems, allowing the reading of memory contents.


In a change from normal programming, the vulnerability appears to be cross-platform.


Fear not, however, because a patch is available. The Git team released the update in 2.13.7 of the popular coding, collaboration and control tool and forward-ported it to versions 2.14.4, 2.15.2, 2.16.4 and 2.13.7.


For its part, Microsoft has urged users to download 2.17.1 (2) of Git for Windows and has blocked the malicious repositories from being pushed to Visual Studio Team Services users. The software giant has also promised a hotfix will "shortly" be available for its popular Visual Studio 2017 platform.


Other vendors, such as Debian, have been updating their distributions to include the patched code and recommend that users upgrade to ward off ne'er-do-wells seeking to exploit the vulnerability.



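For anyone who cannot roll out the patched Git everywhere at once, the mechanism the post describes (a submodule name from .gitmodules being appended to $GIT_DIR/modules without validation) is easy to audit for before running `git submodule update` on an older client. The script below is an added example written for this thread, not code from Git, Microsoft or the article: it parses the submodule sections of a .gitmodules file and flags any name that would land outside $GIT_DIR/modules. The rule for rejecting empty names and any ".." path component (splitting on both "/" and "\" regardless of host OS) mirrors the validation the fix introduced as I understand it; the absolute-path check is my own addition, and the sample .gitmodules content is constructed.

```python
"""Pre-clone audit of a .gitmodules file for submodule names that would
escape $GIT_DIR/modules (the CVE-2018-11235 pattern).

Added example for this thread, not code from Git or from the article.
The empty-name and '..'-component rule mirrors the fix as I understand
it; the absolute-path check is my own addition.
"""
import re
import sys

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Minimal parser for the git-config syntax used by .gitmodules.

    Returns {submodule_name: {key: value}}. Only [submodule "..."] sections
    are collected; comment lines (# or ;) are skipped. This is not a full
    git-config parser (no quoting/escaping, no include directives).
    """
    modules = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            modules.setdefault(current, {})
            continue
        if line.startswith("["):      # some other section: ignore its keys
            current = None
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            modules[current][m.group(1).lower()] = m.group(2)
    return modules


def submodule_name_problems(name):
    """Return the reasons a submodule name is unsafe to append to
    $GIT_DIR/modules; an empty list means the name is acceptable."""
    if name == "":
        return ["empty name"]
    problems = []
    # Split on both separators regardless of host OS, as the fix does, so a
    # name that is harmless on Linux cannot become a traversal on Windows.
    components = re.split(r"[/\\]", name)
    if any(c == ".." for c in components):
        problems.append("contains a '..' path component (escapes $GIT_DIR/modules)")
    # Extra check of my own: an absolute path also lands outside $GIT_DIR.
    if components[0] == "" or re.match(r"^[A-Za-z]:", name):
        problems.append("absolute path")
    return problems


def audit_gitmodules(text):
    """Map each unsafe submodule name to its list of problems."""
    findings = {}
    for name in parse_gitmodules(text):
        problems = submodule_name_problems(name)
        if problems:
            findings[name] = problems
    return findings


# Constructed sample .gitmodules: one ordinary entry and two whose names
# an unpatched client would have turned into a path outside $GIT_DIR/modules.
SAMPLE = """\
[submodule "lib/helper"]
\tpath = lib/helper
\turl = https://example.invalid/helper.git
; comment line
[submodule "../outside"]
\tpath = vendor/outside
\turl = https://example.invalid/outside.git
[submodule "deep\\..\\also-outside"]
\tpath = vendor/also
\turl = https://example.invalid/also.git
"""

if __name__ == "__main__":
    # Usage: python audit_gitmodules.py [path/to/.gitmodules]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    findings = audit_gitmodules(text)
    if not findings:
        print("no unsafe submodule names")
    for name, probs in findings.items():
        print(f"UNSAFE {name!r}: {'; '.join(probs)}")
```

Run it with the path to a freshly fetched repository's .gitmodules as the argument (or with no argument to see it flag the two constructed bad entries); a non-empty report means the repository should not have its submodules checked out on an unpatched client.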