Git vulnerability could lead to an attack of the (repo) clones

[steven36]

Best git patching y'all

 

 

A new version of Git has been emitted to ward off potential arbitrary code execution as a result of merely cloning a malicious repository.

 

CVE-2018-11235, reported by Etienne Stalmans, takes advantage of a flaw in Git whereby sub-module names supplied by the .gitmodules file are not properly validated when appended to $GIT_DIR/modules. Including "../" in a name could result in directory hopping. Post-checkout hooks could then be executed, potentially causing all manner of mayhem to ensue on the victim's system.

 

Another vulnerability, CVE-2018-11233, describes a flaw in the processing of pathnames in Git on NTFS-based systems, allowing the reading of memory contents.

 

In a change from normal programming, the vulnerability appears to be cross platform.

 

Fear not, however, because a patch is available. The Git team released the update in 2.13.7 of the popular coding, collaboration and control tool and forward-ported it to versions 2.14.4, 2.15.2, 2.16.4 and 2.13.7.

 

For its part, Microsoft has urged users to download 2.17.1 (2) of Git for Windows and has blocked the malicious repositories from being pushed to Visual Studio Team Services users. The software giant has also promised a hotfix will "shortly" be available for its popular Visual Studio 2017 platform.

 

Other vendors, such as Debian, have been updating their distributions to include the patched code and recommend that users upgrade to ward off ne'er-do-wells seeking to exploit the vulnerability.

 

Source