lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20220412180510.GA2173@szeder.dev>
Date:   Tue, 12 Apr 2022 20:05:10 +0200
From:   SZEDER Gábor <szeder.dev@...il.com>
To:     Junio C Hamano <gitster@...ox.com>
Cc:     git@...r.kernel.org, Linux Kernel <linux-kernel@...r.kernel.org>,
        git-packagers@...glegroups.com
Subject: Re: [ANNOUNCE] Git v2.35.2 and below for CVE-2022-24765

On Tue, Apr 12, 2022 at 10:01:21AM -0700, Junio C Hamano wrote:
> The latest maintenance release Git v2.35.2, together with releases
> for older maintenance tracks v2.30.3, v2.31.2, v2.32.1, v2.33.2, and
> v2.34.2, are now available at the usual places.
> 
> These maintenance releases are to address the security issues
> described in CVE-2022-24765.  Please update at your earliest
> opportunity.
> 
> The tarballs are found at:
> 
>     https://www.kernel.org/pub/software/scm/git/
> 
> The following public repositories all have a copy of the 'v2.35.2',
> 'v2.34.2', 'v2.33.2', 'v2.32.1', 'v2.31.2', and 'v2.30.3' tags.
> 
>   url = https://git.kernel.org/pub/scm/git/git
>   url = https://kernel.googlesource.com/pub/scm/git/git
>   url = https://github.com/gitster/git
> 
> CVE-2022-24765:
>    On multi-user machines, Git users might find themselves
>    unexpectedly in a Git worktree, e.g. when another user created a
>    repository in `C:\.git`, in a mounted network drive or in a
>    scratch space. Merely having a Git-aware prompt that runs `git
>    status` (or `git diff`) and navigating to a directory which is
>    supposedly not a Git worktree, or opening such a directory in an
>    editor or IDE such as VS Code or Atom, will potentially run
>    commands defined by that other user.
> 
> Credit for finding this vulnerability goes to 俞晨东; the fix was
> authored by Johannes Schindelin.

This fix causes trouble when attempting to 'sudo make install' any
non-tagged Git revision:

  $ git checkout v2.36.0-rc2 
  HEAD is now at 11cfe55261 Git 2.36-rc2
  $ git commit --allow-empty -m foo
  [detached HEAD 237ee2a6ef] foo
  $ make
  GIT_VERSION = 2.36.0.rc2.1.g237ee2a6ef
  [...]
  $ sudo make install
  GIT_VERSION = 2.36.0-rc2
      CC version.o


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ