Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <xmqqo816b5fr.fsf@gitster.g>
Date: Tue, 12 Apr 2022 10:02:48 -0700
From: Junio C Hamano <gitster@...ox.com>
To: oss-security@...ts.openwall.com
Cc: git-security@...glegroups.com, 俞晨东
 <ycdxsb@...il.com>,
  prplr@...hub.com,  vdye@...hub.com
Subject: git v2.35.2 and friends for CVE-2022-24765

The Git project released versions v2.30.3, v2.31.2, v2.32.1,
v2.33.2, v2.34.2, and v2.35.2 today.  They are to address
CVE-2022-24765.  All supported platforms with multiple users are
affected in one way or another.

    https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/

We highly recommend to upgrade.

The addressed issue is:

* CVE-2022-24765:
  On multi-user machines, Git users might find themselves unexpectedly in
  a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended
  for all users and another user created a repository in `/scratch/.git`.
  Merely having a Git-aware prompt that runs `git status` (or `git diff`)
  and navigating to a directory which is supposedly not a Git worktree, or
  opening such a directory in an editor or IDE such as VS Code or Atom, will
  potentially run commands defined by that other user via
  `/scratch/.git/config`.

Credit for finding the vulnerability goes to 俞晨东; credit for fixing
it goes to Johannes Schindelin.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.