The Git Project addresses a critical arbitrary code execution vulnerability in Git

Haythem Elmir

The Git Project released a new version of the Git client, Github Desktop, or Atom. that addressed a critical remote code execution vulnerability in the Git.

The Git Project addressed a critical remote code execution vulnerability in the Git command line client, Git Desktop, and Atom.

The flaw tracked as CVE-2018-17456 could be exploited by malicious repositories to remotely execute commands on a vulnerable system.

A malicious repository can create a .gitmodules file that contains an URL that starts with a dash.

The usage of a dash when Git clones a repository using the –recurse-submodules argument, will trigger the command to interpret the URL as an option, making possible for an attacker to perform remote code execution on the computer.

“When running “git clone –recurse-submodules”, Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a “git clone” subprocess.  If the URL field is set to a string that begins with a dash, this “git clone” subprocess interprets the URL as an option.  This can lead to executing an arbitrary script shipped in the superproject as the user who ran “git clone”.”

In addition to fixing the security issue for the user running “clone”, the 2.17.2, 2.18.1 and 2.19.1 releases have an “fsck” check which can be used to detect such malicious repository content when fetching or accepting a push. See “transfer.fsckObjects” in git-config(1).

This flaw has been addressed in Git v2.19.1, GitHub Desktop 1.4.2, Github Desktop 1.4.3-beta0, Atom 1.31.2, and Atom 1.32.0-beta3.

Users have to upgrade their installs to the latest version of the Git client, Github Desktop, or Atom.

To read the original article:

Laisser un commentaire

Next Post

Attackers use voicemail hack to steal WhatsApp accounts

Another online account hijacking attack has emerged, this time targeting WhatsApp. The Israeli agency responsible for cybersecurity has warned its citizens about the attack, which can often be conducted without any knowledge or interaction on their part. All the attacker needs is the victim’s phone number. First documented by security […]