Date: Tue, 12 Apr 2022 10:02:48 -0700 From: Junio C Hamano <gitster@...ox.com> To: oss-security@...ts.openwall.com Cc: git-security@...glegroups.com, 俞晨东 <ycdxsb@...il.com>, prplr@...hub.com, vdye@...hub.com Subject: git v2.35.2 and friends for CVE-2022-24765 The Git project released versions v2.30.3, v2.31.2, v2.32.1, v2.33.2, v2.34.2, and v2.35.2 today. They are to address CVE-2022-24765. All supported platforms with multiple users are affected in one way or another. https://firstname.lastname@example.org/ We highly recommend to upgrade. The addressed issue is: * CVE-2022-24765: On multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended for all users and another user created a repository in `/scratch/.git`. Merely having a Git-aware prompt that runs `git status` (or `git diff`) and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user via `/scratch/.git/config`. Credit for finding the vulnerability goes to 俞晨东; credit for fixing it goes to Johannes Schindelin.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.