
Git security vulnerability could lead to an attack of the (repo) clones

Best git patching y'all

A new version of Git has been emitted to ward off attempts to exploit a potential arbitrary code execution vulnerability – which can be triggered by merely cloning a malicious repository.

The security hole, CVE-2018-11235, reported by Etienne Stalmans, stems from a flaw in Git whereby submodule names supplied by the .gitmodules file are not properly validated before being appended to $GIT_DIR/modules. A name containing "../" could therefore place the submodule's git directory outside that tree, for instance inside the parent repository's own .git directory. A post-checkout hook planted there would then be executed during the recursive clone, potentially causing all manner of mayhem to ensue on the victim's system.
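The check below is an added example, not Git's own code: it parses a .gitmodules file and flags submodule names that would escape $GIT_DIR/modules. The rule is modelled on the one the fixed Git versions apply (a name is rejected if it is empty or contains ".." as a path component, with both "/" and "\" treated as separators so the verdict is the same on every platform); the sample .gitmodules text and the example URLs are constructed for illustration.

```python
#!/usr/bin/env python3
"""Flag submodule names in a .gitmodules file that would escape $GIT_DIR/modules.

Added example, not Git's own code. The rule is modelled on the check the
fixed Git versions apply: a name is rejected if it is empty or contains ".."
as a path component, treating both "/" and "\\" as separators.
"""
import re
from typing import Dict, List

# Constructed sample: one benign submodule and one whose name walks out of
# $GIT_DIR/modules (the URLs are placeholders, not real repositories).
SAMPLE_GITMODULES = """\
[submodule "lib/harmless"]
\tpath = lib/harmless
\turl = https://example.invalid/harmless.git
[submodule "../../hooks"]
\tpath = evil
\turl = https://example.invalid/evil.git
"""

_SECTION = re.compile(r'^\s*\[submodule\s+"(.*)"\]\s*$')
_KEYVAL = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the [submodule "<name>"] sections of .gitmodules.

    Returns {name: {key: value}} in file order. It handles the shape Git
    itself writes; it does not implement every quoting rule of git-config.
    """
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            modules.setdefault(current, {})
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            modules[current][m.group(1)] = m.group(2)
    return modules


def is_safe_submodule_name(name: str) -> bool:
    """Reject empty names and any name with a '..' path component.

    Both '/' and '\\' count as separators: a name such as 'a\\..\\b' must be
    rejected on Linux too, otherwise a repository crafted on one platform
    becomes a trap on another.
    """
    if not name:
        return False
    return all(component != ".." for component in re.split(r"[/\\]", name))


def unsafe_submodule_names(text: str) -> List[str]:
    """Return the submodule names in a .gitmodules text that fail the check."""
    return [name for name in parse_gitmodules(text) if not is_safe_submodule_name(name)]


if __name__ == "__main__":
    for bad in unsafe_submodule_names(SAMPLE_GITMODULES):
        print(f"unsafe submodule name: {bad!r}")
```

Run it against a checked-out .gitmodules before recursing into an untrusted clone on an old Git; on patched versions the same class of name is also caught by git fsck's gitmodulesName check, which hosting servers can enforce on incoming pushes via receive.fsckObjects.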

Another vulnerability, CVE-2018-11233, describes a flaw in the code that sanity-checks pathnames for NTFS, allowing out-of-bounds memory to be read.

In a change from normal programming, the submodule vulnerability is not confined to Windows: it is cross-platform.

Fear not, however, because a patch is available. The Git team released the fix in 2.13.7 of the popular coding, collaboration and control tool and forward-ported it to versions 2.14.4, 2.15.2, 2.16.4 and 2.17.1.

For its part, Microsoft has urged users to download Git for Windows 2.17.1(2) and has blocked the malicious repositories from being pushed to Visual Studio Team Services users. The software giant has also promised a hotfix will "shortly" be available for its popular Visual Studio 2017 platform.

Other vendors, such as Debian, have been updating their Linux and software distributions to include the patched code and recommend that users upgrade to thwart ne'er-do-wells seeking to exploit the vulnerability. ®

PS: Earlier this month, Google announced version two of Git's wire protocol.
