From: "SZEDER Gábor" <szeder.dev@gmail.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org, Linux Kernel <linux-kernel@vger.kernel.org>,
git-packagers@googlegroups.com
Subject: Re: [ANNOUNCE] Git v2.35.2 and below for CVE-2022-24765
Date: Tue, 12 Apr 2022 20:05:10 +0200 [thread overview]
Message-ID: <20220412180510.GA2173@szeder.dev> (raw)
In-Reply-To: <xmqqv8veb5i6.fsf@gitster.g>
On Tue, Apr 12, 2022 at 10:01:21AM -0700, Junio C Hamano wrote:
> The latest maintenance release Git v2.35.2, together with releases
> for older maintenance tracks v2.30.3, v2.31.2, v2.32.1, v2.33.2, and
> v2.34.2, are now available at the usual places.
>
> These maintenance releases are to address the security issues
> described in CVE-2022-24765. Please update at your earliest
> opportunity.
>
> The tarballs are found at:
>
> https://www.kernel.org/pub/software/scm/git/
>
> The following public repositories all have a copy of the 'v2.35.2',
> 'v2.34.2', 'v2.33.2', 'v2.32.1', 'v2.31.2', and 'v2.30.3' tags.
>
> url = https://git.kernel.org/pub/scm/git/git
> url = https://kernel.googlesource.com/pub/scm/git/git
> url = https://github.com/gitster/git
>
> CVE-2022-24765:
> On multi-user machines, Git users might find themselves
> unexpectedly in a Git worktree, e.g. when another user created a
> repository in `C:\.git`, in a mounted network drive or in a
> scratch space. Merely having a Git-aware prompt that runs `git
> status` (or `git diff`) and navigating to a directory which is
> supposedly not a Git worktree, or opening such a directory in an
> editor or IDE such as VS Code or Atom, will potentially run
> commands defined by that other user.
>
> Credit for finding this vulnerability goes to 俞晨东; the fix was
> authored by Johannes Schindelin.
This fix causes trouble when attempting to 'sudo make install' any
non-tagged Git revision:
$ git checkout v2.36.0-rc2
HEAD is now at 11cfe55261 Git 2.36-rc2
$ git commit --allow-empty -m foo
[detached HEAD 237ee2a6ef] foo
$ make
GIT_VERSION = 2.36.0.rc2.1.g237ee2a6ef
[...]
$ sudo make install
GIT_VERSION = 2.36.0-rc2
CC version.o
next prev parent reply other threads:[~2022-04-12 18:05 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-12 17:01 [ANNOUNCE] Git v2.35.2 and below for CVE-2022-24765 Junio C Hamano
2022-04-12 18:05 ` SZEDER Gábor [this message]
2022-04-14 0:22 ` [ANNOUNCE] Git v2.35.3 and below as a usability fix Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220412180510.GA2173@szeder.dev \
--to=szeder.dev@gmail.com \
--cc=git-packagers@googlegroups.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.