From: demerphq <demerphq@gmail.com>
To: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Cc: Philippe Blain <levraiphilippeblain@gmail.com>,
Junio C Hamano <gitster@pobox.com>, Git <git@vger.kernel.org>,
Johannes Schindelin <johannes.schindelin@gmx.de>
Subject: Re: CVE-2022-24765 and core.sharedRepository (was: What's cooking in git.git (Apr 2022, #03; Tue, 12))
Date: Wed, 13 Apr 2022 05:10:11 +0200 [thread overview]
Message-ID: <CANgJU+XU_j2Ge-c34qqKMZRjM5k4OBYMiJa4t7WJcPsdABWHiQ@mail.gmail.com> (raw)
In-Reply-To: <220412.86h76yglfe.gmgdl@evledraar.gmail.com>
On Tue, 12 Apr 2022 at 21:43, Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
>
>
> On Tue, Apr 12 2022, Philippe Blain wrote:
>
> [A change of $subject seems in order]
>
> > Le 2022-04-12 à 13:04, Junio C Hamano a écrit :
> >>
> >>
> >> Security releases for the 2.30-2.35 maintenance tracks have been
> >> tagged to address CVE-2022-24765, which allows a user to trick other
> >> users into running a command of their choice easily on multi-user
> >> machines with a shared "mob" directory. The fix has been also
> >> merged to Git 2.36-rc2 and to all integration branches.
> >>
> >
> > This is quite a big behaviour change for some environments [1], so I would think maybe it
> > deserves to be fully spelled out in the release notes for 2.36.0,
> > instead of just referring readers to the release notes for the maintenance
> > release, where they can read a full description only in the release notes
> > for 2.30.3 ?
>
> Yes, I think it deserves to be noted very prominently, and also that we
> had some mechanism for publishing relevant git-security@ discussions
> (possibly with some parts redacted) after the issues become public.
>
> Non knowing if others involved are OK with being quoted I'll just say
> that this issue was discussed at some length on the list, in particular
> that it'll severely hinder some core.sharedRepository workflows.
>
> Quoting (part of) my own reply from one of those exchanges (this is in
> reply to Johannes Schindelin):
>
> But I don't understand why we need to immediately die() when we detect
> this situation in setup.c.
Would I be right in thinking this explains new breakage we are seeing
in CI jobs we (the Perl project) have hosted on GitHub:
https://github.com/Perl/perl5/runs/6000831257?check_suite_focus=true#step:5:1
Run git remote set-url origin "***github.com/$GITHUB_REPOSITORY"
fatal: unsafe repository ('/__w/perl5/perl5' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /__w/perl5/perl5
Process completed with exit code 128.
Cheers,
Yves
next prev parent reply other threads:[~2022-04-13 3:10 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-12 17:04 What's cooking in git.git (Apr 2022, #03; Tue, 12) Junio C Hamano
2022-04-12 17:52 ` Philippe Blain
2022-04-12 18:55 ` CVE-2022-24765 and core.sharedRepository (was: What's cooking in git.git (Apr 2022, #03; Tue, 12)) Ævar Arnfjörð Bjarmason
2022-04-13 3:10 ` demerphq [this message]
2022-04-13 23:51 ` What's cooking in git.git (Apr 2022, #03; Tue, 12) Junio C Hamano
2022-04-13 20:08 ` ab/plug-leak-in-revisions (was: What's cooking in git.git (Apr 2022, #03; Tue, 12)) Ævar Arnfjörð Bjarmason
2022-04-13 23:32 ` ab/plug-leak-in-revisions Junio C Hamano
2022-04-14 7:22 ` ab/plug-leak-in-revisions Ævar Arnfjörð Bjarmason
2022-04-14 18:33 ` ab/plug-leak-in-revisions Junio C Hamano
2022-04-13 20:11 ` ab/ci-setup-simplify etc. (was: What's cooking in git.git (Apr 2022, #03; Tue, 12)) Ævar Arnfjörð Bjarmason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CANgJU+XU_j2Ge-c34qqKMZRjM5k4OBYMiJa4t7WJcPsdABWHiQ@mail.gmail.com \
--to=demerphq@gmail.com \
--cc=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=johannes.schindelin@gmx.de \
--cc=levraiphilippeblain@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).