From: "SZEDER Gábor" <szeder.dev@gmail.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org, Linux Kernel <linux-kernel@vger.kernel.org>,
git-packagers@googlegroups.com
Subject: Re: [ANNOUNCE] Git v2.35.2 and below for CVE-2022-24765
Date: Tue, 12 Apr 2022 20:05:10 +0200 [thread overview]
Message-ID: <20220412180510.GA2173@szeder.dev> (raw)
In-Reply-To: <xmqqv8veb5i6.fsf@gitster.g>
On Tue, Apr 12, 2022 at 10:01:21AM -0700, Junio C Hamano wrote:
> The latest maintenance release Git v2.35.2, together with releases
> for older maintenance tracks v2.30.3, v2.31.2, v2.32.1, v2.33.2, and
> v2.34.2, are now available at the usual places.
>
> These maintenance releases are to address the security issues
> described in CVE-2022-24765. Please update at your earliest
> opportunity.
>
> The tarballs are found at:
>
> https://www.kernel.org/pub/software/scm/git/
>
> The following public repositories all have a copy of the 'v2.35.2',
> 'v2.34.2', 'v2.33.2', 'v2.32.1', 'v2.31.2', and 'v2.30.3' tags.
>
> url = https://git.kernel.org/pub/scm/git/git
> url = https://kernel.googlesource.com/pub/scm/git/git
> url = https://github.com/gitster/git
>
> CVE-2022-24765:
> On multi-user machines, Git users might find themselves
> unexpectedly in a Git worktree, e.g. when another user created a
> repository in `C:\.git`, in a mounted network drive or in a
> scratch space. Merely having a Git-aware prompt that runs `git
> status` (or `git diff`) and navigating to a directory which is
> supposedly not a Git worktree, or opening such a directory in an
> editor or IDE such as VS Code or Atom, will potentially run
> commands defined by that other user.
>
> Credit for finding this vulnerability goes to 俞晨东; the fix was
> authored by Johannes Schindelin.
This fix causes trouble when attempting to 'sudo make install' any
non-tagged Git revision:
$ git checkout v2.36.0-rc2
HEAD is now at 11cfe55261 Git 2.36-rc2
$ git commit --allow-empty -m foo
[detached HEAD 237ee2a6ef] foo
$ make
GIT_VERSION = 2.36.0.rc2.1.g237ee2a6ef
[...]
$ sudo make install
GIT_VERSION = 2.36.0-rc2
CC version.o
next prev parent reply other threads:[~2022-04-12 18:05 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-12 17:01 [ANNOUNCE] Git v2.35.2 and below for CVE-2022-24765 Junio C Hamano
2022-04-12 18:05 ` SZEDER Gábor [this message]
2022-04-14 0:22 ` [ANNOUNCE] Git v2.35.3 and below as a usability fix Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220412180510.GA2173@szeder.dev \
--to=szeder.dev@gmail.com \
--cc=git-packagers@googlegroups.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).