From: Adam Dinwoodie <adam@dinwoodie.org>
To: Git Mailing List <git@vger.kernel.org>
Subject: Security vulnerability in Git for Cygwin
Date: Sat, 24 Apr 2021 21:32:35 +0100
Message-ID: <CA+kUOa=juEdBMVr_gyTKjz7PkPt2DZHkXQyzcQmAWCsEHC_ssw@mail.gmail.com>
Hi folks,
I don't typically announce Cygwin releases of Git on this mailing
list, but this one's for a security vulnerability, and in particular
I'd like to catch the (hopefully very small number of) people who use
Git on Cygwin compiling it themselves.
I've just uploaded version 2.31.1-2 of Git to the Cygwin distribution
server, and it will be being distributed to the Cygwin mirrors over
the next few hours.
This update addresses CVE-2021-29468, which would cause Git to
overwrite arbitrary files with attacker-controlled contents when
checking out content from a malicious repository, and in particular
would allow an attacker to overwrite Git hooks to execute arbitrary
code.
Having discussed with the Git security list, I believe there are very
few people compiling Git on Cygwin themselves, and therefore agreed to
release the patched Cygwin build without yet having a patch in the
main Git source code. However if you do use a version of Git on Cygwin
that isn't from the official Cygwin distribution servers, I'd strongly
recommend either not checking out or cloning from any untrusted
repositories until you've applied at least the functional part of the
patch I'll be submitting shortly.
I'd like to thank RyotaK (https://github.com/Ry0taK /
https://twitter.com/ryotkak) for finding and responsibly disclosing
this vulnerability, and Johannes Schindelin for helping manage the
response.
Kind regards,
Adam
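A small self-check that follows from the announcement above: it is added here as an example and is not part of the original message or of the Cygwin Git package. It reads the package line for `git` from `cygcheck -c git` output (a constructed sample is embedded so it runs offline) and compares the Cygwin package version against the fixed release named in the mail, 2.31.1-2. The version-tuple comparison and the "not installed via Cygwin setup" handling are my assumptions about a sensible check, not something the announcement specifies; a self-compiled Git does not appear in `cygcheck` output at all, which is exactly the population the mail warns about.

```python
"""Check whether the installed Cygwin Git package is at or above the fixed release.

Added example, not from the announcement. Assumes the Cygwin `cygcheck -c git`
output format (header lines followed by "package version status" columns).
"""
import re
import subprocess

# Fixed package version as stated in the announcement.
FIXED_VERSION = "2.31.1-2"

# Constructed sample of `cygcheck -c git` output; not captured from a real host.
SAMPLE_CYGCHECK_OUTPUT = """\
Cygwin Package Information
Package              Version        Status
git                  2.31.1-1       OK
"""


def parse_version(ver: str):
    """Split 'upstream-release' (e.g. '2.31.1-2') into a comparable key.

    Upstream components compare numerically, so 2.32 sorts above 2.31.1 and
    2.31 sorts below 2.31.1; the Cygwin release number breaks ties.
    """
    upstream, _, release = ver.partition("-")
    parts = tuple(int(p) for p in re.findall(r"\d+", upstream))
    rel = int(release) if release.isdigit() else 0
    return parts, rel


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the package version is the fixed release or newer."""
    return parse_version(version) >= parse_version(fixed)


def package_version(cygcheck_output: str, package: str = "git"):
    """Return the version column for `package`, or None if it is not listed."""
    for line in cygcheck_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == package:
            return fields[1]
    return None


def check_installed_git(cygcheck_output: str) -> dict:
    """Summarise exposure based on cygcheck output.

    A missing package line means Git was not installed from the Cygwin
    distribution (e.g. self-compiled), so the packaged fix does not cover it.
    """
    ver = package_version(cygcheck_output)
    if ver is None:
        return {
            "version": None,
            "patched": False,
            "note": "git not installed via Cygwin setup; a self-built Git "
                    "needs the source patch, not the 2.31.1-2 package",
        }
    patched = is_patched(ver)
    return {
        "version": ver,
        "patched": patched,
        "note": "package at or above 2.31.1-2" if patched
                else "update to 2.31.1-2 or later before using untrusted repositories",
    }


def run_cygcheck() -> str:
    """Run the real command; only meaningful on a Cygwin host."""
    return subprocess.run(
        ["cygcheck", "-c", "git"], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    try:
        output = run_cygcheck()
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Not on Cygwin (or cygcheck unavailable): fall back to the sample.
        output = SAMPLE_CYGCHECK_OUTPUT
    print(check_installed_git(output))
```

On a Cygwin host the script runs `cygcheck` directly; anywhere else it falls back to the constructed sample, which describes an unpatched 2.31.1-1 install and therefore reports `patched: False`.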