From: Adam Dinwoodie <adam@dinwoodie.org>
To: Git Mailing List <git@vger.kernel.org>
Subject: Security vulnerability in Git for Cygwin
Date: Sat, 24 Apr 2021 21:32:35 +0100
Message-ID: <CA+kUOa=juEdBMVr_gyTKjz7PkPt2DZHkXQyzcQmAWCsEHC_ssw@mail.gmail.com>

Hi folks,

I don't typically announce Cygwin releases of Git on this mailing
list, but this one's for a security vulnerability, and in particular
I'd like to catch the (hopefully very small number of) people who use
Git on Cygwin compiling it themselves.

I've just uploaded version 2.31.1-2 of Git to the Cygwin distribution
server, and it will be distributed to the Cygwin mirrors over the next
few hours.

This update addresses CVE-2021-29468, which would cause Git to
overwrite arbitrary files with attacker-controlled contents when
checking out content from a malicious repository, and in particular
would allow an attacker to overwrite Git hooks to execute arbitrary
code.

Having discussed with the Git security list, I believe there are very
few people compiling Git on Cygwin themselves, and therefore agreed to
release the patched Cygwin build without yet having a patch in the
main Git source code. However if you do use a version of Git on Cygwin
that isn't from the official Cygwin distribution servers, I'd strongly
recommend either not checking out or cloning from any untrusted
repositories until you've applied at least the functional part of the
patch I'll be submitting shortly.

I'd like to thank RyotaK (https://github.com/Ry0taK /
https://twitter.com/ryotkak) for finding and responsibly disclosing
this vulnerability, and Johannes Schindelin for helping manage the
response.

Kind regards,

Adam
