ArchLinux: 201705-14: git: access restriction bypass
Summary
A security issue has been found in git < 2.12.3, allowing a remote restricted user to execute an interactive pager on the server by causing it to spawn "git upload-pack --help". This is only an issue for servers running the "git-shell" restricted login shell.
Resolution
Upgrade to 2.13.0-1.
# pacman -Syu "git>=2.13.0-1"
The problem has been fixed upstream in version 2.13.0.
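To confirm whether a host meets both conditions from the summary (an unfixed git and at least one account using git-shell as its login shell), the following check can be used. It is an added example, not part of the original advisory; the function names, the `FIXED_VERSION` default (taken from the Resolution above) and the sample passwd entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a host matches the advisory's exposure conditions.
# Assumption: threshold is the fixed version named in the Resolution; override if needed.
FIXED_VERSION="${FIXED_VERSION:-2.13.0}"

# version_lt A B: succeeds when dotted numeric version A is older than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$first" = "$1" ]
}

# git_shell_users FILE: print accounts in a passwd(5)-format file whose
# login shell is git-shell, whatever directory it is installed in.
git_shell_users() {
    awk -F: '$7 ~ /(^|\/)git-shell$/ { print $1 }' "$1"
}

# check_exposure VERSION PASSWD_FILE: print a verdict; return 0 only when
# the version is older than the fix AND git-shell accounts exist.
check_exposure() {
    users=$(git_shell_users "$2")
    if [ -z "$users" ]; then
        echo "not exposed: no git-shell login shells found"
        return 1
    fi
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "EXPOSED: git $1 < $FIXED_VERSION; git-shell accounts:" $users
        return 0
    fi
    echo "fixed: git $1; git-shell accounts:" $users
    return 1
}

# Constructed sample passwd entries (not taken from a real host).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
git:x:996:996:git daemon user:/srv/git:/usr/bin/git-shell
deploy:x:1001:1001::/home/deploy:/usr/local/bin/git-shell
alice:x:1000:1000::/home/alice:/bin/zsh
EOF
check_exposure "2.12.2" "$SAMPLE" || true

# On a live host:
#   check_exposure "$(git --version | awk '{print $3}')" /etc/passwd
```

The check only inspects login shells; git-shell invoked through an SSH forced command is not detected and has to be reviewed separately.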
References
https://lkml.iu.edu/hypermail/linux/kernel/1705.1/01337.html
https://git.kernel.org/pub/scm/git/git.git/commit/?id=3ec804490a265f4c418a321428c12f3f18b7eff5
https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/
https://security.archlinux.org/CVE-2017-8386
Workaround
None.