ArchLinux: 201810-7: git: arbitrary code execution
Summary
A security issue has been found in git versions prior to 2.19.1, which allows an attacker to execute arbitrary code by crafting a malicious .gitmodules file in a project cloned with --recurse-submodules. When running "git clone --recurse-submodules", Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a "git clone" subprocess. If the URL field is set to a string that begins with a dash, this "git clone" subprocess interprets the URL as an option. This can lead to executing an arbitrary script shipped in the superproject as the user who ran "git clone".
Resolution
Upgrade to 2.19.1-1.
# pacman -Syu "git>=2.19.1-1"
The problem has been fixed upstream in version 2.19.1.
References
https://marc.info/?l=git&m=153875888916397&w=2 https://git.kernel.org/pub/scm/git/git.git/commit/?id=98afac7a7cefdca0d2c4917dd8066a59f7088265 https://git.kernel.org/pub/scm/git/git.git/commit/?id=f6adec4e329ef0e25e14c63b735a5956dc67b8bc https://git.kernel.org/pub/scm/git/git.git/commit/?id=273c61496f88c6495b886acb1041fe57965151da https://security.archlinux.org/CVE-2018-17456
Workaround
None.