Fedora 27: git Security Update 2018-d5139c4fd6
Summary
Git is a fast, scalable, distributed revision control system with an
unusually rich command set that provides both high-level operations
and full access to internals.
The git rpm installs a common set of tools that usually require only a
small number of dependencies. To install all git packages, including
tools for integrating with other SCMs, install the git-all meta-package.
Update Information:
Upstream security update resolving an issue with `git clone --recurse-submodules`. From the [upstream release announcement](https://public-inbox.org/git/xmqqy3bcuy3l.fsf@gitster-ct.c.googlers.com/):

> These releases fix a security flaw (CVE-2018-17456), which allowed an
> attacker to execute arbitrary code by crafting a malicious .gitmodules
> file in a project cloned with --recurse-submodules.
>
> When running "git clone --recurse-submodules", Git parses the supplied
> .gitmodules file for a URL field and blindly passes it as an argument
> to a "git clone" subprocess. If the URL field is set to a string that
> begins with a dash, this "git clone" subprocess interprets the URL as
> an option. This can lead to executing an arbitrary script shipped in
> the superproject as the user who ran "git clone".
>
> In addition to fixing the security issue for the user running "clone",
> the 2.17.2, 2.18.1 and 2.19.1 releases have an "fsck" check which can
> be used to detect such malicious repository content when fetching or
> accepting a push. See "transfer.fsckObjects" in git-config(1).
>
> Credit for finding and fixing this vulnerability goes to joernchen
> and Jeff King, respectively.
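As an added, defender-side example (not code from the Fedora advisory or from the git project), the following Python snippet parses a .gitmodules file and flags any submodule `url` value that begins with a dash, the condition the announcement describes; it applies the same dash check to `path` values as well, a generalization beyond what this page states. The sample .gitmodules content is constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample .gitmodules: one benign entry, one whose url would be
# read as a command-line option by a "git clone" subprocess.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = https://example.com/libfoo.git
[submodule "suspicious"]
\tpath = suspicious
\turl = --constructed-option-not-a-url
"""

SECTION_RE = re.compile(r'^\[submodule\s+"([^"]*)"\]$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the git-config style .gitmodules format.

    Returns {submodule name: {key: value}}; keys are lower-cased and
    optional surrounding double quotes are stripped from values.
    """
    modules: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        match = SECTION_RE.match(line)
        if match:
            current = modules.setdefault(match.group(1), {})
            continue
        if current is None or "=" not in line:
            continue  # keys outside a submodule section are not relevant here
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        current[key.strip().lower()] = value
    return modules


def looks_like_option(value: str) -> bool:
    """A leading dash is what makes a value parse as an option, not a URL."""
    return value.startswith("-")


def find_suspicious(modules: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (submodule, field, value) for every url/path that starts with '-'."""
    findings: List[Tuple[str, str, str]] = []
    for name, fields in modules.items():
        for field in ("url", "path"):
            value = fields.get(field)
            if value is not None and looks_like_option(value):
                findings.append((name, field, value))
    return findings
```

Run over the sample, `find_suspicious(parse_gitmodules(SAMPLE_GITMODULES))` reports only the second submodule's url; the git `fsck` check shipped in the fixed releases performs the equivalent test on the server or on fetch when `transfer.fsckObjects` is enabled.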
Change Log
* Fri Oct 5 2018 Todd Zullinger
References
[ 1 ] Bug #1636619 - CVE-2018-17456 git: arbitrary code execution via .gitmodules https://bugzilla.redhat.com/show_bug.cgi?id=1636619
Update Instructions
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2018-d5139c4fd6' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html