Mageia 2022-0147: git security update | LinuxSecurity.com

What Are You Looking For?

Popular Tags

Contribute
MGASA-2022-0147 - Updated git packages fix security vulnerability

Publication date: 22 Apr 2022
URL: https://advisories.mageia.org/MGASA-2022-0147.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-24765

On multi-user machines, Git users might find themselves unexpectedly in a Git
worktree, e.g. when another user created a repository in /tmp, in a mounted
network drive or in a scratch space. Merely having a Git-aware prompt that
runs 'git status' (or 'git diff') and navigating to a directory which is
supposedly not a Git worktree, or opening such a directory in an editor or IDE
such as VS Code or Atom, will potentially run commands defined by that other
user (CVE-2022-24765).

References:
- https://bugs.mageia.org/show_bug.cgi?id=30277
- https://lore.kernel.org/git/[email protected]/
- https://ubuntu.com/security/notices/USN-5376-1
- https://lore.kernel.org/git/[email protected]/T/#u
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765

SRPMS:
- 8/core/git-2.30.4-1.mga8

Mageia 2022-0147: git security update

On multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g

Summary

On multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g. when another user created a repository in /tmp, in a mounted network drive or in a scratch space. Merely having a Git-aware prompt that runs 'git status' (or 'git diff') and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user (CVE-2022-24765).

References

- https://bugs.mageia.org/show_bug.cgi?id=30277

- https://lore.kernel.org/git/[email protected]/

- https://ubuntu.com/security/notices/USN-5376-1

- https://lore.kernel.org/git/[email protected]/T/#u

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765

Resolution

MGASA-2022-0147 - Updated git packages fix security vulnerability

SRPMS

- 8/core/git-2.30.4-1.mga8

Severity
Publication date: 22 Apr 2022
URL: https://advisories.mageia.org/MGASA-2022-0147.html
Type: security
CVE: CVE-2022-24765

News

Advisories

HOWTOs

Features

Keeping Your Private Files Private: An Introduction to GNU Privacy Guard
Complete Guide to Ethical Hacking
Authoritative Guide on Linux Disk Encryption
Linux Database Security Tips
Everything You Need To Know About Open Source Network Monitoring Tools

About Us

Powered By

Footer Logo

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy. 

Learn More About Our Cookie Policy