Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 533
Alerts This Week
Warning Icon 1 533

Mageia: 2022-0147 Moderate: Git Command Execution Threat

mageia
Calendar Grey April 22, 2022
Dist Mageia Esm H88
A safety notice regarding Mageia pertaining to command execution vulnerabilities in Git resulting from unanticipated worktree interactions. Find out more.
On multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g

Summary

On multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g. when another user created a repository in /tmp, in a mounted network drive or in a scratch space. Merely having a Git-aware prompt that runs 'git status' (or 'git diff') and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user (CVE-2022-24765).

References

- https://bugs.mageia.org/show_bug.cgi?id=30277

- https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/

- https://ubuntu.com/security/notices/USN-5376-1

- https://lore.kernel.org/git/xmqq1qy04iqa.fsf@gitster.g/T/#u

- https://www.cve.org/CVERecord?id=CVE-2022-24765

Resolution

SRPMS

- 8/core/git-2.30.4-1.mga8

Publication date: 22 Apr 2022
URL: https://advisories.mageia.org/MGASA-2022-0147.html
Type: security
CVE: CVE-2022-24765

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.