SoylentNews is people

posted by Fnord666 on Friday June 01 2018, @10:27AM
from the git-fixed dept.

Git repository hosting services GitHub, GitLab and Microsoft VSTS each patched a serious vulnerability on Tuesday that could lead to arbitrary code execution when a developer uses a malicious repository.

Developers behind the open-source Git version control tool pushed out Git 2.17.1, addressing two bugs (CVE-2018-11233 and CVE-2018-11235).

“These are tricky vulnerabilities that will require the Git hosting services to patch, but also individual developers who are using the tool,” said Tim Jarrett, senior director of security, Veracode.

Of the two vulnerabilities, CVE-2018-11235 is the more worrisome, researchers said.

The vulnerability is described as a submodule configuration flaw that surfaces when the Git submodule configuration is cloned. Git provides developers with post-checkout hooks, which are executed within the context of the project. Those hooks can be defined within the submodules, and submodules can be malicious and directed to execute code.

“The software does not properly validate submodule ‘names’ supplied via the untrusted .gitmodules file when appending them to the ‘$GIT_DIR/modules’ directory. A remote repository can return specially crafted data to create or overwrite files on the target user’s system when the repository is cloned, causing arbitrary code to be executed on the target user’s system,” according to a SecurityTracker description of the flaw.

[...] “Git will now refuse to work with repositories that contain a submodule configuration like this. And Visual Studio Team Services — along with most other hosting providers — will actively reject you from pushing repositories that contain such a submodule configuration, to help protect clients that haven’t yet upgraded,” Thomson continued.
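The check implied by the description above (a submodule name from .gitmodules must never escape $GIT_DIR/modules), written as an added example for a clone-side or push-side scanner; this is not Git's or any hosting provider's code. It reads the [submodule "name"] headers of a constructed .gitmodules sample and flags any name that is empty or has ".." as a path component, which is the traversal the advisory describes.

```python
import re

# Constructed sample .gitmodules, not taken from any real repository.
# The second entry's name has a ".." path component: appended to
# $GIT_DIR/modules, it would resolve to a directory outside it.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../outside"]
\tpath = vendor/outside
\turl = https://example.invalid/outside.git
"""

# Matches a [submodule "<name>"] section header; the name is captured raw.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>.*)"\]\s*$')


def submodule_names(gitmodules_text):
    """Return the submodule names declared in .gitmodules text.

    Simplified parser: it reads only section headers and does not decode
    backslash escapes that git's config syntax allows inside the quotes.
    """
    names = []
    for line in gitmodules_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            names.append(m.group("name"))
    return names


def is_unsafe_submodule_name(name):
    """True if the name is empty or has ".." as a path component.

    Both "/" and "\\" are treated as separators so the verdict is the same
    on every platform; "..." or "..foo" are ordinary components and pass.
    """
    if not name:
        return True
    return any(part == ".." for part in re.split(r"[/\\]", name))


def find_unsafe_submodules(gitmodules_text):
    """Return the declared names that must not be used under $GIT_DIR/modules."""
    return [n for n in submodule_names(gitmodules_text)
            if is_unsafe_submodule_name(n)]
```

A pre-receive hook or CI job can run find_unsafe_submodules over the .gitmodules blob of every pushed commit and reject the push when the list is non-empty, which is the server-side protection the quote describes.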

Researcher Etienne Stalmans is credited with discovering the vulnerability via GitHub’s bug bounty program. Credit for fixing the bugs goes to Jeff King, Johannes Schindelin and others. The patches made available Tuesday cover both CVEs.

  • (Score: 4, Insightful) by Wootery (2341) on Friday June 01 2018, @01:36PM (#687229)

    Never change. Keep updating!