posted by Fnord666 on Friday June 01 2018, @10:27AM
from the git-fixed dept.

Git repository hosting services GitHub, GitLab and Microsoft VSTS each patched a serious vulnerability on Tuesday that could lead to arbitrary code execution when a developer uses a malicious repository.

Developers behind the open-source development Git tool pushed out Git 2.17.1, addressing two bugs (CVE-2018-11233 and CVE-2018-11235).

“These are tricky vulnerabilities that will require the Git hosting services to patch, but also individual developers who are using the tool,” said Tim Jarrett, senior director of security, Veracode.

Of the two vulnerabilities, CVE-2018-11235 is the most worrisome, researchers said.

The vulnerability is described as a submodule configuration flaw that surfaces when the Git submodule configuration is cloned. Git provides developers with post-checkout hooks, scripts that are executed within the context of the project after a checkout. Those hooks can be defined within submodules, so a malicious submodule can be directed to execute code on the machine that clones it.

“The software does not properly validate submodule ‘names’ supplied via the untrusted .gitmodules file when appending them to the ‘$GIT_DIR/modules’ directory. A remote repository can return specially crafted data to create or overwrite files on the target user’s system when the repository is cloned, causing arbitrary code to be executed on the target user’s system,” according to a SecurityTracker description of the flaw.

[...] “Git will now refuse to work with repositories that contain a submodule configuration like this. And Visual Studio Team Services — along with most other hosting providers — will actively reject you from pushing repositories that contain such a submodule configuration, to help protect clients that haven’t yet upgraded,” Thomson continued.
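The two quoted paragraphs above describe the defect (submodule names from an untrusted `.gitmodules` file appended to `$GIT_DIR/modules` without validation) and the mitigation (Git and the hosting services refusing such configurations). The following is an added example, not code from the article, from Git, or from any hosting provider: a small Python checker that parses a `.gitmodules` file and rejects submodule names that contain a `..` path component or are empty, which is the kind of pre-receive check a hosting service could run before accepting a push. The sample `.gitmodules` contents are constructed for the example; the function names and the exact rejection rule are my own assumptions, not Git's implementation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .gitmodules (git-config style); not from any real repository.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../../escapes-modules"]
\tpath = vendor/bad
\turl = https://example.invalid/bad.git
[submodule ""]
\tpath = vendor/empty
\turl = https://example.invalid/empty.git
[submodule "ok/nested.module"]
\tpath = vendor/nested
\turl = https://example.invalid/nested.git
"""

# [submodule "<name>"] section header; the name may contain escaped quotes.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
# key = value lines inside a section.
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Minimal parser for .gitmodules.

    Returns (name, settings) pairs in file order. Names are returned raw,
    exactly as the file supplies them, so the caller can judge them.
    """
    entries: List[Tuple[str, Dict[str, str]]] = []
    current: Tuple[str, Dict[str, str]] = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), {})
            entries.append(current)
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[1][m.group(1).lower()] = m.group(2)
    return entries


def is_safe_submodule_name(name: str) -> bool:
    """Reject names that could escape $GIT_DIR/modules when joined onto it.

    Both '/' and '\\' are treated as separators so that the rule is the same
    on every platform; '..' is only dangerous as a whole path component.
    """
    if not name:
        return False
    return all(component != ".." for component in re.split(r"[/\\]", name))


def audit_gitmodules(text: str) -> List[str]:
    """Return the unsafe submodule names in a .gitmodules file.

    An empty list means the file passes this check; a non-empty list is what
    a hosting service would report when rejecting the push.
    """
    return [name for name, _ in parse_gitmodules(text)
            if not is_safe_submodule_name(name)]


if __name__ == "__main__":
    for name, cfg in parse_gitmodules(SAMPLE_GITMODULES):
        verdict = "ok" if is_safe_submodule_name(name) else "REJECT"
        print(f"{verdict:6} name={name!r} path={cfg.get('path')!r}")
```

Run against the constructed sample, the checker accepts `libfoo` and `ok/nested.module` and rejects the traversal name and the empty name. The check deliberately keys on the submodule *name* (the section header) rather than the `path` or `url` values, because the name is what Git used to build the directory under `$GIT_DIR/modules`.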

Researcher Etienne Stalmans is credited with discovering the vulnerability via GitHub’s bug bounty program. Credit for fixing the bugs goes to Jeff King, Johannes Schindelin and others. The patches made available Tuesday cover both CVEs.


  • (Score: 2) by Subsentient on Friday June 01 2018, @04:33PM (2 children)

    by Subsentient (1111) on Friday June 01 2018, @04:33PM (#687306)

    That depends on the OS and distro. Fedora is very good about stable updates, despite being a bleeding edge distro.

    --
    "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
  • (Score: 1) by redneckmother on Friday June 01 2018, @05:07PM (1 child)

    by redneckmother (3597) on Friday June 01 2018, @05:07PM (#687321)

    Fedora also has a good selection of applications.

    Too bad it's part of the systemd mess (-ducks-). I'm in the process of moving my machines from Fedora to Devuan. Three down, one to go.

    --
    More beer, please.
    • (Score: 2) by Subsentient on Friday June 01 2018, @05:43PM

      by Subsentient (1111) on Friday June 01 2018, @05:43PM (#687346)

      I'm planning to eventually package the new version of my Epoch Init System for Fedora in a way that doesn't break things, once I get around to it. Things have been crazy. In the meantime, systemd is merely a nuisance.

      --
      "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti