Arch Linux Security Advisory ASA-201806-1
=========================================

Severity: Critical
Date    : 2018-06-01
CVE-ID  : CVE-2018-11233 CVE-2018-11235
Package : git
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-711

Summary
=======

The package git before version 2.17.1-1 is vulnerable to multiple issues
including arbitrary code execution and information disclosure.

Resolution
==========

Upgrade to 2.17.1-1.

# pacman -Syu "git>=2.17.1-1"

The problems have been fixed upstream in version 2.17.1.

Workaround
==========

None.

Description
===========

- CVE-2018-11233 (information disclosure)

A security issue has been found in git before 2.17.1, where the code
that sanity-checks paths in is_ntfs_dotgit() could have been tricked
into reading random pieces of memory.

- CVE-2018-11235 (arbitrary code execution)

A security issue has been found in git before 2.17.1. With a crafted
.gitmodules file, a malicious project can execute an arbitrary script
on a machine that runs "git clone --recurse-submodules" because
submodule "names" are obtained from this file, and then appended to
$GIT_DIR/modules, leading to directory traversal with "../" in a name.
Finally, post-checkout hooks from a submodule are executed, bypassing
the intended design in which hooks are not obtained from a remote
server.

Impact
======

A remote attacker can execute arbitrary code on the affected host by
placing a crafted .gitmodules file in a repository cloned by a local
user, or access sensitive information via a crafted path in such a
repository.

References
==========

https://lkml.org/lkml/2018/5/29/889
https://github.com/gitster/git/commit/11a9f4d807a0d71dc6eff51bb87baf4ca2cccf1d
https://security.archlinux.org/CVE-2018-11233
https://security.archlinux.org/CVE-2018-11235