Subject: [ASA-201807-2] git-annex: multiple issues

Arch Linux Security Advisory ASA-201807-2
=========================================

Severity: High
Date    : 2018-07-04
CVE-ID  : CVE-2018-10857 CVE-2018-10859
Package : git-annex
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-725

Summary
=======

The package git-annex before version 6.20180626-1 is vulnerable to multiple issues including arbitrary filesystem access and information disclosure.

Resolution
==========

Upgrade to 6.20180626-1.

# pacman -Syu "git-annex>=6.20180626-1"

The problems have been fixed upstream in version 6.20180626.

Workaround
==========

None.

Description
===========

- CVE-2018-10857 (arbitrary filesystem access)

Some uses of git-annex were vulnerable to a private data exposure and exfiltration attack. It could expose the content of files located outside the git-annex repository, or content from a private web server on localhost or the LAN.

- CVE-2018-10859 (information disclosure)

A malicious server for a special remote could trick git-annex into decrypting a file that was encrypted to the user's gpg key. This attack could be used to expose encrypted data that was never stored in git-annex.

Impact
======

A remote attacker is able to read arbitrary files on the filesystem or decrypt encrypted files by modifying the git-annex repository.

References
==========

https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/
https://git.joeyh.name/index.cgi/git-annex.git/commit/?id=b54b2cdc0ef1373fc200c0d28fded3c04fd57212
https://security.archlinux.org/CVE-2018-10857
https://security.archlinux.org/CVE-2018-10859