ASA-201810-7 log generated external raw

[ASA-201810-7] git: arbitrary code execution
Arch Linux Security Advisory ASA-201810-7 ========================================= Severity: High Date : 2018-10-09 CVE-ID : CVE-2018-17456 Package : git Type : arbitrary code execution Remote : Yes Link : Summary ======= The package git before version 2.19.1-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 2.19.1-1. # pacman -Syu "git>=2.19.1-1" The problem has been fixed upstream in version 2.19.1. Workaround ========== None. Description =========== A security issue has been found in git versions prior to 2.19.1, which allows an attacker to execute arbitrary code by crafting a malicious .gitmodules file in a project cloned with --recurse-submodules. When running "git clone --recurse-submodules", Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a "git clone" subprocess. If the URL field is set to a string that begins with a dash, this "git clone" subprocess interprets the URL as an option. This can lead to executing an arbitrary script shipped in the superproject as the user who ran "git clone". Impact ====== A remote attacker can execute arbitrary code on the affected host by convincing a local user to clone a specially crafted git repository and its sub-modules. References ==========