CVE-2019-1349 log
| Source |
|
| Severity | Medium |
| Remote | Yes |
| Type | Arbitrary code execution |
| Description | A security issue has been found in git before 2.24.1 when using submodule paths that refer to the same file system entity (e.g. using the NTFS Alternate Data Streams attack mentioned in CVE-2019-1352 where files would be written to the `.git/` directory using a synonymous directory name), it was possible to "squat" on the `git~1` shortname on NTFS drives, opening attacks via `git~2`. This also affects Git when run as a Linux application inside the Windows Subsystem for Linux. |
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-1075 | libgit2 | 1:0.28.3-1 | 1:0.28.4-1 | High | Fixed | |
| AVG-1073 | git | 2.24.0-1 | 2.24.1-1 | High | Fixed |
| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 18 Dec 2019 | ASA-201912-6 | AVG-1073 | git | High | arbitrary code execution |
| 18 Dec 2019 | ASA-201912-5 | AVG-1075 | libgit2 | High | arbitrary code execution |
| References |
|---|
https://github.com/git/git/commit/0060fd1511b94c918928fa3708f69a3f33895a4a https://lkml.org/lkml/2019/12/10/905 |