New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
heads up: security issues in git with respect to embedded bare repos #6400
Comments
I don't think libgit2 even supports fsmonitor, at least I couldn't find any references to it. |
AFAIU, it's no just fsmonitor, but in principle whenever the git implementation would parse/use the embedded bare repos's git-config or e.g. it's hooks. |
Libgit2 does not support hooks |
Hmm, well but AFAICS from a just very quick glance on its sources, it does parse git’s Even if none of this would be supported by libgit2 right now, it would probably still make sense to somehow take care that no future version of it, which may add support for further features, becomes exploitable. I mean in one year from now, no one will likely remember this subtle but dangerous issue. And in principle git is also vulnerable to having a rogue |
It is possible that libgit2 may never run hooks by itself. OTOH it is very likely that projects using libgit2 are calling the hooks on their own, so any solution should probably be focused on helping library callers to not do anything dangerous. |
Hey.
This is merely a heads up about a security issue that was found a while ago in git itself and which was discussed in detail at [0] as well as [1] with a good overview and simple demo of an exploit at [2] and with a "fix" (i.e. rather a safeguard, that unfortunately even seems to default to the unsafe option) pending for release at [3].
In short, when cloning an untrusted repository and inspecting it (simple git commands or even
cd
ing into them, with things likegit-prompt
enabled, may be enough) allow apparently arbitrary code execution. Code which is controlled by a possible attacker.Could you please check whether libgit2 is also affected by this issue and if so, provide some fix?
Similarly, it must be checked whether the work tree of a git repo would contain a
.git
dir, which would allow for the same attack with non-bare repos.Git apparently already forbids this since long.
Thanks for checking,
Chris.
The text was updated successfully, but these errors were encountered: