back to article Git security vulnerability could lead to an attack of the (repo) clones

A new version of Git has been emitted to ward off attempts to exploit a potential arbitrary code execution vulnerability – which can be triggered by merely cloning a malicious repository. The security hole, CVE-2018-11235, reported by Etienne Stalmans, stems from a flaw in Git whereby sub-module names supplied by the . …

  1. Anonymous Coward
    Anonymous Coward

    "flaw in the processing of pathnames in Git on NTFS-based systems"

    What ever happened to good old input validation ?

    1. Sven Coenye

      Good old input validation

      Heh. It seems the input validation code is actually what is going off the reservation...

      "code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory"


  2. GnuTzu

    So Many Repositories--So Little Time

    I've encountered developers who think it's a good idea to have production servers pull code directly from such repositories--and there are hordes of such repositories. I've had to deny access for such requests. Imagine the rate of spread if a repository were to be infected. I have my safeguards in place--but defense in depth needs to get deeper, much deeper.

    1. Anonymous Coward
      Anonymous Coward


      You make a valid point, however it requires more context. I mean... you do realize that it's very easy to set up a construction using a specific refspec which makes sure that you don't pull it directly onto the master but another (sub)branch instead?

      Or... what if the project makes sure that only production worthy code gets onto the master branch and everything else remains limited to the dev branches?

      Ergo: you can pull code onto a production server, but that is no guarantee that it will also immediately go live right away.

      Still; how is this any different from, say, a server pulling packages directly from a repository? It doesn't have to pose any risks, depending on context.

      You make it sound as if this construction is always a bad idea, but it doesn't have to.

  3. Anonymous Coward
    Anonymous Coward

    > released the update in 2.13.7 ... and forward-ported it to 2.14.4, 2.15.2, 2.16.4 and 2.13.7

    Bags me for the forward port of 2.13.7 to 2.13.7 - I'll order your drinks once I'm at the bar...

  4. teknopaul

    bit meh

    What you gonna do with that code apart from compiling it and running it?

    You have to trust the repo.

    It like saying you have a remote exec but you have to download and run a malicious executable.

    1. MacroRodent

      Re: bit meh

      It is different because the malware gets activated by merely pulling the code from the repo before you have a chance to inspect it.

  5. FlamingDeath Silver badge

    I once sneezed at the screen, and viola, a computer program was born

    Mission Accomplished™

    1. Anonymous Coward

      > viola, a computer program was born

      Was the next release called "cello"?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon