358 matches found
Git Submodule - Arbitrary Code Execution (PoC)
These releases fix a security flaw CVE-2018-17456, which allowed an attacker to execute arbitrary code by crafting a malicious .gitmodules file in a project cloned with --recurse-submodules. When running "git clone --recurse-submodules", Git parses the supplied .gitmodules file for a URL field an...
FreeBSD : Libgit2 -- Fixing insufficient validation of submodule names (5a1589ad-68f9-11e8-83f5-d8cb8abf62dd)
The Git community reports: Insufficient validation of submodule names (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from the FreeBSD VuXML database: Copyright 2003-2018 Jacques Vidrine and contributors Redistribution and use in source VuX...
USN-3671-1 git vulnerabilities
Etienne Stalmans discovered that git did not properly validate git submodules files. A remote attacker could possibly use this to craft a git repo that causes arbitrary code execution when "git clone --recurse-submodules" is used. CVE-2018-11235 It was discovered that an integer overflow existed ...
Updated git packages fix security vulnerabilities
It was possible to trick the code that sanity-checks paths on NTFS into reading random piece of memory CVE-2018-11233. Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GITDIR/modules to create our on-disk repo paths. This means you can do bad things by...
MGASA-2018-0267 Updated git packages fix security vulnerabilities
It was possible to trick the code that sanity-checks paths on NTFS into reading random piece of memory CVE-2018-11233. Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GITDIR/modules to create our on-disk repo paths. This means you can do bad things by...
[slackware-security] git
New git packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: patches/packages/git-2.14.4-i586-1slack14.2.txz: Upgraded. This update fixes security issues: Submodule "names" come from...
Git Remote Code Execution
Exploit Title: Git code execution Date: 2018-05-29 Exploit Author: JameelNabbo Website: jameelnabbo.com Vendor Homepage: https://github.com/git/git CVE: CVE-2018-11235 Version: =2.17.1 Tested on Kali Linux P0C: Create two files: pwned.sh: the file which will contain our commands to be executed...
Bug In Git Opens Developer Systems Up to Attack
UPDATE Git repository hosting services GitHub, GitLab and Microsoft VSTS each patched a serious vulnerability on Tuesday that could lead to arbitrary code execution when a developer uses a malicious repository. Developers behind the open-source development Git tool pushed out Git 2.17.1, addressi...
Directory traversal
In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because...
ALPINE-CVE-2018-11235
In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because...
DEBIAN-CVE-2018-11235
In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because...
CVE-2018-11235
In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because...
Debian DSA-4212-1 : git - security update
Etienne Stalmans discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability exploitable via specially crafted submodule names in a .gitmodules file. (C) Tenable Network Security, Inc. The descriptive text and package checks in...
Git Arbitrary Code Execution Vulnerability (CNVD-2018-10794)
Git is a free and open source distributed version control system designed to handle small to large projects with speed and efficiency. An arbitrary code execution vulnerability exists in Git due to the software's failure to properly validate submodule "names" provided via untrusted .gitmodules...
[SECURITY] [DSA 4212-1] git security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4212-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso May 29, 2018 https://www.debian.org/security/faq -...
Libgit2 -- Fixing insufficient validation of submodule names
The Git community reports: Insufficient validation of submodule names...
Git -- Fix memory out-of-bounds and remote code execution vulnerabilities (CVE-2018-11233 and CVE-2018-11235)
The Git community reports: In affected versions of Git, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. In affected versions of Git, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machin...
Debian: Security Advisory (DSA-4212-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...