[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [gits] Git Client Security Udate

To: Eric Eide <eeide@cs.utah.edu>
Subject: Re: [gits] Git Client Security Udate
From: Robert Ricci <ricci@cs.utah.edu>
Date: Thu, 18 Dec 2014 23:41:01 -0700
Cc: Git Users Mailing List <gits@flux.utah.edu>
In-reply-to: <m1oar0o42h.fsf@gris-dmz.flux.utah.edu>
List-archive: </listarchives/gits>
List-help: <mailto:gits-request@flux.utah.edu?subject=help>
List-id: Git Discussion Mailing List <gits.flux.utah.edu>
List-post: <mailto:gits@flux.utah.edu>
List-subscribe: <http://www.flux.utah.edu/mailman/listinfo/gits>, <mailto:gits-request@flux.utah.edu?subject=subscribe>
List-unsubscribe: <http://www.flux.utah.edu/mailman/options/gits>, <mailto:gits-request@flux.utah.edu?subject=unsubscribe>
References: <m1oar0o42h.fsf@gris-dmz.flux.utah.edu>
User-agent: Mutt/1.5.23 (2014-03-12)

For what it's worth, this appears to only affect clients with
case-insensitive filesystems (Mac and Windows) - the exploit seems to be
checking in something like .Git/config into the repo. On a
case-insensitive FS, that will cause your client to overwrite
.git/config, and since there are places in there where you can put
scripts...

On 12/18, Eric Eide wrote:
> https://github.com/blog/1938-git-client-vulnerability-announced
> http://article.gmane.org/gmane.linux.kernel/1853266
> 
> Basically, update your git client.
> 
> Eric.
> 
> -- 
> -------------------------------------------------------------------------------
> Eric Eide <eeide@cs.utah.edu>  .         University of Utah School of Computing
> http://www.cs.utah.edu/~eeide/ . +1 (801) 585-5512 voice, +1 (801) 581-5843 FAX

References:
- [gits] Git Client Security Udate
  - From: Eric Eide <eeide@cs.utah.edu>

Prev by Date: [gits] Git Client Security Udate
Next by Date: [gits] Reminder: gitlab down today
Previous by thread: [gits] Git Client Security Udate
Next by thread: [gits] Reminder: gitlab down today
Index(es):
- Date
- Thread