On Sat, 24 Apr 2021 at 21:32, Adam Dinwoodie <adam@xxxxxxxxxxxxx> wrote:
> I don't typically announce Cygwin releases of Git on this mailing
> list, but this one's for a security vulnerability, and in particular
> I'd like to catch the (hopefully very small number of) people who use
> Git on Cygwin compiling it themselves.
>
> I've just uploaded version 2.31.1-2 of Git to the Cygwin distribution
> server, and it will be being distributed to the Cygwin mirrors over
> the next few hours.
>
> This update addresses CVE-2021-29468, which would cause Git to
> overwrite arbitrary files with attacker-controlled contents when
> checking out content from a malicious repository, and in particular
> would allow an attacker to overwrite Git hooks to execute arbitrary
> code.
>
> Having discussed with the Git security list, I believe there are very
> few people compiling Git on Cygwin themselves, and therefore agreed to
> release the patched Cygwin build without yet having a patch in the
> main Git source code. However if you do use a version of Git on Cygwin
> that isn't from the official Cygwin distribution servers, I'd strongly
> recommend either not checking out or cloning from any untrusted
> repositories until you've applied at least the functional part of the
> patch I'll be submitting shortly.
>
> I'd like to thank RyotaK (https://github.com/Ry0taK /
> https://twitter.com/ryotkak) for finding and responsibly disclosing
> this vulnerability, and Johannes Schindelin for helping manage the
> response.

One note I failed to put in the original email: there is further information on this vulnerability in the GitHub Security Advisory at https://github.com/me-and/Cygwin-Git/security/advisories/GHSA-rmp3-wq55-f557
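As an added example that is not part of the mailing-list thread above: a small POSIX shell check a Cygwin user could run to confirm that the installed git package is at or above the fixed package version the announcement names (2.31.1-2). Because the Cygwin package revision (the "-2") is not visible in `git --version`, the script reads the package version from `cygcheck -c git`; the exact column layout of that output, the embedded sample output, and the assumption that every version field is numeric are all assumptions made here, not facts from the post.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: check whether the Cygwin
# "git" package is at or above the fixed package version named in the
# announcement (2.31.1-2). The package revision is not shown by
# `git --version`, so the check parses `cygcheck -c git` output instead.
# ASSUMPTION: cygcheck -c prints "Package Version Status" columns; the
# sample below is constructed for offline demonstration.

FIXED_VERSION="2.31.1-2"

# Constructed sample of `cygcheck -c git` output (one revision too old).
SAMPLE_CYGCHECK_OUTPUT="Cygwin Package Information
Package              Version        Status
git                  2.31.1-1       OK"

# Print the version field of the line whose first column is exactly "git".
cygwin_git_version() {
    printf '%s\n' "$1" | awk '$1 == "git" { print $2; exit }'
}

# Compare two dotted/hyphenated versions field by field, numerically.
# Prints -1, 0 or 1 as $1 is less than, equal to, or greater than $2.
# ASSUMPTION: every field is an integer (true for "2.31.1-2"-style versions).
version_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Leading numeric field of each side; a missing field counts as 0.
        af=${a%%[.-]*}; bf=${b%%[.-]*}
        af=${af:-0};    bf=${bf:-0}
        if [ "$af" -lt "$bf" ]; then printf '%s\n' -1; return; fi
        if [ "$af" -gt "$bf" ]; then printf '%s\n' 1;  return; fi
        # Drop the consumed field together with its separator.
        case $a in *[.-]*) a=${a#*[.-]} ;; *) a= ;; esac
        case $b in *[.-]*) b=${b#*[.-]} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# True (exit 0) when the given package version is at or above FIXED_VERSION.
git_is_patched() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# Stand-alone run: use the real cygcheck when present, else the sample.
if command -v cygcheck >/dev/null 2>&1; then
    ver=$(cygwin_git_version "$(cygcheck -c git)")
else
    ver=$(cygwin_git_version "$SAMPLE_CYGCHECK_OUTPUT")
fi
if git_is_patched "$ver"; then
    echo "git $ver: at or above $FIXED_VERSION (CVE-2021-29468 fix present)"
else
    echo "git $ver: older than $FIXED_VERSION; update before cloning untrusted repositories"
fi
```

Run as-is on a Cygwin host it reports the installed package; anywhere else it falls back to the constructed sample and reports it as unpatched, which is the path a self-built Git (the case the announcement is most concerned with) would also hit, since such a build has no Cygwin package entry at all.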