Re: CVE-2022-24765 and core.sharedRepository (was: What's cooking in git.git (Apr 2022, #03; Tue, 12))

On Tue, 12 Apr 2022 at 21:43, Ævar Arnfjörð Bjarmason <avarab@xxxxxxxxx> wrote:
>
>
> On Tue, Apr 12 2022, Philippe Blain wrote:
>
> [A change of $subject seems in order]
>
> > Le 2022-04-12 à 13:04, Junio C Hamano a écrit :
> >>
> >>
> >> Security releases for the 2.30-2.35 maintenance tracks have been
> >> tagged to address CVE-2022-24765, which allows a user to trick other
> >> users into running a command of their choice easily on multi-user
> >> machines with a shared "mob" directory.  The fix has been also
> >> merged to Git 2.36-rc2 and to all integration branches.
> >>
> >
> > This is quite a big behaviour change for some environments [1], so I would think maybe it
> > deserves to be fully spelled out in the release notes for 2.36.0,
> > instead of just referring readers to the release notes for the maintenance
> > release, where they can read a full description only in the release notes
> > for 2.30.3?
>
> Yes, I think it deserves to be noted very prominently, and also that we
> had some mechanism for publishing relevant git-security@ discussions
> (possibly with some parts redacted) after the issues become public.
>
> Not knowing if others involved are OK with being quoted I'll just say
> that this issue was discussed at some length on the list, in particular
> that it'll severely hinder some core.sharedRepository workflows.
>
> Quoting (part of) my own reply from one of those exchanges (this is in
> reply to Johannes Schindelin):
>
>         But I don't understand why we need to immediately die() when we detect
>         this situation in setup.c.

Would I be right in thinking this explains new breakage we are seeing
in CI jobs we (the Perl project) have hosted on GitHub:

https://github.com/Perl/perl5/runs/6000831257?check_suite_focus=true#step:5:1

Run git remote set-url origin "***github.com/$GITHUB_REPOSITORY"
fatal: unsafe repository ('/__w/perl5/perl5' is owned by someone else)
To add an exception for this directory, call:

git config --global --add safe.directory /__w/perl5/perl5
Process completed with exit code 128.

Cheers,
Yves
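The failure Yves quotes is the new ownership check from the CVE-2022-24765 fix: the top-level directory of the repository (`/__w/perl5/perl5` in the GitHub Actions container) is owned by a different uid than the user running git, and no `safe.directory` exception covers it. The following is an added example, not Git's own code and not from anyone in this thread: a small POSIX sh model of that check, plus a helper that applies it to a real directory on the host. The function names (`is_safe_repo`, `repo_owner_uid`, `check_real_dir`), the uids 1000/1001 and the sample `safe.directory` lists are made up for illustration; the exact whole-string match on the path is an assumption of this model, and the `*` wildcard that disables the check is what later point releases accept, not what 2.35.2 shipped with.

```shell
#!/bin/sh
# Added example (not Git's code): a model of the ownership check Git
# performs on the repository directory since the CVE-2022-24765 fix, plus
# a helper that applies it to a real directory on this host.  Function
# names, the uids 1000/1001 and the sample safe.directory lists are made
# up for illustration.

# is_safe_repo DIR OWNER_UID CURRENT_UID SAFE_LIST
#   DIR         absolute path of the repository top level
#   OWNER_UID   numeric owner of DIR
#   CURRENT_UID numeric effective uid of the user running git
#   SAFE_LIST   newline-separated safe.directory values ("" for none)
# Returns 0 if Git would proceed, 1 if it would die with
# "fatal: unsafe repository ('DIR' is owned by someone else)".
is_safe_repo() {
    dir=$1 owner=$2 me=$3 safe=$4
    # Fast path: the repository is ours, no exception needed.
    if [ "$owner" = "$me" ]; then
        return 0
    fi
    # Otherwise the directory must be listed verbatim in safe.directory.
    # '*' (accepted by later point releases) disables the check entirely.
    # Matching is an exact, whole-line string compare in this model, so
    # '/__w/perl5/perl5/' does not cover '/__w/perl5/perl5'.
    if printf '%s\n' "$safe" | grep -Fxq -e "$dir" -e '*'; then
        return 0
    fi
    return 1
}

# repo_owner_uid DIR: numeric uid owning DIR (ls -n is POSIX, stat is not).
repo_owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# check_real_dir DIR: run the model against DIR, the current user and the
# global safe.directory entries (empty when git is absent or unset).
check_real_dir() {
    _safe=$(git config --global --get-all safe.directory 2>/dev/null || true)
    is_safe_repo "$1" "$(repo_owner_uid "$1")" "$(id -u)" "$_safe"
}

# Reproduce the CI failure from the thread: the container user (uid 1000,
# assumed) operating on a workspace owned by the runner (uid 1001, assumed),
# with no exception configured.
if is_safe_repo /__w/perl5/perl5 1001 1000 ""; then
    echo "accepted"
else
    echo "fatal: unsafe repository ('/__w/perl5/perl5' is owned by someone else)"
fi

# The narrow fix the error message suggests: whitelist exactly that path.
if is_safe_repo /__w/perl5/perl5 1001 1000 "/__w/perl5/perl5"; then
    echo "accepted after: git config --global --add safe.directory /__w/perl5/perl5"
fi
```

For a CI job the path-specific `git config --global --add safe.directory /__w/perl5/perl5` that the error message prints is the right shape of fix: it re-enables exactly the workspace the job needs. Listing `*` instead switches the protection off for every repository that user touches, which is the behaviour the CVE fix was introduced to prevent on multi-user hosts.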