Git Updated Due To A Potentially Nasty Vulnerability On Windows

Written by Michael Larabel in Programming on 12 April 2022 at 01:41 PM EDT.
Git 2.35.2 was just released along with updates to prior series in the form of Git 2.34.2, 2.33.2, 2.32.1, 2.31.2, and 2.30.3 due to a new security issue.

While this CVE-2022-24765 vulnerability is serious enough to warrant updates to all supported versions in maintenance mode, the issue is likely to affect only Microsoft Windows because of its file-system hierarchy and folder permissions. On multi-user Windows systems it ultimately comes down to the possibility of arbitrary code execution: commands planted by one user on the system can end up running as another user. While the complete details of CVE-2022-24765 haven't been disclosed yet, it's summed up in the Git announcement as:
On multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g. when another user created a repository in `C:\.git`, in a mounted network drive or in a scratch space. Merely having a Git-aware prompt that runs `git status` (or `git diff`) and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user.

Thus if you are on a multi-user Windows environment, go grab the latest Git point releases. CVE-2022-24765 is the only change noted in today's announcement.
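As an added illustration (not code from the Git project or from this article), the following Python does two checks that follow from the announcement: whether an installed Git is at or above the fixed release for its series, and which parent directories Git's upward repository discovery would pick up for a given Windows path. The `C:\Users\alice` paths and the stand-in file-system set are constructed for the example; the fixed version numbers are the ones listed above.

```python
import re
import subprocess
from pathlib import PureWindowsPath

# Fixed releases named in the announcement, keyed by maintenance series.
FIXED = {(2, 30): (2, 30, 3), (2, 31): (2, 31, 2), (2, 32): (2, 32, 1),
         (2, 33): (2, 33, 2), (2, 34): (2, 34, 2), (2, 35): (2, 35, 2)}

def parse_version(text):
    """Pull (major, minor, patch) out of `git --version` output such as
    'git version 2.35.1.windows.2'; a missing patch level counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_fixed(version):
    """True if this version is at or above the fix for its series. Series
    newer than 2.35 carry the fix; series older than 2.30 were out of
    maintenance and received no update, so they are reported as unfixed."""
    series = version[:2]
    if series in FIXED:
        return version >= FIXED[series]
    return series > max(FIXED)

def enclosing_git_dirs(start, existing):
    """Walk from `start` up to the drive root, the way Git's repository
    discovery does, and return every directory whose `.git` entry is in
    `existing`, nearest first (Git itself stops at the nearest one).
    `existing` is a constructed set of path strings standing in for the
    file system, so the walk can be exercised offline on any OS."""
    present = {str(PureWindowsPath(p)).lower() for p in existing}
    found = []
    here = PureWindowsPath(start)
    while True:
        if str(here / ".git").lower() in present:
            found.append(str(here))
        if here.parent == here:  # reached the drive root
            return found
        here = here.parent

if __name__ == "__main__":
    out = subprocess.run(["git", "--version"], capture_output=True,
                         text=True, check=True).stdout
    v = parse_version(out)
    print(out.strip(), "->", "fixed" if is_fixed(v) else "NOT fixed")
    # Constructed scenario from the announcement: a stray C:\.git above a scratch directory.
    print(enclosing_git_dirs(r"C:\Users\alice\scratch", {r"C:\.git"}))
```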