[jgit-dev] git: malicious repositories can execute remote code while clo

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jgit-dev] git: malicious repositories can execute remote code while cloning -- is this applicable for JGit?

From: Denis Malyshkin <dmalyshkin@xxxxxxxxxx>
Date: Thu, 11 Mar 2021 04:41:10 +0600
Delivered-to: jgit-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jgit-dev/>
List-help: <mailto:jgit-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jgit-dev>, <mailto:jgit-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jgit-dev>, <mailto:jgit-dev-request@eclipse.org?subject=unsubscribe>
Organization: ISS Art, Ltd.
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0

Hello,

There is a vulnerability in git:
https://www.openwall.com/lists/oss-security/2021/03/09/3

"On case-insensitive filesystems, with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone."

Is this vulnerability may be used in JGit somehow?
Thank you.

Best regards,
Denis Malyshkin, Senior C++ Developer
ISS Art, LLC - custom software development company
Skype: dmalyshkin
Phone: +73812909808

IMPORTANT: The contents of this email and any attachments are confidential and intended for the named recipient(s) only. If you have received this email by mistake, please notify the sender immediately and delete it from your system. You may not copy this email or disclose its contents to anyone. Thank you.

Prev by Date: Re: [jgit-dev] Advice for some old changes
Next by Date: Re: [jgit-dev] Welcome to the "jgit-dev" mailing list
Previous by thread: [jgit-dev] Validating the git credentials of the user
Next by thread: Re: [jgit-dev] Welcome to the "jgit-dev" mailing list
Index(es):
- Date
- Thread

Breadcrumbs