{"schema_version":"1.7.2","id":"OESA-2022-1676","modified":"2022-05-28T11:03:49Z","published":"2022-05-28T11:03:49Z","upstream":["CVE-2022-24765"],"summary":"git security update","details":"Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce, and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.\n\nSecurity Fix(es):\n\nGit for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\\.git\\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\\Users` if the user profile is located in `C:\\Users\\my-user-name`.(CVE-2022-24765)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"git","purl":"pkg:rpm/openEuler/git\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.27.0-7.oe1"}]}],"ecosystem_specific":{"aarch64":["git-daemon-2.27.0-7.oe1.aarch64.rpm","git-debuginfo-2.27.0-7.oe1.aarch64.rpm","git-2.27.0-7.oe1.aarch64.rpm","git-debugsource-2.27.0-7.oe1.aarch64.rpm"],"noarch":["perl-Git-SVN-2.27.0-7.oe1.noarch.rpm","gitk-2.27.0-7.oe1.noarch.rpm","git-gui-2.27.0-7.oe1.noarch.rpm","git-web-2.27.0-7.oe1.noarch.rpm","git-email-2.27.0-7.oe1.noarch.rpm","git-help-2.27.0-7.oe1.noarch.rpm","perl-Git-2.27.0-7.oe1.noarch.rpm","git-svn-2.27.0-7.oe1.noarch.rpm"],"src":["git-2.27.0-7.oe1.src.rpm"],"x86_64":["git-daemon-2.27.0-7.oe1.x86_64.rpm","git-debugsource-2.27.0-7.oe1.x86_64.rpm","git-debuginfo-2.27.0-7.oe1.x86_64.rpm","git-2.27.0-7.oe1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP3","name":"git","purl":"pkg:rpm/openEuler/git\u0026distro=openEuler-20.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.27.0-7.oe1"}]}],"ecosystem_specific":{"aarch64":["git-2.27.0-7.oe1.aarch64.rpm","git-daemon-2.27.0-7.oe1.aarch64.rpm","git-debuginfo-2.27.0-7.oe1.aarch64.rpm","git-debugsource-2.27.0-7.oe1.aarch64.rpm"],"noarch":["git-help-2.27.0-7.oe1.noarch.rpm","git-web-2.27.0-7.oe1.noarch.rpm","gitk-2.27.0-7.oe1.noarch.rpm","perl-Git-SVN-2.27.0-7.oe1.noarch.rpm","perl-Git-2.27.0-7.oe1.noarch.rpm","git-svn-2.27.0-7.oe1.noarch.rpm","git-email-2.27.0-7.oe1.noarch.rpm","git-gui-2.27.0-7.oe1.noarch.rpm"],"src":["git-2.27.0-7.oe1.src.rpm"],"x86_64":["git-debuginfo-2.27.0-7.oe1.x86_64.rpm","git-daemon-2.27.0-7.oe1.x86_64.rpm","git-debugsource-2.27.0-7.oe1.x86_64.rpm","git-2.27.0-7.oe1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:22.03-LTS","name":"git","purl":"pkg:rpm/openEuler/git\u0026distro=openEuler-22.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.33.0-2.oe2203"}]}],"ecosystem_specific":{"aarch64":["git-debuginfo-2.33.0-2.oe2203.aarch64.rpm","git-debugsource-2.33.0-2.oe2203.aarch64.rpm","git-daemon-2.33.0-2.oe2203.aarch64.rpm","git-2.33.0-2.oe2203.aarch64.rpm"],"noarch":["git-help-2.33.0-2.oe2203.noarch.rpm","git-gui-2.33.0-2.oe2203.noarch.rpm","git-web-2.33.0-2.oe2203.noarch.rpm","gitk-2.33.0-2.oe2203.noarch.rpm","perl-Git-SVN-2.33.0-2.oe2203.noarch.rpm","perl-Git-2.33.0-2.oe2203.noarch.rpm","git-email-2.33.0-2.oe2203.noarch.rpm","git-svn-2.33.0-2.oe2203.noarch.rpm"],"src":["git-2.33.0-2.oe2203.src.rpm"],"x86_64":["git-debuginfo-2.33.0-2.oe2203.x86_64.rpm","git-debugsource-2.33.0-2.oe2203.x86_64.rpm","git-daemon-2.33.0-2.oe2203.x86_64.rpm","git-2.33.0-2.oe2203.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1676"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24765"}],"database_specific":{"severity":"High"}}