From: Adam Dinwoodie
Date: Sat, 24 Apr 2021 21:28:23 +0100
Subject: Security vulnerability in Git for Cygwin
To: cygwin-announce@cygwin.com

Hi folks,

Version 2.31.1-2 of Git has been uploaded and should be coming soon to a mirror near you.

This update addresses CVE-2021-29468, which would cause Git to overwrite arbitrary files with attacker-controlled contents when checking out content from a malicious repository, and in particular would allow an attacker to overwrite Git hooks to execute arbitrary code. This vulnerability is present on all Cygwin Git versions prior to v2.31.1-2. Until you have that release, the best mitigation is to not clone or check out from any untrusted Git repositories.

There is a small amount of additional information in the GitHub Security Advisory at https://github.com/me-and/Cygwin-Git/security/advisories/GHSA-rmp3-wq55-f557

If you compile Git on Cygwin yourself, there is currently no upstream patch that addresses the vulnerability. Until there is, I would recommend applying the preliminary patch at https://github.com/me-and/Cygwin-Git/blob/main/check-backslash-safety.patch

I'd like to thank RyotaK (https://github.com/Ry0taK / https://twitter.com/ryotkak) for finding and responsibly disclosing this vulnerability, and Johannes Schindelin for helping manage the response.

Kind regards,

Adam
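An added pre-checkout audit, not part of this announcement or of the Cygwin-Git project: it flags tree entry names that would be written inside .git if a backslash were treated as a directory separator. That mechanism is an assumption inferred from the patch name check-backslash-safety.patch, which the announcement itself does not describe; `classify_entry`, `find_unsafe_entries` and `audit_repo` are names chosen here, and the sample entries are constructed.

```python
"""Pre-checkout audit for tree entry names abusing CVE-2021-29468.

Assumption (inferred from the patch name check-backslash-safety.patch, not
stated in the announcement): on Cygwin a backslash in a tree entry name acts
as a directory separator at checkout, so ".git\\hooks\\post-checkout" lands
in the hooks directory. Inspect a `git clone --no-checkout` clone first.
"""
import subprocess

INSIDE_DOT_GIT = "writes inside .git if backslash acts as a separator"
HAS_BACKSLASH = "contains a backslash; treat as suspicious"


def classify_entry(name: str):
    """Return a reason string if NAME looks dangerous, else None."""
    if "\\" not in name:
        return None
    # Read the name as the vulnerable checkout would: backslash == slash.
    components = name.replace("\\", "/").split("/")
    if any(c.lower() == ".git" for c in components):
        return INSIDE_DOT_GIT
    return HAS_BACKSLASH


def find_unsafe_entries(names):
    """Map each suspicious entry name to the reason it was flagged."""
    flagged = {}
    for name in names:
        reason = classify_entry(name)
        if reason is not None:
            flagged[name] = reason
    return flagged


def audit_repo(repo_dir: str, rev: str = "HEAD"):
    """Flag unsafe entries of REV; -z keeps names raw (no C-style quoting)."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "ls-tree", "-r", "-z", "--name-only", rev],
        capture_output=True, text=True, check=True).stdout
    return find_unsafe_entries(n for n in out.split("\0") if n)


# Constructed sample entries, not taken from any real repository.
SAMPLE_ENTRIES = ["README.md", "src/main.c", "docs\\notes.txt",
                  ".git\\hooks\\post-checkout", "sub/.GIT\\config"]

if __name__ == "__main__":
    for name, reason in find_unsafe_entries(SAMPLE_ENTRIES).items():
        print(f"{name!r}: {reason}")
```

Run `audit_repo` against a clone made with `git clone --no-checkout` so nothing is written to disk before the tree has been inspected.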