Mail Archives: cygwin/2021/04/24/16:29:20

From: Adam Dinwoodie <adam AT dinwoodie DOT org>
Date: Sat, 24 Apr 2021 21:28:23 +0100
Message-Id: <announce.CA+kUOa=L=nZHy6ycQyBQAMPStW8cqF2SKOWrQE3hPh0QVsgv8g@mail.gmail.com>
Subject: [ANNOUNCEMENT] Security vulnerability in Git for Cygwin
To: cygwin AT cygwin DOT com
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
Reply-To: cygwin AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces AT cygwin DOT com>

Hi folks,

Version 2.31.1-2 of Git has been uploaded and should be coming soon to
a mirror near you.

This update addresses CVE-2021-29468, which would cause Git to
overwrite arbitrary files with attacker-controlled contents when
checking out content from a malicious repository, and in particular
would allow an attacker to overwrite Git hooks to execute arbitrary
code.

This vulnerability is present on all Cygwin Git versions prior to
v2.31.1-2. Until you have that release, the best mitigation is to not
clone or check out from any untrusted Git repositories.

There is a small amount of additional information in the GitHub
Security Advisory at
https://github.com/me-and/Cygwin-Git/security/advisories/GHSA-rmp3-wq55-f557

If you compile Git on Cygwin yourself, there is currently no upstream
patch that addresses the vulnerability. Until there is, I would
recommend applying the preliminary patch at
https://github.com/me-and/Cygwin-Git/blob/main/check-backslash-safety.patch

I'd like to thank RyotaK (https://github.com/Ry0taK /
https://twitter.com/ryotkak) for finding and responsibly disclosing
this vulnerability, and Johannes Schindelin for helping manage the
response.

Kind regards,

Adam

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
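The announcement describes the impact (checkout from a malicious repository overwriting files, including hooks) but not a check a user can run before checking out. The following is an added example, not code from the announcement or from the Cygwin Git package: a pre-checkout scan of tree entry paths that flags any entry which could escape the worktree or land inside `.git/`. It assumes, as the name of the preliminary patch (check-backslash-safety.patch) suggests, that a backslash in a tree entry is treated as a directory separator when the file is written to disk on Cygwin; the `SAMPLE_TREE` listing is constructed for illustration.

```python
import re
from typing import Iterable, List

# Split on both slash kinds. Assumption (from the patch name in the
# announcement, not a statement in it): on Cygwin a backslash in a tree
# entry acts as a directory separator when the file is written, so a
# checker that only splits on '/' would miss entries that land in .git/.
_SEPARATORS = re.compile(r"[\\/]+")
_DRIVE = re.compile(r"^[A-Za-z]:")


def _is_git_dir_component(component: str) -> bool:
    """True for any spelling a case-insensitive filesystem that also
    ignores trailing dots and spaces would map to '.git'."""
    return component.lower().rstrip(". ") == ".git"


def is_unsafe_tree_path(path: str) -> bool:
    """True if checking out `path` could write outside the worktree
    or into the repository's own .git directory."""
    # Absolute and drive-letter paths escape the worktree outright.
    if path.startswith(("/", "\\")) or _DRIVE.match(path):
        return True
    for component in (c for c in _SEPARATORS.split(path) if c):
        if component == "..":  # parent-directory traversal
            return True
        if _is_git_dir_component(component):  # e.g. .git\hooks\...
            return True
    return False


def unsafe_tree_paths(paths: Iterable[str]) -> List[str]:
    """Filter tree entry paths (e.g. the output of
    `git ls-tree -r --name-only HEAD`) to those that should block checkout."""
    return [p for p in paths if is_unsafe_tree_path(p)]


# Constructed sample tree listing; not taken from any real repository.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    "docs/notes\\2021.txt",        # backslash in a leaf name: harmless
    ".git\\hooks\\post-checkout",  # would land in .git/hooks on Cygwin
    ".GIT./config",                # case / trailing-dot variant of .git
    "../outside.txt",              # parent traversal
    "C:\\Users\\Public\\x.txt",    # drive-letter absolute path
]

if __name__ == "__main__":
    for p in unsafe_tree_paths(SAMPLE_TREE):
        print("refusing checkout, unsafe tree entry:", p)
```

A practical workflow is `git clone --no-checkout`, feed `git ls-tree -r --name-only HEAD` through `unsafe_tree_paths`, and only run `git checkout` when the list comes back empty. Note that a backslash is flagged only when the resulting component is dangerous, so ordinary file names containing one are not rejected.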
