Git is one of the most used software of every coder and advanced user’s life, right? It allows managing, building and exploring the world of different software and other services right from your device. Git is obviously a popular choice. Recently, Git client was updated that fixes a few really critical issues in the system.
The latest release of Git is currently v2.17.1. This and the future versions are likely to prevent security bugs CVE-2018-11235 and CVE-2018-11233. Among these two, the first one is the most dangerous, as it would allow a crook execute codes on a remote client.
You should update your Git client right now. If you’re using any other Git clients than the official one, you should update your software as soon as the vendor releases update.
Arbitrary code execution on users’ PCs
Using specially built Git submodule, a malicious actor could potentially execute codes on others’ PCs. When the user would clone the repo, the way of Git’s submodule handling should allow the execution.
Server-side fixes for Git hosting services
Git client isn’t the only bugged side here. Git’s server-side components are also patched up. This new fix allows the Git hosting service identify if there’re any malicious codes within the hosted repository(s) and sub-modules of those for preventing the potential attack.
According to Jeff King, a GitHub staff member, the server part was the heaviest to accomplish. The detection of the flaw also required a lot of refactoring. King worked on the Git patches where the other teammates worked on VSTS, JGit, and libgit2 etc.
Here’s an in-depth and technical explanation of the patched up vulnerability (CVE-2018-11235). The credit for discovering this vulnerability goes to Etienne Stalmans who reported the vulnerability via the bounty program of GitHub.