Code execution bug in malicious repositories resolved by Git Project

[silversurfer]

The Git Project has disclosed the existence of a severe vulnerability which can lead to the execution of arbitrary code.

The vulnerability, CVE-2018-17456, was disclosed on Friday. The option-injection attack can be used to compromise the software's submodules. Malicious repositories which are cloned and use a .gitmodules file with a URL field beginning with a '-' character can be used to execute code at the time of processing.

CVE-2018-17456 is similar to CVE-2017-1000117, another option-injection attack which related to the handling of "ssh" URLs in Git software. The latter issue could be used to execute shell commands with the privileges of the user running the Git client when performing a clone action on a malicious repository.

Source: https://www.zdnet.com/article/code-execu...t-project/