Launchpad.net

CVE 2018-11235

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.

Related bugs and status

CVE-2018-11235 (Candidate) is related to these bugs:

Bug #1774061: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules

Summary				In	Importance	Status
	1774061	git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules		git (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: https://blogs.msdn.mic...
MISC: https://marc.info/?l=g...
DEBIAN: DSA-4212
SECTRACK: 1040991
BID: 104345
EXPLOIT-DB: 44822
UBUNTU: USN-3671-1
REDHAT: RHSA-2018:1957
REDHAT: RHSA-2018:2147
GENTOO: GLSA-201805-13
SUSE: openSUSE-SU-2020:0598