Git Security Update for Arch Linux
Posted on: 10/10/2018 07:06 AM

Updated git packages has been released for Arch Linux

Git Security Update for Arch Linux

Arch Linux Security Advisory ASA-201810-7

Severity: High
Date : 2018-10-09
CVE-ID : CVE-2018-17456
Package : git
Type : arbitrary code execution
Remote : Yes
Link :


The package git before version 2.19.1-1 is vulnerable to arbitrary code


Upgrade to 2.19.1-1.

# pacman -Syu "git>=2.19.1-1"

The problem has been fixed upstream in version 2.19.1.




A security issue has been found in git versions prior to 2.19.1, which
allows an attacker to execute arbitrary code by crafting a malicious
.gitmodules file in a project cloned with --recurse-submodules.
When running "git clone --recurse-submodules", Git parses the supplied
.gitmodules file for a URL field and blindly passes it as an argument
to a "git clone" subprocess. If the URL field is set to a string that
begins with a dash, this "git clone" subprocess interprets the URL as an
option. This can lead to executing an arbitrary script shipped in the
superproject as the user who ran "git clone".


A remote attacker can execute arbitrary code on the affected host by
convincing a local user to clone a specially crafted git repository and
its sub-modules.


Printed from Linux Compatible (