| Summary: | git-lfs security update CVE-2021-21237 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Zombie Ryushu <zombie_ryushu> |
| Component: | Security | Assignee: | Mageia Bug Squad <bugsquad> |
| Status: | RESOLVED INVALID | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | ouaurelien |
| Version: | Cauldron | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://nvd.nist.gov/vuln/detail/CVE-2021-21237 | | |
| Whiteboard: | | | |
| Source RPM: | git-lfs-2.12.1-1.mga8.src.rpm | CVE: | CVE-2021-21237 |
| Status comment: | | | |

Description
Zombie Ryushu
2021-02-19 14:55:17 CET
Zombie Ryushu
2021-02-19 14:55:33 CET
CVE: (none) => CVE-2021-21237

(In reply to Zombie Ryushu from comment #0)
> Windows, if Git LFS operates on a malicious repository with a git.bat or
> git.exe file in the current directory, that program would be executed,
> permitting the attacker to execute arbitrary code. This does not affect Unix
> systems. This is the result of an incomplete fix for CVE-2020-27955. This
> issue occurs because on Windows, Go includes (and prefers) the current
> directory when the name of a command run does not contain a directory
> separator. Other than avoiding untrusted repositories or using a different
> operating system, there is no workaround. This is fixed in v2.13.2.

This does not affect Unix systems. Bug for Windows systems.

CC: (none) => ouaurelien
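
The quoted advisory attributes the issue to command lookup that includes the current directory. As an added example (not part of this bug report and not Git LFS's own code), the Go sketch below resolves a bare command name from absolute PATH entries only, so a `git.bat` or `git.exe` sitting in a repository's working directory is never selected. The names `lookPathNoCwd` and `ErrNotFound` and the extension list are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrNotFound (hypothetical name) is returned when no absolute PATH
// entry contains the requested command.
var ErrNotFound = errors.New("command not found in absolute PATH entries")

// lookPathNoCwd (hypothetical helper) resolves a bare command name using
// only the absolute directories in pathEnv. It never consults the current
// directory and skips empty or relative PATH entries, which also resolve
// against the current directory. exts lists the suffixes to try, for
// example {".exe", ".bat"} on Windows or {""} on Unix. The Unix
// executable-bit check is left out to keep the lookup rule in focus.
func lookPathNoCwd(name, pathEnv string, exts []string) (string, error) {
	if strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("%q is not a bare command name", name)
	}
	for _, dir := range filepath.SplitList(pathEnv) {
		if !filepath.IsAbs(dir) {
			continue // "", "." and other relative entries mean the cwd
		}
		for _, ext := range exts {
			candidate := filepath.Join(dir, name+ext)
			info, err := os.Stat(candidate)
			if err == nil && info.Mode().IsRegular() {
				return candidate, nil
			}
		}
	}
	return "", ErrNotFound
}

func main() {
	// Resolve git once, then run the returned absolute path instead of "git".
	path, err := lookPathNoCwd("git", os.Getenv("PATH"), []string{"", ".exe", ".bat"})
	if err != nil {
		fmt.Println("lookup failed:", err)
		return
	}
	fmt.Println("would execute:", path)
}
```
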