The Git project recommends not working directly in untrusted repositories, and instead cloning them first with git clone --no-local to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: for example, when obtaining a .zip file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository.
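A defensive check in the spirit of the description above, added here as an example (it is not the Git project's code nor part of this bug report): before any git command runs inside a repository unpacked from an archive, list hook scripts and any core.hooksPath override in the repository's own config, and only then take the recommended `git clone --no-local` copy. Function names and paths are this example's own; `core.hooksPath` is an existing Git configuration key that redirects hook lookup.

```shell
#!/bin/sh
# Added example, not code from the Git project or this bug report.
# Audit a repository that arrived as an archive (.zip, tarball) for hooks
# git would execute, and only then take a clean copy with
# `git clone --no-local`. Function names are this example's own.

# active_hooks REPO_DIR
# Prints hook files found in .git/hooks other than the *.sample templates
# a fresh `git init` creates. Git only executes a hook that carries the
# execute bit, but reporting every non-sample file is the safer default:
# permissions inside an untrusted archive are not something to rely on.
active_hooks() {
    hooks_dir="$1/.git/hooks"
    [ -d "$hooks_dir" ] || return 0
    find "$hooks_dir" -type f ! -name '*.sample'
}

# hooks_path_override REPO_DIR
# Prints any core.hooksPath line in the repository-local config; that key
# makes git look for hooks in an arbitrary directory shipped in the archive.
hooks_path_override() {
    cfg="$1/.git/config"
    [ -f "$cfg" ] || return 0
    grep -i 'hooksPath' "$cfg" || true
}

# audit_untrusted_repo REPO_DIR
# Returns 0 when neither hooks nor a hooksPath override were found,
# 1 otherwise, listing the findings on stdout.
audit_untrusted_repo() {
    findings="$(active_hooks "$1"; hooks_path_override "$1")"
    if [ -n "$findings" ]; then
        printf 'refusing %s: hooks present\n%s\n' "$1" "$findings"
        return 1
    fi
    return 0
}

# clean_clone SRC DST
# Takes the clean copy the Git project recommends, but only after the audit.
clean_clone() {
    audit_untrusted_repo "$1" || return 1
    git clone --no-local "$1" "$2"
}
```

Run `audit_untrusted_repo path/to/unpacked-repo` from outside the repository; a non-zero exit means inspect the listed files before doing anything else with it.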
Created git tracking bugs for this issue:
Affects: fedora-all [bug 2280450]
Created rubygem-dynect_rest tracking bugs for this issue:
Affects: epel-all [bug 2280447]
Created rubygem-rouge tracking bugs for this issue:
Affects: fedora-all [bug 2280448]
Created rubygem-stringex tracking bugs for this issue:
Affects: fedora-all [bug 2280451]
Created swiftlint tracking bugs for this issue:
Affects: fedora-all [bug 2280449]
Created git tracking bugs for this issue:
Affects: fedora-all [bug 2280456]
Created rubygem-dynect_rest tracking bugs for this issue:
Affects: epel-all [bug 2280453]
Created rubygem-rouge tracking bugs for this issue:
Affects: fedora-all [bug 2280454]
Created rubygem-stringex tracking bugs for this issue:
Affects: fedora-all [bug 2280457]
Created swiftlint tracking bugs for this issue:
Affects: fedora-all [bug 2280455]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:4084 https://access.redhat.com/errata/RHSA-2024:4084
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:4083 https://access.redhat.com/errata/RHSA-2024:4083
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:4368 https://access.redhat.com/errata/RHSA-2024:4368