On case-insensitive filesystems, with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone.
Created attachment 1760809: git upstream patch against v2.17.6
Created git tracking bugs for this issue: Affects: fedora-all [bug 1937166]
Mitigation: If symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. before cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources.
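A local check for the preconditions and mitigations listed above, as an added example that is not part of this bug report or of Git itself. The function names are hypothetical, and it assumes the delay-capable filters in question are the ones registered globally under filter.<name>.process, which is how Git LFS installs itself.

```shell
#!/bin/sh
# Added example: evaluates the preconditions named in the flaw description.
# Function names are hypothetical. Usage: check_clone_target /path/to/clone/into

# List globally configured long-running filters (filter.<name>.process).
# Only these can be delay-capable; Git LFS registers filter.lfs.process.
global_process_filters() {
    git config --global --get-regexp '^filter\..*\.process$' 2>/dev/null
}

# Return 0 if DIR is on a case-insensitive filesystem, 1 if not, 2 on error.
fs_is_case_insensitive() {
    probe_dir=$(mktemp -d "${1:-.}/ci-probe.XXXXXX") || return 2
    : > "$probe_dir/probe"
    if [ -e "$probe_dir/PROBE" ]; then probe_rc=0; else probe_rc=1; fi
    rm -rf "$probe_dir"
    return "$probe_rc"
}

# verdict SYMLINKS FILTERS CASE_INSENSITIVE
# Mitigations are reported first; anything not positively ruled out
# (including an "unknown" filesystem probe) is treated as preconditions met.
verdict() {
    if [ "$1" = false ]; then
        echo "mitigated: core.symlinks is false"
    elif [ "$2" = no ]; then
        echo "mitigated: no global process filter configured"
    elif [ "$3" = no ]; then
        echo "preconditions not met: case-sensitive filesystem"
    else
        echo "preconditions met: apply a mitigation or a patched git"
    fi
}

check_clone_target() {
    dir=${1:-.}
    symlinks=$(git config --global --bool core.symlinks 2>/dev/null) || symlinks=unset
    if global_process_filters >/dev/null; then filters=yes; else filters=no; fi
    if fs_is_case_insensitive "$dir"; then ci=yes
    elif [ $? -eq 1 ]; then ci=no
    else ci=unknown
    fi
    verdict "$symlinks" "$filters" "$ci"
}
```

Source the file and run check_clone_target against the directory you intend to clone into; the filesystem probe only applies to that directory's filesystem.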
(In reply to Huzaifa S. Sidhpurwala from comment #9)
> Statement:
>
> This vulnerability affects case-insensitive file systems, therefore typical
> Linux scenarios should be safe. However as per upstream exploitation is even
> possible on Linux under certain circumstances.

Those circumstances would be running git on a case-insensitive filesystem with support for symbolic links when certain clean/smudge filters are configured globally (e.g. Git LFS), correct? I know when I read the announcement earlier today I didn't think many Fedora Linux users should be vulnerable to this issue.
Acknowledgments: Name: Matheus Tavares
Statement: This vulnerability affects case-insensitive file systems, so typical Linux scenarios should be safe. However, as per upstream, exploitation is even possible on Linux under certain circumstances. Red Hat CodeReady Studio 12 is not affected by this flaw because the JBoss Forge addon uses JGit, which is a different (Java) Git implementation from git itself.