Hide Forgot
On multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended for all users and another user created a repository in `/scratch/.git`. Merely having a Git-aware prompt that runs `git status` (or `git diff`) and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user via `/scratch/.git/config`.
Per https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/ the issue has been fixed in git-2.30.3, git-2.31.2, git-2.32.1, git-2.33.2, git-2.34.2, git-2.35.2, and git-2.36.0-rc2. I pushed 2.36.0.rc2 to rawhide late last night. I'm going to wait just a bit before pushing any fixes to the stable releases. I'd like to be more confident the changes don't cause major problems. It could cause issue for CI workflows, for example.
New releases for each of the maintenance tracks have been made which add the ability to specify 'safe.directory=*' as a broad "escape hatch" from the changes. https://lore.kernel.org/git/xmqq1qy04iqa.fsf@gitster.g/ is the release announcement. The relevant commits: https://github.com/git/git/commit/e47363e5a8 (t0033: add tests for safe.directory, 2022-04-13) https://github.com/git/git/commit/bb50ec3cc3 (setup: fix safe.directory key not being checked, 2022-04-13) https://github.com/git/git/commit/0f85c4a30b (setup: opt-out of check with safe.directory=*, 2022-04-13)
Created git tracking bugs for this issue: Affects: fedora-all [bug 2078716]
The doc text seems slightly inaccurate. There was no `safe.directory` option to check prior to this release. It also doesn't allow access to the repository by any user. The issue is that the owner of the repository can cause commands to be run for any other user who already has access to the repository (which can occur by just changing into the repository if the user has configured git to show repo info in their shell prompt). Perhaps it could say something like this: A vulnerability was found in Git. This flaw occurs due to Git not checking the ownership of directories in a local multi-user system when running commands specified in the local repository configuration. This allows the owner of the repository to cause arbitrary commands to be executed by other users who access the repository.
marking Services affected/delegated for presence of affected code, however the incidence of this issue actually occurring would appear highly unlikely at best
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2319 https://access.redhat.com/errata/RHSA-2023:2319
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2859 https://access.redhat.com/errata/RHSA-2023:2859
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24765