Repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed.
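As a defender-side illustration of the layout the description above refers to, here is an added pre-clone inspection script; it is example code written for this page, not code from the bug report, from Git, or from Red Hat. It reads the text of a repository's .gitmodules together with `git ls-tree -r` output (both constructed samples here, with placeholder object ids) and flags a submodule whose checkout path contains a `.git` component or passes through a symlink tracked in the same tree, matched case-insensitively, which is the condition under which a case-insensitive filesystem can turn a submodule write into a write under .git/. Function names and the sample repository content are assumptions made for this example.

```python
"""Inspect a repository's submodule layout before a recursive clone.

Added example for this bug page (not Git's or Red Hat's code). Given the
text of .gitmodules and `git ls-tree -r <commit>` output, report submodules
whose path could resolve into .git/ on a case-insensitive filesystem:
either a path component case-folds to ".git", or a leading prefix of the
path case-folds to the name of a symlink tracked in the same tree.
"""
import re
from dataclasses import dataclass

SYMLINK_MODE = "120000"  # git tree mode for a symbolic link


@dataclass
class TreeEntry:
    mode: str
    kind: str
    path: str


@dataclass
class Finding:
    submodule: str
    reason: str


def parse_gitmodules(text: str) -> dict:
    """Return {submodule name: path} parsed from .gitmodules content."""
    paths = {}
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r'\[submodule\s+"([^"]+)"\]', line)
        if header:
            name = header.group(1)
            continue
        kv = re.match(r'path\s*=\s*(.+)', line)
        if kv and name is not None:
            paths[name] = kv.group(1).strip()
    return paths


def parse_ls_tree(text: str) -> list:
    """Parse `git ls-tree -r` lines of the form '<mode> <type> <sha>\\t<path>'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        meta, path = line.split("\t", 1)
        mode, kind, _sha = meta.split()
        entries.append(TreeEntry(mode, kind, path))
    return entries


def inspect_submodules(gitmodules: str, ls_tree: str) -> list:
    """Return Findings for submodule paths that look unsafe to check out."""
    paths = parse_gitmodules(gitmodules)
    entries = parse_ls_tree(ls_tree)
    # Symlinks keyed by their case-folded path, so "vendor" matches "Vendor".
    symlinks = {e.path.lower(): e.path for e in entries if e.mode == SYMLINK_MODE}
    findings = []
    for name, path in paths.items():
        parts = [p for p in path.replace("\\", "/").split("/") if p]
        if any(p.lower() == ".git" for p in parts):
            findings.append(Finding(name, f"path {path!r} contains a .git component"))
        for i in range(1, len(parts) + 1):
            prefix = "/".join(parts[:i]).lower()
            if prefix in symlinks:
                findings.append(Finding(
                    name,
                    f"path {path!r} passes through tracked symlink "
                    f"{symlinks[prefix]!r} on a case-insensitive filesystem"))
                break
    return findings


# Constructed sample repository: one ordinary submodule (libs/foo) and one
# whose leading path component case-folds to a tracked symlink (vendor).
SAMPLE_GITMODULES = """\
[submodule "foo"]
\tpath = libs/foo
\turl = https://example.invalid/foo.git
[submodule "tool"]
\tpath = Vendor/tool
\turl = https://example.invalid/tool.git
"""

SAMPLE_LS_TREE = (
    "100644 blob 0000000000000000000000000000000000000000\t.gitmodules\n"
    "120000 blob 1111111111111111111111111111111111111111\tvendor\n"
    "160000 commit 2222222222222222222222222222222222222222\tVendor/tool\n"
    "160000 commit 3333333333333333333333333333333333333333\tlibs/foo\n"
)

if __name__ == "__main__":
    for f in inspect_submodules(SAMPLE_GITMODULES, SAMPLE_LS_TREE):
        print(f"{f.submodule}: {f.reason}")
```

On a real repository the two inputs come from `git cat-file -p <commit>:.gitmodules` and `git ls-tree -r <commit>` run against a non-recursive clone, before any `--recurse-submodules` step; a non-empty result is a reason to stop and inspect rather than to proceed. The check is deliberately conservative and fires even on a case-sensitive filesystem, since the same tree may later be cloned on one that is not. Updating to a Git build that carries the fix remains the actual remedy; the upstream announcement for this bug also notes that disabling symlink support in Git (`core.symlinks false`) defeats the described attack.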
Created git tracking bugs for this issue: Affects: fedora-all [bug 2280422]
Created rubygem-dynect_rest tracking bugs for this issue: Affects: epel-all [bug 2280423]
Created rubygem-rouge tracking bugs for this issue: Affects: fedora-all [bug 2280424]
Created rubygem-stringex tracking bugs for this issue: Affects: fedora-all [bug 2280425]
Created swiftlint tracking bugs for this issue: Affects: fedora-all [bug 2280426]
Just reading the GH announcement [1], the heading states "Recursive clones on case-insensitive filesystems that support symlinks are susceptible to Remote Code Execution". It is interesting that the "case-insensitive filesystems" is not mentioned anywhere here. To me this means that most Linux systems are not affected, which might be interesting information for RH users. [1]: https://github.blog/2024-05-14-securing-git-addressing-5-new-vulnerabilities/#recursive-clones-on-case-insensitive-filesystems-that-support-symlinks-are-susceptible-to-remote-code-execution-cve-2024-32002-critical
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:4084 https://access.redhat.com/errata/RHSA-2024:4084
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:4083 https://access.redhat.com/errata/RHSA-2024:4083
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:4368 https://access.redhat.com/errata/RHSA-2024:4368
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:4579 https://access.redhat.com/errata/RHSA-2024:4579
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Via RHSA-2024:6028 https://access.redhat.com/errata/RHSA-2024:6028
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
Via RHSA-2024:6027 https://access.redhat.com/errata/RHSA-2024:6027
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2024:6610 https://access.redhat.com/errata/RHSA-2024:6610