
348 points dgl | 1 comments
acheong08 No.44504558
Reproduced the issue after a bit: https://github.com/acheong08/CVE-2025-48384. Then immediately went to update my git version. Still not up on Arch yet. Will refrain from pulling anything, but I bet it'll take quite a while for most people to upgrade. Putting it in any reasonably popular repo where there are perhaps automated pulls will be interesting.
replies(2): >>44504609 >>44509460
orblivion No.44504609
So this was disclosed before patching? With all of the alarming "here's how we can pwn your machine" posts turning out to be months after the fact, I figured by now that these blog posts all happen after all the distros have long patched it.

It seems like it would be appropriate to make it clear "this is important now" vs "don't worry you probably already patched this" in the headline to save our time for those who aren't just reading these posts out of interest.

replies(1): >>44504733
acheong08 No.44504733
Commits fixing the bug date back around 3 or 4 weeks. The patched release came 3 weeks ago. Perhaps some parties weren't informed that it's security critical (Homebrew, Arch, etc.) and are now scrambling.
replies(3): >>44504804 >>44505793 >>44505977
dgl No.44505977
I'm not privy to the exact communications that happened, but per the Ubuntu changelog they prepared a patch a week ago [1] (which is about the normal timeline for notification per [2]). Homebrew is not on the distros list, so likely wouldn't have got an early notification. Arch is, but remember "The Arch Security Team is a group of volunteers" [3].

[1]: https://launchpad.net/ubuntu/+source/git/1:2.43.0-1ubuntu7.3

[2]: https://oss-security.openwall.org/wiki/mailing-lists/distros

[3]: https://wiki.archlinux.org/title/Arch_Security_Team