The Git Project announced Vulnerability-related.DiscoverVulnerability yesterday a critical arbitrary code execution vulnerability in the Git command line client , Git Desktop , and Atom that could allow malicious repositories to remotely execute commands on a vulnerable machine . This vulnerability has been assigned Vulnerability-related.DiscoverVulnerability the CVE-2018-17456 ID and is similar to a previous CVE-2017-1000117 option injection vulnerability . Like the previous vulnerability , a malicious repository can create a .gitmodules file that contains an URL that starts with a dash . By using a dash , when Git clones a repository using the -- recurse-submodules argument , the command will interpret the URL as an option , which could then be used to perform remote code execution on the computer . `` When running `` git clone -- recurse-submodules '' , Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a `` git clone '' subprocess . If the URL field is set to a string that begins with a dash , this `` git clone '' subprocess interprets the URL as an option . This can lead to executing an arbitrary script shipped in the superproject as the user who ran `` git clone '' . '' This vulnerability has been fixed Vulnerability-related.PatchVulnerability in Git v2.19.1 ( with backports in v2.14.5 , v2.15.3 , v2.16.5 , v2.17.2 , and v2.18.1 ) , GitHub Desktop 1.4.2 , Github Desktop 1.4.3-beta0 , Atom 1.31.2 , and Atom 1.32.0-beta3 . The Git Project strongly recommends Vulnerability-related.PatchVulnerability that all users upgrade Vulnerability-related.PatchVulnerability to the latest version of the Git client , Github Desktop , or Atom in order to be protected from malicious repositories .

The Git community has disclosed Vulnerability-related.DiscoverVulnerability a security vulnerability affecting Vulnerability-related.DiscoverVulnerability the clone and submodule commands that could enable remote code execution when vulnerable machines access malicious repositories . The vulnerability , which has been assigned Vulnerability-related.DiscoverVulnerability CVE–2018–17456 by Mitre , has been fixed Vulnerability-related.PatchVulnerability in Git 2.19.1 . To trigger the vulnerability , a malicious repository could forge a .gitmodules containing an URL starting with a dash . This would affect Vulnerability-related.DiscoverVulnerability both git clone -- recurse-submodules and git submodule update -- recursive in that they would recursively pass the URL starting with a dash to a git clone or git submodule subprocess that would interpret the URL as a command option . This could lead to executing an arbitrary command on the local machine . This vulnerability is similar to CVE–2017–1000117 , which also enabled an option-injection attack by forging ssh URLs starting with a dash that would be interpreted as an option by the ssh subprocess executed by git . No exploits are known at the moment . We were also able to use the time to scan all repositories on GitHub for evidence of the attack being used in the wild . As shown in the PR fixing Vulnerability-related.PatchVulnerability the vulnerability , submitted by @ joernchen , the fix is quite trivial in itself . Yet , this discovery provided the opportunity for an overall audit of .gitmodules , which led to implementing stricter checks on both paths and URLs found inside of it . As mentioned , the fix for this vulnerability is included in Git 2.19.1 . Additionally , it has been backported Vulnerability-related.PatchVulnerability to versions 2.14.5 , 2.15.3 , 2.16.5 , 2.17.2 , and 2.18.1 . Since git is integrated in GitHub projects such as GitHub Desktop and Atom , those have been patched Vulnerability-related.PatchVulnerability as well , so you will be better off upgrading Vulnerability-related.PatchVulnerability them as soon as possible .

A security flaw affecting Vulnerability-related.DiscoverVulnerability LibreOffice and Apache OpenOffice has been fixed Vulnerability-related.PatchVulnerability in one of the two open-source office suites . The other still appears to be vulnerable Vulnerability-related.DiscoverVulnerability . Before attempting to guess which app has yet to be patched Vulnerability-related.PatchVulnerability , consider that Apache OpenOffice for years has struggled attract more contributors . And though the number of people adding code to the project has grown since last we checked , the project missed its recent January report to the Apache Foundation . The upshot is : security holes are n't being patched Vulnerability-related.PatchVulnerability , it seems . The issue , identified Vulnerability-related.DiscoverVulnerability by security researcher Alex Inführ , is that there 's a way to achieve remote code execution by triggering an event embedded in an ODT ( OpenDocument Text ) file . In a blog post on Friday , Inführ explains Vulnerability-related.DiscoverVulnerability how he found Vulnerability-related.DiscoverVulnerability a way to abuse the OpenDocument scripting framework by adding an onmouseover event to a link in an ODT file . The event , which fires when a user 's mouse pointer moves over the link , can traverse local directories and execute a local Python script . After trying various approaches to exploit the vulnerability , Inführ found Vulnerability-related.DiscoverVulnerability that he could rig the event to call a specific function within a Python file included with the Python interpreter that ships with LibreOffice . `` For the solution I looked into the Python parsing code a little more in depth and discovered that it is not only possible to specify the function you want to call inside a python script , but it is possible to pass parameters as well , '' he said . The exploit was tested on Windows , and should work on Linux , too . Inführ says Vulnerability-related.DiscoverVulnerability he reported Vulnerability-related.DiscoverVulnerability the bug on October 18 and it was fixed Vulnerability-related.PatchVulnerability in LibreOffice by the end of the month . RedHat assigned Vulnerability-related.DiscoverVulnerability it CVE-2018-16858 in mid-November and gave Inführ a disclosure Vulnerability-related.DiscoverVulnerability date of January 31 , 2019 . When he published Vulnerability-related.DiscoverVulnerability on February 1 , in conjunction with the LibreOffice fix notification , OpenOffice still had not been patched Vulnerability-related.PatchVulnerability . Inführ says Vulnerability-related.DiscoverVulnerability he reconfirmed Vulnerability-related.DiscoverVulnerability that he could go ahead with disclosure Vulnerability-related.DiscoverVulnerability even though OpenOffice 4.16 has yet to be fixed Vulnerability-related.PatchVulnerability . His proof-of-concept exploit does n't work with OpenOffice out-of-the-box because the software does n't allow parameters to be passed in the same way as the unpatched version of LibreOffice did . However , he says Vulnerability-related.DiscoverVulnerability that the path traversal issue can still be abused to execute a local Python file and cause further mischief and damage . We 're imagining specifically targeted netizens being tricked Attack.Phishing into opening a ZIP file , unpacking an ODT and Python script , and then the ODT document attempting to execute the Python script when the victim rolls their mouse over a link , for instance . The Register tried to reach two OpenOffice contributors to find out what 's going on . We 've not heard back . According to Inführ , OpenOffice users can mitigate the risk by removing or renaming the pythonscript.py file in the installation folder .