Git Submodule Vulnerability Announced
Blog post from GitHub
A vulnerability identified as CVE-2018-17456 in Git allowed arbitrary code execution while cloning a malicious repository. Git v2.19.1 and a set of backports were released to fix it. Users are advised to update their Git clients to avoid exposure, particularly when handling untrusted submodules; specific instructions are provided for GitHub Desktop and Atom users to secure those applications.

Although GitHub.com and GitHub Enterprise are not directly affected, they have implemented measures to detect and reject malicious repositories, and updated GitHub Enterprise versions were released on October 9.

The vulnerability, akin to a previous one, was an option-injection attack involving submodules, and was responsibly disclosed to allow time for remediation before being made public. The Git community, in collaboration with GitHub developers, audited the relevant code and implemented stricter validation of .gitmodules values, improving detection of potentially harmful submodules. JGit and libgit2 were found to be unaffected because they handle submodules differently, and a comprehensive scan of GitHub repositories found no active exploitation of this vulnerability.
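The post mentions stricter validation of .gitmodules values as the detection-side response to an option-injection attack. Option injection in general relies on a value that begins with "-" reaching a command line where it is mistaken for an option, so a minimal repository-scanning check is to parse .gitmodules and flag any url or path value with a leading dash. The following is an added illustration written for this page, not code from Git or GitHub; the parser, the function names, the sample .gitmodules content and the extra path-sanity check (absolute paths and ".." components) are all constructed here and go beyond what the post itself describes.

```python
import re
from typing import Dict, List

# Constructed sample .gitmodules: one well-formed entry and one whose
# url begins with "-", the hallmark of an option-injection value.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "suspicious"]
\tpath = vendor/suspicious
\turl = -option-looking-value
"""

# [submodule "name"] section headers and  key = value  lines, as written
# by `git submodule add`. Inline comments are not handled; this is a
# deliberately small parser for scanning, not a full git-config reader.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
KEY_VALUE_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Return {submodule name: {key: value}} for a .gitmodules file body."""
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank or comment line
        section = SECTION_RE.match(raw)
        if section:
            current = modules.setdefault(section.group(1), {})
            continue
        kv = KEY_VALUE_RE.match(raw)
        if kv and current is not None:
            current[kv.group(1).lower()] = kv.group(2)
    return modules


def check_gitmodules(text: str) -> List[str]:
    """Flag submodule entries whose url/path could be misread as an option
    or that point outside the worktree. Returns human-readable findings."""
    findings: List[str] = []
    for name, cfg in parse_gitmodules(text).items():
        for key in ("url", "path"):
            value = cfg.get(key)
            if value is None:
                findings.append(f"{name}: missing {key}")
                continue
            if value.startswith("-"):
                findings.append(
                    f'{name}: {key} begins with "-" (possible option injection)'
                )
        # Assumed extra hygiene check, not from the post: a submodule path
        # should stay inside the repository's worktree.
        path = cfg.get("path", "")
        parts = path.replace("\\", "/").split("/")
        if path.startswith("/") or ".." in parts:
            findings.append(f"{name}: path escapes the worktree")
    return findings


if __name__ == "__main__":
    for finding in check_gitmodules(SAMPLE_GITMODULES):
        print(finding)
```

Run against a checked-out repository by passing the contents of its .gitmodules to `check_gitmodules`; a non-empty result is a reason to stop before any recursive submodule operation, which is the point at which the post says the injected values would have been consumed.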