CVE-2021-29468

Name
CVE-2021-29468
Description
Cygwin Git is a patch set for the git command line tool for the cygwin environment. A specially crafted repository that contains symbolic links as well as files with backslash characters in the file name may cause just-checked out code to be executed while checking out a repository using Git on Cygwin. The problem will be patched in the Cygwin Git v2.31.1-2 release. At time of writing, the vulnerability is present in the upstream Git source code; any Cygwin user who compiles Git for themselves from upstream sources should manually apply a patch to mitigate the vulnerability. As mitigation users should not clone or pull from repositories from untrusted sources. CVE-2019-1354 was an equivalent vulnerability in Git for Visual Studio.
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/me-and/Cygwin-Git/blob/main/check-backslash-safety.patch
MISC https://lore.kernel.org/git/CA+kUOa=juEdBMVr_gyTKjz7PkPt2DZHkXQyzcQmAWCsEHC_ssw@mail.gmail.com/T/#u
MISC https://cygwin.com/pipermail/cygwin-announce/2021-April/010018.html
CONFIRM https://github.com/me-and/Cygwin-Git/security/advisories/GHSA-rmp3-wq55-f557

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:cygwin:git:*:*:*:*:*:*:*:* git >= None <= 2.31.1-1
cpe:2.3:a:cygwin:git:*:*:*:*:*:*:*:* cygwin-git >= None <= 2.31.1-1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
git edge-main 2.31.1-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
git edge-main 2.30.2-r0 None fixed
git edge-main 2.26.2-r0 None fixed
git edge-main 2.26.1-r0 None fixed
git edge-main 2.24.1-r0 None fixed
git edge-main 2.19.1-r0 None fixed
git edge-main 2.17.1-r0 None fixed
git edge-main 2.14.1-r0 None fixed
git 3.22-main 2.30.2-r0 None fixed
git 3.22-main 2.26.2-r0 None fixed
git 3.22-main 2.26.1-r0 None fixed
git 3.22-main 2.24.1-r0 None fixed
git 3.22-main 2.19.1-r0 None fixed
git 3.22-main 2.17.1-r0 None fixed
git 3.22-main 2.14.1-r0 None fixed
git 3.21-main 2.30.2-r0 None fixed
git 3.21-main 2.26.2-r0 None fixed
git 3.21-main 2.26.1-r0 None fixed
git 3.21-main 2.24.1-r0 None fixed
git 3.21-main 2.19.1-r0 None fixed
git 3.21-main 2.17.1-r0 None fixed
git 3.21-main 2.14.1-r0 None fixed
git 3.20-main 2.30.2-r0 None fixed
git 3.20-main 2.26.2-r0 None fixed
git 3.20-main 2.26.1-r0 None fixed
git 3.20-main 2.24.1-r0 None fixed
git 3.20-main 2.19.1-r0 None fixed
git 3.20-main 2.17.1-r0 None fixed
git 3.20-main 2.14.1-r0 None fixed
git 3.19-main 2.30.2-r0 None fixed
git 3.19-main 2.26.2-r0 None fixed
git 3.19-main 2.26.1-r0 None fixed
git 3.19-main 2.24.1-r0 None fixed
git 3.19-main 2.19.1-r0 None fixed
git 3.19-main 2.17.1-r0 None fixed
git 3.19-main 2.14.1-r0 None fixed
git 3.12-main 2.26.3-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
git 3.12-main 2.26.3-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
git 3.11-main 2.24.4-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
git 3.10-main 2.22.5-r0 Natanael Copa <ncopa@alpinelinux.org> fixed