The Git team has issued an update to fix a bug in Git for Windows that “affects multi-user hardware where untrusted parties have write access to the same hard disk,” reports The Register. Specifically, the update is concerned with CVE-2022-24765. From the report: Arguably, if an “untrusted party” has write access to a hard disk, then all bets are off when it comes to the nooks and crannies of a PC anyway. In this case, the miscreants would only need to create the folder c:\.git, “which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory,” according to NIST. The result is that Git would use the config in the directory.
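A defender-side check for the condition described above, as an added example rather than code from Git or from the report: it walks from a working directory up to the filesystem root and lists each `.git` entry an upward search would reach, flagging any not owned by the current user. The function name, the result fields and the POSIX-style owner comparison are assumptions of this example, and the sample tree is constructed.

```python
import os
import tempfile
from pathlib import Path


def find_ancestor_git_dirs(start, trusted_uid=None):
    """List every `.git` entry in `start` and its ancestors, nearest first.

    These are the locations a Git command run from `start` can reach while
    searching upward for a Git directory.
    """
    if trusted_uid is None and hasattr(os, "getuid"):
        trusted_uid = os.getuid()  # assumption: POSIX numeric owner ids
    findings = []
    current = Path(start).resolve()
    for directory in (current, *current.parents):
        candidate = directory / ".git"
        if not os.path.lexists(candidate):
            continue
        owner = candidate.lstat().st_uid
        findings.append({
            "path": str(candidate),
            "inside_start": directory == current,
            "has_config": (candidate / "config").is_file(),
            "owner_uid": owner,
            # A .git created by another account is the case the report describes.
            "foreign_owner": trusted_uid is not None and owner != trusted_uid,
        })
    return findings


def demo():
    """Constructed tree: <tmp>/.git/config sits above <tmp>/home/alice/notes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        (root / ".git").mkdir()
        (root / ".git" / "config").write_text("[core]\n")
        workdir = root / "home" / "alice" / "notes"
        workdir.mkdir(parents=True)
        # Keep only hits inside the constructed tree.
        return [f for f in find_ancestor_git_dirs(workdir)
                if f["path"].startswith(str(root))]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A hit with `inside_start` false and `foreign_owner` true is the one to investigate; on Windows the owner has to be read from the directory's security descriptor instead of `st_uid`.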
NIST went on to list potentially vulnerable products, which included Visual Studio. “Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash.” The Git team was