Git security fixes released

Post Syndicated from original https://lwn.net/Articles/891112/

Git maintainer Junio C Hamano has announced the release of v2.35.2, along with multiple other Git versions (“v2.30.3, v2.31.2, v2.32.1, v2.33.2, and v2.34.2”), to fix a security problem that can happen on multi-user machines (CVE-2022-24765). This GitHub blog post has more details, though the GitHub service itself is not vulnerable. The description in the announcement seems a bit Windows-centric, but Linux multi-user systems are apparently vulnerable as well:

On multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g. when another user created a repository in `C:\.git`, in a mounted network drive or in a scratch space. Merely having a Git-aware prompt that runs `git status` (or `git diff`) and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user.
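As an added illustration (not code from the Git announcement, the GitHub post, or LWN), the POSIX shell helper below mirrors the upward repository discovery the announcement describes and the ownership check that the fixed Git versions apply before trusting a discovered `.git` directory: a prompt helper consults it before running `git status`. Function names and the optional ceiling parameter (which imitates GIT_CEILING_DIRECTORIES) are my own assumptions.

```shell
#!/bin/sh
# Walk upward from directory $1 looking for a .git directory, the way Git
# discovers a repository before running `git status`. The optional $2 acts
# like GIT_CEILING_DIRECTORIES: the walk stops there (that directory itself
# is still examined). Prints the .git path found; exit 1 when none exists.
find_git_dir() {
    d=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    ceiling=${2:-/}
    while :; do
        if [ -d "$d/.git" ]; then
            printf '%s\n' "$d/.git"
            return 0
        fi
        [ "$d" = "$ceiling" ] && return 1
        [ "$d" = "/" ] && return 1
        d=$(dirname "$d")
    done
}

# Numeric owner of a path: GNU stat first, BSD/macOS stat as fallback.
owner_uid() {
    stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# check_worktree DIR [EXPECTED_UID] [CEILING]
# Prints "none" when no repository is discovered, "safe" when its .git
# directory is owned by EXPECTED_UID (default: the calling user), and
# "unsafe" otherwise (exit status 1 so callers can short-circuit). A .git
# owned by another user is exactly the CVE-2022-24765 situation.
check_worktree() {
    me=${2:-$(id -u)}
    gd=$(find_git_dir "$1" "${3:-/}") || { echo none; return 0; }
    if [ "$(owner_uid "$gd")" = "$me" ]; then
        echo safe
        return 0
    fi
    echo "refusing: $gd is owned by uid $(owner_uid "$gd"), not $me" >&2
    echo unsafe
    return 1
}

# What a Git-aware prompt should do: run the check before asking Git,
# so config from a foreign .git directory is never consulted.
safe_git_status() {
    check_worktree "$1" >/dev/null && git -C "$1" status --short
}
```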