CVE-2024-32465

Publication date 14 May 2024

Last updated 19 September 2024


Ubuntu priority

Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.

Status

Package Ubuntu Release Status
git 24.04 LTS noble
Fixed 1:2.43.0-1ubuntu7.1
23.10 mantic
Fixed 1:2.40.1-1ubuntu1.1
22.04 LTS jammy
Fixed 1:2.34.1-1ubuntu1.11
20.04 LTS focal
Fixed 1:2.25.1-1ubuntu3.12
18.04 LTS bionic
16.04 LTS xenial
Not affected

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro