[arch-security] [ASA-201603-20] git: remote code execution
Arch Linux Security Advisory ASA-201603-20
==========================================

Severity: Critical
Date    : 2016-03-20
CVE-ID  : CVE-2016-2324
Package : git
Type    : remote code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package git before version 2.7.4-1 is vulnerable to remote code execution.

Resolution
==========

Upgrade to 2.7.4-1.

# pacman -Syu "git>=2.7.4-1"

The problem has been fixed upstream in versions 2.4.11, 2.5.5, 2.6.6 and 2.7.4.

Workaround
==========

None.

Description
===========

Laël Cellier discovered an integer overflow vulnerability in the path_name() function of git.

Impact
======

A remote attacker can execute arbitrary code by crafting a malicious repository and either directly cloning it or getting a local user to clone it.

References
==========

http://seclists.org/oss-sec/2016/q1/653
https://access.redhat.com/security/cve/CVE-2016-2324
participants (1)
-
Remi Gacogne
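
The following is an added example, not part of the advisory: a shell function that classifies a git version string against the fixed upstream releases listed under Resolution (2.4.11, 2.5.5, 2.6.6, 2.7.4), which is useful for hosts that do not take git from the Arch package. The function names are hypothetical, and it assumes that release series newer than 2.7 carry the fix and that series older than 2.4, for which the advisory names no fixed release, are vulnerable.

```shell
#!/bin/sh
# Added example: classify a git version against the fixed releases named in
# ASA-201603-20 (2.4.11, 2.5.5, 2.6.6, 2.7.4).
# Assumptions: series newer than 2.7 carry the fix; series older than 2.4
# have no fixed release named in the advisory and are reported vulnerable.

# first_fixed_patch MINOR -> first fixed patch level of the 2.MINOR series
first_fixed_patch() {
    case "$1" in
        4) echo 11 ;;
        5) echo 5 ;;
        6) echo 6 ;;
        7) echo 4 ;;
    esac
}

# cve_2016_2324_status VERSION -> prints fixed | vulnerable | unknown
cve_2016_2324_status() {
    ver=${1%%-*}                       # drop a pkgrel such as "-1"
    # cut -s prints nothing when the string has no "." at all
    major=$(printf '%s\n' "$ver" | cut -s -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s\n' "$ver" | cut -s -d. -f3)
    patch=${patch:-0}                  # "2.7" is treated as 2.7.0
    for part in "$major" "$minor" "$patch"; do
        case "$part" in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    if [ "$major" -gt 2 ]; then echo fixed; return 0; fi
    if [ "$major" -lt 2 ]; then echo vulnerable; return 0; fi
    if [ "$minor" -gt 7 ]; then echo fixed; return 0; fi
    if [ "$minor" -lt 4 ]; then echo vulnerable; return 0; fi
    if [ "$patch" -ge "$(first_fixed_patch "$minor")" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Report on the locally installed git, if there is one.
if command -v git >/dev/null 2>&1; then
    installed=$(git --version | awk '{print $3}')
    echo "git $installed: $(cve_2016_2324_status "$installed")"
fi
```

A distribution may backport the fix without changing the upstream version number, so a "vulnerable" result for a vendor-packaged git should be checked against that vendor's own advisory.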