[ASA-201807-2] git-annex: multiple issues
Jelle van der Waa
jelle at archlinux.org
Wed Jul 4 11:50:13 UTC 2018
Arch Linux Security Advisory ASA-201807-2
Date : 2018-07-04
CVE-ID : CVE-2018-10857 CVE-2018-10859
Package : git-annex
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-725
The package git-annex before version 6.20180626-1 is vulnerable to
multiple issues including arbitrary filesystem access and information
Upgrade to 6.20180626-1.
# pacman -Syu "git-annex>=6.20180626-1"
The problems have been fixed upstream in version 6.20180626.
- CVE-2018-10857 (arbitrary filesystem access)
Some uses of git-annex were vulnerable to a private data exposure and
exfiltration attack. It could expose the content of files located
outside the git-annex repository, or content from a private web server
on localhost or the LAN.
- CVE-2018-10859 (information disclosure)
A malicious server for a special remote could trick git-annex into
decrypting a file that was encrypted to the user's gpg key. This attack
could be used to expose encrypted data that was never stored in git-
A remote attacker is able to read arbitrary files on the filesystem or
decrypt encrypted files by modifying the git-annex repository.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: not available
More information about the arch-security