SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Apple Xcode Vendors:   Apple
(Apple Issues Fix for Apple Xcode) Git Submodule Name Validation Flaw Lets Remote Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID:  1041119
SecurityTracker URL:  http://securitytracker.com/id/1041119
CVE Reference:   CVE-2018-11233, CVE-2018-11235
Date:  Jun 13 2018
Impact:   Disclosure of system information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Two vulnerabilities were reported in Git. A remote user can execute arbitrary code on the target system. A user can obtain portions of system memory. Apple Xcode is affected.

The software does not properly validate submodule "names" supplied via the untrusted .gitmodules file when appending them to the '$GIT_DIR/modules' directory. A remote repository can return specially crafted data to create or overwrite files on the target user's system when the repository is cloned, causing arbitrary code to be executed on the target user's system [CVE-2018-11235].
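As an added illustration (not from the advisory, and not Git's own source), the following Python check mirrors the validation rule described above: a submodule name taken from .gitmodules is rejected if it is empty or if any component, split on both '/' and '\', is "..", so it can no longer escape '$GIT_DIR/modules'. The header-only parser and the sample .gitmodules are constructed for this example and ignore git's escaped-quote syntax.

```python
import re
from typing import List

# Matches a git config section header of the form [submodule "name"].
# Assumption: names contain no escaped quotes (git also unescapes \" and \\).
SUBMODULE_SECTION = re.compile(r'^\s*\[\s*submodule\s+"([^"]*)"\s*\]\s*$')


def check_submodule_name(name: str) -> bool:
    """Return True if the name is safe to append to $GIT_DIR/modules.

    Rejects empty names and any name containing a ".." path component.
    Both '/' and '\\' count as separators so the rule is the same on
    every platform, not just the one the clone happens to run on.
    """
    if not name:
        return False
    return all(component != ".." for component in re.split(r"[/\\]", name))


def parse_submodule_names(gitmodules_text: str) -> List[str]:
    """Extract submodule names from the section headers of .gitmodules."""
    names = []
    for line in gitmodules_text.splitlines():
        match = SUBMODULE_SECTION.match(line)
        if match:
            names.append(match.group(1))
    return names


def find_unsafe_submodules(gitmodules_text: str) -> List[str]:
    """Return the submodule names that fail the validation rule."""
    return [name for name in parse_submodule_names(gitmodules_text)
            if not check_submodule_name(name)]


# Constructed sample: one ordinary submodule and one whose name climbs out
# of $GIT_DIR/modules with ".." components, the shape of the reported flaw.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../../../escaped"]
\tpath = vendored/escaped
\turl = https://example.invalid/other.git
"""

if __name__ == "__main__":
    for bad_name in find_unsafe_submodules(SAMPLE_GITMODULES):
        print(f"rejected submodule name: {bad_name!r}")
```

Run against a repository's .gitmodules before cloning with --recurse-submodules, the list returned by find_unsafe_submodules is exactly what a patched Git refuses to process.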

Etienne Stalmans reported this vulnerability.

A user can exploit an input validation flaw in processing path names on NTFS-based systems to read random memory contents [CVE-2018-11233].

Impact:   A remote user can execute arbitrary code on the target system.

A user can obtain portions of system memory.

Solution:   Apple has issued a fix for Apple Xcode (9.4.1).

The Apple advisory is available at:

https://support.apple.com/en-us/HT208895

Vendor URL:  support.apple.com/en-us/HT208895
Cause:   Input validation error
Underlying OS:  UNIX (macOS/OS X)

Message History:   This archive entry is a follow-up to the message listed below.
May 29 2018 Git Submodule Name Validation Flaw Lets Remote Users Execute Arbitrary Code on the Target System






Copyright 2019, SecurityGlobal.net LLC