This is a TLDR of the git bug.
There was a bug in git that affected the clone command.
What’s the bug?
A malformed git clone ssh://.. command would allow a user to insert an executable within the URL, and git would execute it.
Am I affected?
The easiest way to check is to run this simple command:

    git clone ssh://-oProxyCommand=notepad.exe/ temp

Notepad opens? You’re vulnerable.
What you want is this:

    C:\git_ws> git clone ssh://-oProxyCommand=notepad.exe/ temp
    Cloning into 'temp'...
    fatal: strange hostname '-oProxyCommand=notepad.exe' blocked

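The same kind of check that produces the "strange hostname" message can be run over URLs you already have on disk. This is an added example, not code from the original post or from git itself; the function names, the sample config text and the choice to also check the host after a user@ prefix are assumptions made for illustration.

```python
import re

# URL schemes that git passes to an ssh client.
SSH_SCHEMES = {"ssh", "git+ssh", "ssh+git"}
URL_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://([^/]*)")
CONFIG_URL_RE = re.compile(r"^\s*(?:push)?url\s*=\s*(\S+)", re.IGNORECASE)


def ssh_host(url):
    """Return the host of an ssh-style URL, or None if it is not one."""
    m = URL_RE.match(url.strip())
    if not m or m.group(1).lower() not in SSH_SCHEMES:
        return None
    host = m.group(2).rsplit("@", 1)[-1]      # drop optional user@
    if host.startswith("["):                   # bracketed IPv6 literal
        return host[1:].split("]", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host  # drop :port


def is_strange_host(url):
    """True when the host would be read by ssh as a command-line option."""
    host = ssh_host(url)
    return host is not None and host.startswith("-")


def scan_config(text):
    """Return (line_number, url) for every suspicious url in config text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CONFIG_URL_RE.match(line)
        if m and is_strange_host(m.group(1)):
            hits.append((lineno, m.group(1)))
    return hits


# Constructed sample input: not taken from a real repository.
SAMPLE_CONFIG = """\
[remote "origin"]
    url = ssh://git@example.com/team/repo.git
[remote "mirror"]
    url = ssh://-oProxyCommand=notepad.exe/
[remote "web"]
    url = https://-dash.example.com/repo.git
"""

if __name__ == "__main__":
    for lineno, url in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: strange hostname in {url!r}")
```

Only ssh-style URLs are flagged, so the https entry in the sample is ignored even though its host starts with a dash.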
Visual Studio 2017
If you are running Visual Studio 2017, make sure you have version 15.3.26730.8 or higher.
I’m vulnerable. Now what?
- Update Visual Studio through Tools > Extensions and updates...
- Update git
Stay safe, my friends.