git: remote code execution during clone on case-insensitive file systems (CVE-2021-21300)
On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone.
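The three preconditions above can be checked on a workstation or build host before cloning untrusted repositories. The script below is an added example, not part of the original advisory or of Git; the function names and probe-file names are assumptions, and it treats any globally configured filter.<driver>.process command as potentially delay-capable, since only long-running process filters can negotiate delayed checkout.

```sh
#!/bin/sh
# Added example: checks the three preconditions named in the advisory text.

# stdin: `git config --get-regexp` output, one "key value" pair per line.
# stdout: driver name of each filter that defines a long-running `process`
# command (Git LFS sets filter.lfs.process).
process_filters() {
    awk '$1 ~ /^filter\..+\.process$/ {
        k = $1; sub(/^filter\./, "", k); sub(/\.process$/, "", k); print k
    }'
}

# Returns 0 if DIR is on a case-insensitive file system, 1 if not, 2 on error.
fs_case_insensitive() {
    probe=$(mktemp "${1:-.}/ci-probe-XXXXXX") || return 2
    upper=$(dirname "$probe")/$(basename "$probe" | tr '[:lower:]' '[:upper:]')
    rc=1
    [ -e "$upper" ] && rc=0      # upper-cased name resolves to the same file
    rm -f "$probe"
    return $rc
}

# Returns 0 if a symbolic link can be created in DIR, 1 otherwise.
fs_supports_symlinks() {
    link="${1:-.}/sl-probe-$$"
    ln -s target "$link" 2>/dev/null || return 1
    rc=1
    [ -L "$link" ] && rc=0
    rm -f "$link"
    return $rc
}

# Prints a summary for DIR; exit status is 0 unless all three conditions hold.
report() {
    dir=${1:-.}
    filters=$(git config --global --get-regexp '^filter\..*\.process$' \
        2>/dev/null | process_filters)
    hits=0
    [ -n "$filters" ] && hits=$((hits + 1))
    fs_case_insensitive "$dir" && hits=$((hits + 1))
    fs_supports_symlinks "$dir" && hits=$((hits + 1))
    echo "$(git --version); global process filters: ${filters:-none}"
    echo "preconditions met in $dir: $hits of 3"
    [ "$hits" -lt 3 ]
}

# Run against the directory given as $1 (default: current directory).
command -v git >/dev/null 2>&1 && report "${1:-.}" || true
```

Compare the printed Git version with the affected versions listed below; the script reports it but does not judge it.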
Affected versions
- edge / v3.13: v2.30.1
- v3.12: v2.26.2
- v3.11: v2.24.3
- v3.10: v2.22.4
References
- https://github.blog/2021-03-09-git-clone-vulnerability-announced/
- https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/T/#u
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300