If you are running a CI system that uses git to check out software for builds, and if that environment pulls submodules from local filesystem paths (for example via "git submodule add" with a local path, or a .gitmodules entry that points at one), then you might be affected by this change.
As of git v2.38.1, and the back port of the associated patch to v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, and v2.37.4, git refuses to clone repositories via the --local clone optimization if there are symbolic links present within the objects directory. The same fix changes the default of protocol.file.allow from "always" to "user", so git no longer uses the file transport when it is invoked by git itself rather than directly by the user, which is what happens when a submodule is fetched from a local path; that default change is what produces the "fatal: transport 'file' not allowed" error. The vulnerability, CVE-2022-39253, describes an attack in which a --local clone follows symbolic links in a malicious repository and thereby crosses a security boundary. Cory Snider of Mirantis is credited with identifying this issue.
https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253 https://lore.kernel.org/lkml/[email protected]/
The GitHub security advisory GHSA-3wp6-j8xr-qw85 provides a few more details, noting that a malicious actor can use this misfeature to attack "docker build" and "podman".
https://github.com/git/git/security/advisories/GHSA-3wp6-j8xr-qw85
The change in behavior was reported as bug 1993586 on Ubuntu's Launchpad, and readers there have pinpointed the Ubuntu package versions that carry this change. The bug is closed as "Invalid" because the change in behavior is intended.
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1993586
If your build is broken as a result of this change - noted by Jérôme Petazzoni to affect at least some Arch AUR packages and Debian apt packages - you will need to make changes. Here are some examples.
https://twitter.com/jpetazzo/status/1583112279012257797
Microsoft fixed their "go-infra" repository by adding the option
-c protocol.file.allow=always
to the git invocation in their test infra; a -c option applies only to that git command and the git subprocesses it spawns, such as the submodule clone.
https://github.com/microsoft/go-infra/pull/71/files
The Haskell "stack" project instead set the value globally for the CI user with
git config --global protocol.file.allow always
in their integration test system. The "spack" package manager did likewise.
https://github.com/commercialhaskell/stack/pull/5909/files https://github.com/spack/spack/pull/33429
As of this writing, this GitHub search for the error string turns up 13 open issues, so some set of people are chasing this down right now to get their build systems back online.
https://github.com/search?q=%22fatal%3A+transport+%27file%27+not+allowed%22&type=issues
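The failure and the fixes above, as an added shell example that is not part of the original post or of any of the linked projects. It builds a throwaway superproject ("app") whose submodule ("lib") is referenced by a local filesystem path, clones it fresh with submodules to trigger the file transport, and then repeats the clone with the per-command override. The repository names and the temporary workspace are made up for the demonstration; it needs only git and POSIX sh:

```shell
#!/bin/sh
# Added example (not from the original post): reproduce
# "fatal: transport 'file' not allowed" with a local-path submodule and
# show the per-command override. Names and paths are made up for the demo.
set -u

# Ignore this machine's global/system git config so the run reflects the
# binary's built-in default for protocol.file.allow, not a local override.
export GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Create a workspace with a "lib" repo and an "app" repo that references
# lib as a submodule via an absolute local path. Prints the workspace path.
make_fixture() {
    ws=$(mktemp -d) &&
    git -C "$ws" init -q lib &&
    git -C "$ws/lib" commit -q --allow-empty -m "initial" &&
    git -C "$ws" init -q app &&
    # "submodule add" with a local path itself needs the override on a
    # patched git, since it clones the submodule through the file transport.
    git -C "$ws/app" -c protocol.file.allow=always submodule add "$ws/lib" lib >/dev/null 2>&1 &&
    git -C "$ws/app" commit -q -m "add lib submodule" &&
    printf '%s\n' "$ws"
}

# clone_recursive SRC DEST [git options...]: fresh clone with submodules.
# The submodule fetch is a git-spawned git process, so it is subject to
# protocol.file.allow=user. stderr is saved in DEST.err for inspection.
clone_recursive() {
    src=$1; dest=$2; shift 2
    git "$@" clone -q --recurse-submodules "$src" "$dest" 2>"$dest.err"
}

# Prints "blocked-by-default" (git >= 2.38.1 or a backport) or
# "allowed-by-default" (unpatched git), and returns 0 only if the clone with
# -c protocol.file.allow=always succeeded and populated the submodule.
demo() {
    ws=$(make_fixture) || { echo fixture-failed; return 1; }
    if clone_recursive "$ws/app" "$ws/clone-default"; then
        status=allowed-by-default
    elif grep -q "transport 'file' not allowed" "$ws/clone-default.err"; then
        status=blocked-by-default
    else
        status=failed-for-another-reason
    fi
    rc=1
    # The override, scoped to this one command rather than --global.
    if clone_recursive "$ws/app" "$ws/clone-override" -c protocol.file.allow=always &&
       [ -e "$ws/clone-override/lib/.git" ]; then
        rc=0
    fi
    rm -rf "$ws"
    printf '%s\n' "$status"
    return $rc
}

# Quick check for a CI image: which git, and is the setting already forced?
report_setting() {
    git --version
    git config --show-origin --get protocol.file.allow || echo "protocol.file.allow is unset (built-in default applies)"
}

case "${1:-}" in
    run) report_setting; demo ;;
esac
```

Run it with "sh demo.sh run". On a patched git the first clone fails and demo prints blocked-by-default; on an unpatched git it prints allowed-by-default; in both cases the exit status is 0 only if the override clone brought in the submodule. Passing -c protocol.file.allow=always on the one command that is meant to fetch from a local path is the narrower fix. git config --global, as the stack and spack changes do, re-enables the file transport for every submodule operation that CI user runs, including clones of repositories the CI did not author, which is the exposure the default change was meant to close.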
I am working on getting GitExtensions working again with file submodules. See https://github.com/gitextensions/gitextensions/discussions/10426
Posted by: Jay Asbury | 11/23/2022 at 10:07 AM