Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
JGit itself is not affected by this vulnerability. This release implements validation of .gitmodules files in JGit to protect unguarded tools.
- BaseReceivePack: Validate incoming .gitmodules files and reject submodule urls starting with '-' that could pass as options to an unguarded tool
- ObjectChecker: Report .gitmodules files found in the pack
- SubmoduleAddCommand: Reject submodule URIs that look like command line options