
Draft: Workaround for a security check introduced with Git 2.45.1

Marco Clemencic requested to merge workaround-for-latest-git-protection into master

To mitigate the vulnerability CVE-2024-32004, when cloning from a local repository, the directory has to be owned by the user doing the cloning or explicitly trusted. This change temporarily trusts the file-content-metadata repository in CVMFS before cloning it, if needed.

This is a possible way to address the new check in Git. Other options are:

  • tell everybody to call git config --global --add safe.directory /cvmfs/lhcb-condb.cern.ch/git-conddb/file-content-metadata.git (or do it automatically once in the jobs)
  • make a local copy of /cvmfs/lhcb-condb.cern.ch/git-conddb/file-content-metadata.git and clone from there
  • clone from https://gitlab.cern.ch/lhcb-conddb/file-content-metadata.git

IMHO, this is ugly and probably overkill (do we need to clone the git user global configuration?), but it does the job. I would prefer a different approach, like cloning from GitLab or telling our jobs to trust the directory we know can be trusted.

/ccp @cburr @msaur

Edited by Christopher Rob Jones
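
One way to trust a single known directory for one clone without editing or copying the user's global Git configuration, as an added example that is not code from this merge request or the project. It assumes Git 2.31 or newer (for the `GIT_CONFIG_COUNT` environment variables); the function names and the allowlist are hypothetical.

```python
import os
import subprocess

# Path taken from the merge request description; keeping it in an allowlist
# is an assumption of this example.
TRUSTED_SOURCES = frozenset({
    "/cvmfs/lhcb-condb.cern.ch/git-conddb/file-content-metadata.git",
})


def scoped_trust_env(repo_path, base_env=None):
    """Return a copy of the environment that adds one safe.directory entry.

    GIT_CONFIG_COUNT / GIT_CONFIG_KEY_<n> / GIT_CONFIG_VALUE_<n> inject
    configuration at command scope, which Git treats as protected
    configuration, so safe.directory is honoured from there.
    """
    if repo_path not in TRUSTED_SOURCES:
        # Never widen trust to a path nobody vetted (and never use '*').
        raise ValueError(f"refusing to trust unlisted path: {repo_path!r}")
    env = dict(os.environ if base_env is None else base_env)
    n = int(env.get("GIT_CONFIG_COUNT") or 0)  # keep entries the caller set
    env[f"GIT_CONFIG_KEY_{n}"] = "safe.directory"
    env[f"GIT_CONFIG_VALUE_{n}"] = repo_path
    env["GIT_CONFIG_COUNT"] = str(n + 1)
    return env


def clone_trusted(src, dest):
    """Clone src into dest; the trust lasts only for this git invocation."""
    subprocess.run(
        ["git", "clone", "--", src, dest],
        env=scoped_trust_env(src),
        check=True,
    )


if __name__ == "__main__":
    import sys
    clone_trusted(sys.argv[1], sys.argv[2])
```

The trust entry exists only in the environment of the spawned `git` process and its helpers, so nothing persists in `~/.gitconfig` after the clone finishes.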
