Does it? The attacker needs to be able to control the contents of your .git directory, which is not copied by git clone. Git cloning a repository will not leave you vulnerable; this is why the PoC gets the reproducer with wget.

Getting a git repo without a 'git clone' is a vector for this kind of attack: git hooks can run arbitrary code, so if you copy a .git directory in full from an untrusted source, you're vulnerable. Your security model needs to be that a .git directory can execute arbitrary code. Downloading it, rather than cloning it, is not secure.

In other news, if someone is sitting in your living room, they can unlock your front door from the inside, so your locks must be defective!
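The point above (a copied .git directory may contain hooks and configuration that git will execute on the next command) suggests a pre-use check. The following audit script is an added example, not code from any participant in this thread or from the git project; it assumes the argument is the path to a .git directory taken from an untrusted archive, and it lists executable non-sample hooks plus the config keys it knows cause git to run an external command (core.hooksPath, core.fsmonitor, core.sshCommand, and shell aliases beginning with "!"). The key list is not exhaustive; treat a clean result as "nothing obvious", not as proof of safety.

```shell
#!/bin/sh
# audit_git_dir DIR
#   DIR is an untrusted .git directory (assumed: the .git itself, not the worktree).
#   Prints each finding and returns 1 if anything git would execute was found,
#   0 otherwise. Run this before running any git command inside the checkout.
audit_git_dir() {
  gitdir="$1"
  found=0

  # Hooks: git runs any executable file in .git/hooks whose name matches a hook.
  # Files ending in .sample are inert templates and are skipped.
  if [ -d "$gitdir/hooks" ]; then
    for hook in "$gitdir/hooks"/*; do
      [ -e "$hook" ] || continue
      case "$hook" in *.sample) continue ;; esac
      if [ -x "$hook" ]; then
        echo "executable hook: $hook"
        found=1
      fi
    done
  fi

  # Config: a handful of keys make git exec a command named in the file itself.
  # This list is a subset chosen for the example, not a complete inventory.
  if [ -f "$gitdir/config" ]; then
    if grep -Eiq '^[[:space:]]*(hooksPath|fsmonitor|sshCommand)[[:space:]]*=' "$gitdir/config"; then
      echo "config sets a command-running key: $gitdir/config"
      found=1
    fi
    # An alias whose value starts with "!" is passed to the shell.
    if grep -Eq '^[[:space:]]*[A-Za-z0-9-]+[[:space:]]*=[[:space:]]*!' "$gitdir/config"; then
      echo "config defines a shell alias: $gitdir/config"
      found=1
    fi
  fi

  return $found
}

# Usage: ./audit_git_dir.sh path/to/unpacked/.git
[ $# -eq 1 ] && audit_git_dir "$1"
```

If the audit flags anything, the safe move is to discard the .git directory and obtain the repository with git clone instead, since clone transfers objects and refs but never the hooks or config of the remote.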



@ori I don't know, have none of the tarballs you have downloaded ever contained a .git?

On macOS, you have metadata on downloaded files and get warned when you try to execute it. Maybe FLOSS also needs that, in desktops and shells like Emacs.

[ I wonder what does ]

Qoto Mastodon