These overflows may be triggered via a malicious. The parser used to read these files has multiple integer overflows, which can occur when parsing either a large number of patterns, a large number of attributes, or attributes with overly-long names. gitattributes file(s) within your repository. Gitattributes are used to define unique attributes corresponding to paths in your repository.
#GITHUB DESKTOP GITLAB CODE#
This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. It may also be triggered indirectly via Git’s export-subst mechanism, which applies the formatting modifiers to selected files when using git archive. This vulnerability can be triggered directly via git log -format. When processing one of the padding operators (for example, %(, etc.) an integer overflow can occur when a large offset is given). The first set of updates concern Git’s commit-formatting mechanism, used to display arbitrary information about commits, as in git log -format. The Windows-specific issue involves a $PATH lookup including the current working directory, which can be leveraged to run arbitrary code when cloning repositories with Git GUI. Fixes were authored by engineers from the GitLab Security Research Team, as well as GitHub Engineers, and members of the git-security mailing list.Ī complete copy of the report (along with a variety of issues that weren’t deemed to have security implications) is available here. This audit was sponsored by the Open Source Technology Improvement Fund (OSTIF). Both were also found as part of an audit of the Git codebase conducted by X41.
#GITHUB DESKTOP GITLAB UPGRADE#
Both may result in arbitrary code execution, so users should upgrade immediately. The former can be used to perform arbitrary heap writes, while the latter can be used for arbitrary reads, too. The first two vulnerabilities affect Git’s commit formatting mechanism and. Git for Windows was also patched to address an additional, Windows-specific issue known as CVE-2022-41953. Today, the Git project released new versions to address a pair of security vulnerabilities, CVE-2022-41903, and CVE-2022-23521, that affect versions 2.39 and older.
0 kommentar(er)
