Today, the Git project released new versions to address a pair of security vulnerabilities (CVE-2023-22490 and CVE-2023-23946) that affect versions 2.39.1 and older. These affect Git's local clone optimization and git apply, respectively.

When cloning a repository, Git selects and uses a transport mechanism appropriate for the URL scheme of your clone. When cloning a local repository, however, Git instead uses a separate local clone optimization, copying files directly from the source to the destination. A specially-crafted repository can trick Git into using its local clone optimization even when a non-local transport is in use. Git will abort clones from repositories whose $GIT_DIR/objects directory contains a symbolic link; however, the top-level $GIT_DIR/objects directory may itself be a symbolic link. These two may be combined to include arbitrary files, based on known paths on a victim's filesystem, in the clone's working copy, allowing for data exfiltration in a similar manner to CVE-2022-39253.

Git allows for applying arbitrary patches to your repository's history with git apply. In order to prevent malicious patches from creating files outside of the working copy, git apply rejects patches which attempt to write a file beyond a symbolic link. However, this mechanism can be tricked when the malicious patch creates that symbolic link in the first place. This can be leveraged to write arbitrary files on a victim's filesystem when applying malicious patches from untrusted sources.

The most effective way to protect against these vulnerabilities is to upgrade to Git 2.39.2. If you can't update immediately, reduce your risk by taking the following steps:

- Avoid running git clone with --recurse-submodules against untrusted repositories. If submodules are required by your workflow, you can clone each layer of submodules iteratively, inspecting each .gitmodules file to ensure that it does not contain suspicious module URLs before continuing.
- Avoid running git apply / git am on input from untrusted sources. If you are unsure about whether or not it is safe to apply a patch, you can inspect its contents with git apply --stat. Avoid applying patches that create a symbolic link and a file beyond that link.

In order to protect users against these attacks, GitHub has taken proactive steps:

- Implemented mitigation steps to prevent GitHub.com from being used as an attack vector in CVE-2023-22490 and CVE-2023-23946.
- Scheduled a GitHub Desktop release for later today, February 14, that prevents the exploitation of this vulnerability.
- Scheduled updates to GitHub Codespaces and GitHub Actions to upgrade their versions of Git.
- Scheduled updates to GitHub Enterprise Server with patched versions of Git.

Credit for CVE-2023-22490 goes to yvvdwf, and credit for CVE-2023-23946 goes to Joern Schneeweisz of GitLab.
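The two "if you can't update immediately" checks above, inspecting a patch for a symbolic link plus a file written beyond it and inspecting a .gitmodules file for suspicious module URLs, as an added example in Python. This is not code from the GitHub post or the Git project; the function names, the allow-list of remote URL schemes, and the sample patch and .gitmodules text are assumptions constructed for the demonstration.

```python
"""Pre-flight checks for an untrusted patch and an untrusted .gitmodules file.

Added example, not code from the GitHub post or the Git project. It turns the
advisory's two manual checks into functions to run before `git apply` or
before cloning the next layer of submodules. `git apply --stat` lists paths
but not file modes, so the patch check reads the git diff headers directly.
"""
import re
from urllib.parse import urlparse

# Extended diff header naming the file, and the "new file mode" line that
# follows it; mode 120000 is a symbolic link, 100644/100755 a regular file.
DIFF_HEADER = re.compile(r"^diff --git a/(?P<a>\S+) b/(?P<b>\S+)$")
NEW_MODE = re.compile(r"^new file mode (?P<mode>[0-7]{6})$")
SYMLINK_MODE = "120000"


def patch_entries(patch_text):
    """Return [(path, new_mode_or_None)] for every file the patch touches."""
    entries = []
    for line in patch_text.splitlines():
        m = DIFF_HEADER.match(line)
        if m:
            entries.append([m.group("b"), None])
            continue
        m = NEW_MODE.match(line)
        if m and entries:
            entries[-1][1] = m.group("mode")
    return [tuple(e) for e in entries]


def find_writes_through_new_symlinks(patch_text):
    """Flag paths written *under* a symlink that the same patch creates.

    This is the pattern the advisory says not to apply. Returns
    [(symlink_path, written_path)]; an empty list means the pattern is absent.
    """
    entries = patch_entries(patch_text)
    new_links = [p for p, mode in entries if mode == SYMLINK_MODE]
    return [(link, path) for path, _ in entries for link in new_links
            if path.startswith(link.rstrip("/") + "/")]


# Module URLs that name a network transport (scp-style user@host:path too).
# Anything else, a bare or relative path or file://, is resolved locally and
# deserves a look before recursing into it. The allow-list is an assumption.
REMOTE_SCHEMES = {"https", "http", "ssh", "git"}
SCP_LIKE = re.compile(r"^[\w.-]+@[\w.-]+:")


def parse_gitmodules(text):
    """Minimal .gitmodules parser: {module_name: {key: value}}."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r'^\[submodule\s+"(?P<name>[^"]+)"\]$', line)
        if m:
            current = m.group("name")
            modules[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            modules[current][key.strip()] = value.strip()
    return modules


def suspicious_submodule_urls(text):
    """Return [(module_name, url, reason)] for URLs that are not plain remote URLs."""
    out = []
    for name, cfg in parse_gitmodules(text).items():
        url = cfg.get("url", "")
        if SCP_LIKE.match(url):
            continue
        scheme = urlparse(url).scheme
        if not url:
            out.append((name, url, "missing url"))
        elif scheme == "":
            out.append((name, url, "local or relative path (no URL scheme)"))
        elif scheme == "file":
            out.append((name, url, "file:// transport"))
        elif scheme not in REMOTE_SCHEMES:
            out.append((name, url, "unexpected scheme %r" % scheme))
    return out


# Constructed sample inputs, not real repositories: a patch that creates the
# symlink `linkdir` and then a file beneath it, and a .gitmodules with one
# https URL and one path-based URL.
SAMPLE_PATCH = """\
diff --git a/linkdir b/linkdir
new file mode 120000
@@ -0,0 +1 @@
+/some/path/outside/the/repo
diff --git a/linkdir/note.txt b/linkdir/note.txt
new file mode 100644
@@ -0,0 +1 @@
+hello
"""

SAMPLE_GITMODULES = """\
[submodule "vendor/lib"]
\turl = https://example.com/lib.git
[submodule "tools"]
\turl = ./dep
"""

if __name__ == "__main__":
    for link, path in find_writes_through_new_symlinks(SAMPLE_PATCH):
        print("REJECT patch: writes %s through new symlink %s" % (path, link))
    for name, url, reason in suspicious_submodule_urls(SAMPLE_GITMODULES):
        print("INSPECT submodule %r: url=%r (%s)" % (name, url, reason))
```

Run the patch check on the patch file before git apply or git am, and the .gitmodules check at each layer of a manual, non-recursive submodule clone. Both are review aids rather than verdicts: a relative module URL such as ../sibling.git is a legitimate convention, so a hit means "look at this before cloning it", not "this is malicious". Upgrading to Git 2.39.2 remains the real fix.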