Today, the Git project released new versions to address a pair of security vulnerabilities, CVE-2022-41903 and CVE-2022-23521, that affect versions 2.39 and older. Git for Windows was also patched to address an additional, Windows-specific issue known as CVE-2022-41953.

The first two vulnerabilities affect Git's commit-formatting mechanism and its .gitattributes parser. The former can be used to perform arbitrary heap writes, while the latter can be used for arbitrary reads, too. Both may result in arbitrary code execution, so users should upgrade immediately. Both were also found as part of an audit of the Git codebase conducted by X41. This audit was sponsored by the Open Source Technology Improvement Fund (OSTIF). A complete copy of the report (along with a variety of issues that weren't deemed to have security implications) is available here. Fixes were authored by engineers from the GitLab Security Research Team, as well as GitHub engineers and members of the git-security mailing list.

The Windows-specific issue involves a $PATH lookup that includes the current working directory, which can be leveraged to run arbitrary code when cloning repositories with Git GUI.

CVE-2022-41903: The first set of updates concerns Git's commit-formatting mechanism, used to display arbitrary information about commits, as in git log --format. When processing one of the padding operators (for example, %<( and its variants), an integer overflow can occur when a large offset is given. This vulnerability can be triggered directly via git log --format. It may also be triggered indirectly via Git's export-subst mechanism, which applies the formatting modifiers to selected files when using git archive. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution.

CVE-2022-23521: Gitattributes are used to define unique attributes corresponding to paths in your repository, through the .gitattributes file(s) within your repository. The parser used to read these files has multiple integer overflows, which can occur when parsing either a large number of patterns, a large number of attributes, or attributes with overly long names. These overflows may be triggered via a malicious .gitattributes file. However, Git automatically splits lines at 2KB when reading .gitattributes from a file, but not when parsing it from the index. Successfully exploiting this vulnerability therefore depends on the location of the .gitattributes file. Like the above, this integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution.

CVE-2022-41953: After cloning a repository, Git GUI automatically applies some post-processing to the resulting checkout, including running a spell-checker, if one is available. A Windows-specific vulnerability causes Git GUI to look for the spell-checker in the worktree that was just checked out, which may result in running untrusted code.

The most effective way to protect against these vulnerabilities is to upgrade to Git 2.39.1. If you can't update immediately, reduce your risk by taking the following steps:

- Avoid invoking the --format mechanism directly with the known operators, and avoid running git archive in untrusted repositories.
- If you expose git archive via git daemon, consider disabling it when working with untrusted repositories by running git config --global daemon.uploadArch false.
- Avoid using Git GUI on Windows when cloning untrusted repositories.

In order to protect users against these attacks, GitHub has taken proactive steps:

- Scanned all repositories on GitHub to confirm that no evidence exists to conclude that GitHub was used as a vector to exploit any of these vulnerabilities.
- Implemented mitigation steps to prevent GitHub from being used as an attack vector in CVE-2022-41903 and CVE-2022-23521.
- Scheduled a GitHub Desktop release for later today, January 17, that prevents the exploitation of this vulnerability.
- Scheduled updates to GitHub Codespaces and GitHub Actions to upgrade their versions of Git.
- Scheduled updates to GitHub Enterprise Server with patched versions of Git.

Credit for CVE-2022-41903 goes to Joern Schneeweisz of GitLab. Credit for CVE-2022-23521 goes to Markus Vervier and Eric Sesterhenn of X41 D-Sec, whose work was sponsored by OSTIF. Credit for finding CVE-2022-41953 goes to 俞晨东. Fixes were written by Patrick Steinhardt of GitLab, with additional help from members of the Git security mailing list.

Gitify brings two-way sync of data typically stored in the MODX database, making it versionable with git. It acts as a CLI tool, like Composer, for working with MODX. While this document may seem intimidating at first, it really is a simple copy/paste command line exercise. Things you'll need to access or be familiar with: a MODX Cloud account (optional, but easier to follow this), or a host that supports git. For the purpose of this tutorial, we're assuming you will use MODX Cloud.
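The mitigation advice above boils down to two defender-side checks: is the installed Git at or past the fixed release 2.39.1, and does a repository carry a .gitattributes file of the shape the advisory describes (lines longer than the 2KB split the file reader applies, very many attributes, overly long attribute names, or a huge number of patterns)? The following is an added example, not code from the advisory, from GitHub or from the Git project. The 2KB line limit comes from the advisory; the other three thresholds are assumptions chosen as conservative review triggers, and the version check assumes `git --version` output of the usual "git version X.Y.Z" form. Wiring the audit into a pre-receive hook is left to the reader.

```python
"""Defensive checks for the Git 2.39.1 advisory (added example).

- parse_git_version / is_patched: compare a `git --version` string against
  the fixed release 2.39.1.
- audit_gitattributes: flag .gitattributes content whose shape matches the
  overflow classes described for CVE-2022-23521.
"""
import re

FIXED_VERSION = (2, 39, 1)

# The 2KB figure is the line split the advisory says Git applies when
# reading .gitattributes from a file (but not from the index).  The other
# three limits are assumptions for this example, not values from the page.
MAX_LINE_BYTES = 2048
MAX_ATTRS_PER_LINE = 64      # assumed trigger for "a large number of attributes"
MAX_ATTR_NAME_LEN = 256      # assumed trigger for "overly long names"
MAX_PATTERNS = 10000         # assumed trigger for "a large number of patterns"


def parse_git_version(version_output):
    """Extract (major, minor, patch) from `git --version` output.

    Suffixes such as ".windows.1" are ignored; a missing patch level is 0.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version_output)
    if not m:
        raise ValueError("unrecognised git version: %r" % version_output)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_patched(version_output):
    """True when the reported Git version is 2.39.1 or newer."""
    return parse_git_version(version_output) >= FIXED_VERSION


def audit_gitattributes(data):
    """Return (line_number, message) findings for raw .gitattributes bytes.

    Line number 0 is used for whole-file findings.  Patterns are taken as the
    first whitespace-separated field; quoted patterns containing spaces are
    not handled, which is a simplification of this example.
    """
    findings = []
    patterns = 0
    for lineno, raw in enumerate(data.split(b"\n"), 1):
        if len(raw) > MAX_LINE_BYTES:
            findings.append((lineno, "line exceeds %d bytes" % MAX_LINE_BYTES))
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue                      # blank line or comment
        patterns += 1
        attrs = line.split()[1:]          # everything after the path pattern
        if len(attrs) > MAX_ATTRS_PER_LINE:
            findings.append((lineno, "%d attributes on one pattern" % len(attrs)))
        for attr in attrs:
            # Strip the unset/unspecified prefixes and any "=value" suffix.
            name = attr.lstrip(b"-!").split(b"=", 1)[0]
            if len(name) > MAX_ATTR_NAME_LEN:
                findings.append((lineno, "attribute name of %d bytes" % len(name)))
    if patterns > MAX_PATTERNS:
        findings.append((0, "%d patterns in file" % patterns))
    return findings


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["git", "--version"], capture_output=True, text=True).stdout
    print("git is %s" % ("patched" if is_patched(out) else "NOT patched (upgrade to 2.39.1)"))
    # Constructed sample: a single attribute name far beyond any sane length.
    sample = b"*.txt text\n*.c " + b"x" * 3000 + b"\n"
    for lineno, msg in audit_gitattributes(sample):
        print("line %d: %s" % (lineno, msg))
```

Because the index-based parser does not apply the 2KB split, a blob that trips the line-length finding here is exactly the kind of content an unpatched Git could mis-parse; treating such a push as needing review is a cheap control while older Git versions remain in the fleet.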