Two vulnerabilities found in Git lead to data leakage and file overwriting


If exploited, these flaws could allow attackers to gain unauthorized access to sensitive information or, more generally, to cause further damage on the affected system.

The release of a set of corrective versions of the distributed version control system Git was recently announced, covering the maintained series from 2.30.8 up to 2.38.4 (plus 2.39.2 for the current series). They carry two fixes that close known vulnerabilities affecting the local clone optimization and the "git apply" command.

Specifically, these corrective releases address two security issues tracked as CVE-2023-22490 and CVE-2023-23946. Both vulnerabilities affect the existing versions across the different release series, and users are strongly encouraged to update accordingly.

An attacker who gets a victim to clone a crafted repository can use the first vulnerability to obtain information from the victim's system. With the second, an attacker who supplies a crafted patch to a local user can modify files on that user's system.

No special privileges are required to exploit the vulnerabilities; ordinary user rights are enough. Both vulnerabilities require user interaction (cloning a repository or applying a patch).

The first vulnerability identified is CVE-2023-22490, which allows an attacker who controls the contents of a cloned repository to obtain sensitive data from the user's system. Two flaws combine to make it exploitable:

  • The first flaw allows a specially crafted repository to make Git use its local clone optimization even when a non-local transport (one that talks to an external system) is being used.
  • The second flaw allows a symbolic link to be placed where the $GIT_DIR/objects directory should be. It is similar to CVE-2022-39253, whose fix blocked symbolic links inside the $GIT_DIR/objects directory but never checked whether the $GIT_DIR/objects directory itself could be a symbolic link.

In local clone mode, git copies $GIT_DIR/objects into the target directory while dereferencing symlinks, so the files the links point at are copied straight into the target directory. Forcing the local clone optimization onto a non-local repository makes the flaw exploitable when working with external repositories: for example, recursively fetching submodules with the "git clone --recurse-submodules" command can end up cloning a malicious repository that has been packaged as a submodule of another repository.

Using a specially crafted repository, Git can be tricked into using its local clone optimization even when a non-local transport is used.
Although Git aborts local clones whose source $GIT_DIR/objects directory contains symbolic links (cf. CVE-2022-39253), the objects directory itself may still be a symbolic link.

These two flaws can be combined to include arbitrary files from known paths on the victim's filesystem within the malicious repository's working copy, allowing data exfiltration in the same manner as CVE-2022-39253.
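The check that Git failed to make is easy to state: neither $GIT_DIR/objects nor anything inside it may be a symbolic link, and the same holds for every submodule git directory under $GIT_DIR/modules. The following added example (not code from the article or from the Git project) implements that check and exercises it against two constructed .git layouts built in a temporary directory, a clean one and a crafted one whose objects directory points at a stand-in "victim-data" path; the function names and layouts are this example's own.

```python
"""Check a git directory for the symlink layouts behind CVE-2023-22490 and CVE-2022-39253.

Added example, not code from the article or from Git. check_git_dir() reports
an objects directory that is itself a symlink (the case the CVE-2022-39253 fix
missed) and symlinks inside an objects directory (the case it already refused),
and recurses into $GIT_DIR/modules so submodule git directories are covered.
build_demo_layouts() creates constructed .git trees in a temp directory; the
"victim-data" path stands in for a known path on the victim's filesystem.
"""
import os
import tempfile


def check_git_dir(git_dir):
    """Return [(kind, path_relative_to_git_dir)] for suspicious symlinks."""
    findings = []
    objects = os.path.join(git_dir, "objects")
    if os.path.islink(objects):
        # A local clone dereferences this link and copies whatever it points at.
        findings.append(("objects-dir-is-symlink", "objects"))
    elif os.path.isdir(objects):
        # os.walk does not descend into symlinked dirs, but lists them in dirnames.
        for dirpath, dirnames, filenames in os.walk(objects):
            for name in sorted(dirnames + filenames):
                full = os.path.join(dirpath, name)
                if os.path.islink(full):
                    findings.append(("symlink-inside-objects", os.path.relpath(full, git_dir)))
    # Submodule git directories live under $GIT_DIR/modules/<name>; check them too.
    modules = os.path.join(git_dir, "modules")
    if os.path.isdir(modules) and not os.path.islink(modules):
        for name in sorted(os.listdir(modules)):
            sub = os.path.join(modules, name)
            if os.path.isdir(sub) and not os.path.islink(sub):
                findings.extend((kind, os.path.join("modules", name, rel))
                                for kind, rel in check_git_dir(sub))
    return findings


def build_demo_layouts():
    """Create a clean and a crafted .git layout (constructed, in a temp dir)."""
    root = tempfile.mkdtemp(prefix="git-symlink-check-")
    victim = os.path.join(root, "victim-data")  # stand-in for a known victim path
    os.makedirs(victim)

    clean = os.path.join(root, "clean", ".git")
    os.makedirs(os.path.join(clean, "objects", "pack"))
    os.makedirs(os.path.join(clean, "modules", "sub", "objects"))

    crafted = os.path.join(root, "crafted", ".git")
    os.makedirs(crafted)
    os.symlink(victim, os.path.join(crafted, "objects"))        # objects dir is a link
    sub_objects = os.path.join(crafted, "modules", "sub", "objects")
    os.makedirs(sub_objects)
    os.symlink(victim, os.path.join(sub_objects, "info"))       # link inside objects
    return clean, crafted


def run_demo():
    """Return (findings for the clean layout, findings for the crafted layout)."""
    clean, crafted = build_demo_layouts()
    return check_git_dir(clean), check_git_dir(crafted)


if __name__ == "__main__":
    for label, result in zip(("clean", "crafted"), run_demo()):
        print(label, result or "no findings")
```

Run it over any git directory you are about to clone locally, including bare repositories that an untrusted checkout embeds in its working tree for use as a submodule; a clean layout produces no findings, while the crafted one reports both the symlinked objects directory and the link hidden inside the submodule's objects directory.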

The second vulnerability identified is CVE-2023-23946, which allows the contents of files outside the working directory to be overwritten by feeding specially crafted input to the "git apply" command.

For example, the attack can be carried out when patches prepared by an attacker are processed with git apply. To prevent patches from creating files outside the working copy, "git apply" refuses to process patches that attempt to write a file through a symlink. This protection, however, could be bypassed by having the same patch create the symlink first and then write through it.
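The bypass is visible in the patch itself: one hunk adds a file with git mode 120000 (a symbolic link) and a later hunk adds a file whose path runs through that link. The added example below (not code from the article or from the Git project) parses a unified diff, records the symlinks a patch creates, and flags any later file written beneath one of them; the sample patch and the function names are constructed for this example.

```python
"""Scan a unified diff for the CVE-2023-23946 pattern before running "git apply".

Added example, not code from the article or from the Git project. It flags a
patch that first creates a symbolic link (git mode 120000) and later writes a
file whose path passes through that link, which is the bypass an unpatched
"git apply" failed to catch. Function names and the sample patch are
constructed for this example.
"""
import posixpath
import re

DIFF_HEADER = re.compile(r"^diff --git a/(.+?) b/(.+)$")
NEW_FILE_MODE = re.compile(r"^new file mode (\d{6})$")
SYMLINK_MODE = "120000"

# Constructed sample patch: hunk 1 creates "link" -> /tmp/target-dir, hunk 2 then
# writes link/evil.txt, which would land in /tmp/target-dir on a vulnerable git.
SAMPLE_PATCH = """\
diff --git a/link b/link
new file mode 120000
index 0000000..1234567
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+/tmp/target-dir
\\ No newline at end of file
diff --git a/link/evil.txt b/link/evil.txt
new file mode 100644
index 0000000..89abcde
--- /dev/null
+++ b/link/evil.txt
@@ -0,0 +1 @@
+owned
"""


def parse_patch_files(patch_text):
    """Return [(path, is_new_symlink, symlink_target)] in patch order.

    Only the "diff --git" headers, "new file mode" lines and, for symlinks,
    the single added line holding the link target are inspected.
    """
    files = []
    for line in patch_text.splitlines():
        header = DIFF_HEADER.match(line)
        if header:
            files.append([header.group(2), False, None])
            continue
        if not files:
            continue
        mode = NEW_FILE_MODE.match(line)
        if mode:
            files[-1][1] = mode.group(1) == SYMLINK_MODE
            continue
        # For a new symlink, the first "+" content line is the link target.
        if (files[-1][1] and files[-1][2] is None
                and line.startswith("+") and not line.startswith("+++")):
            files[-1][2] = line[1:]
    return [tuple(f) for f in files]


def find_symlink_traversals(patch_text):
    """Return (written_path, symlink_path, symlink_target) for every file the
    patch writes beneath a symlink that the same patch created earlier."""
    created_links = []
    findings = []
    for path, is_symlink, target in parse_patch_files(patch_text):
        norm = posixpath.normpath(path)
        for link_path, link_target in created_links:
            if norm.startswith(link_path + "/"):
                findings.append((path, link_path, link_target))
        if is_symlink:
            created_links.append((norm, target))
    return findings


if __name__ == "__main__":
    for written, via, target in find_symlink_traversals(SAMPLE_PATCH):
        print(f"REFUSE: {written!r} is written through symlink {via!r} -> {target!r}")
```

This covers the single-patch case; since "git am" applies a series in which the link may be created by an earlier mail, run the scan over the concatenated series. A symlink that already exists in the working tree is the case "git apply" refused even before the fix, and on an updated Git, "git apply --check" remains the authoritative test.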

Fedora 36 and 37 have security updates in 'testing' status that bring 'git' to version 2.39.2.

The vulnerabilities are also addressed in GitLab 15.8.2, 15.7.7, and 15.6.8, in both the Community Edition (CE) and the Enterprise Edition (EE).

GitLab rates the vulnerabilities as critical because CVE-2023-23946 allows arbitrary code execution in the Gitaly environment (the Git RPC service).
In the same releases, the bundled Python is updated to version 3.9.16 to fix other vulnerabilities.

Finally, for those who want to learn more, the release of fixed packages in the distributions can be followed on the pages of Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch and FreeBSD.

If it is not possible to install the update, the recommended workaround is to avoid running "git clone" with the "--recurse-submodules" option on untrusted repositories, and to avoid using the "git apply" and "git am" commands with untrusted patches.

