Two vulnerabilities identified in Git that lead to data leakage and file overwriting

Risk

If exploited, these flaws could allow attackers to gain unauthorized access to sensitive information or, more generally, to cause problems.

The publication of several corrective releases of the distributed source control system Git, from version 2.38.4 to version 2.30.8, was recently announced. They contain two fixes that remove known vulnerabilities affecting the local clone optimization and the "git apply" command.

As such, it is noted that these maintenance releases address two security issues identified as CVE-2023-22490 and CVE-2023-23946. Both vulnerabilities affect the existing range of versions, and users are strongly encouraged to update accordingly.

An attacker could exploit the vulnerability to view information. In addition, a local attacker could exploit the vulnerability to manipulate files.

Ordinary privileges are sufficient to exploit the vulnerabilities. Both vulnerabilities require user interaction.

The first identified vulnerability is CVE-2023-22490, which allows an attacker who controls the contents of a cloned repository to gain access to sensitive information on the user's system. Two flaws contribute to the vulnerability:

  • The first flaw allows, when working with a specially crafted repository, the local clone optimization to be used even though a transport that interacts with external systems is in use.
  • The second flaw allows a symbolic link to be placed in the position of the $GIT_DIR/objects directory. It is similar to vulnerability CVE-2022-39253, whose fix blocked placing symbolic links inside the $GIT_DIR/objects directory but did not check whether the $GIT_DIR/objects directory itself was a symbolic link.

In local clone mode, git moves $GIT_DIR/objects into the target directory while dereferencing symlinks, so the files the links point to are copied directly into the target directory. Forcing the local clone optimization onto a non-local transport makes the vulnerability exploitable when working with external repositories (for example, recursively including submodules with the "git clone --recurse-submodules" command can lead to the cloning of a malicious repository packaged as a submodule inside another repository).

Using a specially crafted repository, Git can be tricked into using its local clone optimization even when a non-local transport is in use.
Although Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (cf. CVE-2022-39253), the objects directory itself may still be a symbolic link.

These two flaws can be combined to include arbitrary files, based on paths on the victim's filesystem, within the malicious repository and its working copy, allowing data exfiltration similar to CVE-2022-39253.
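As an added example (not code from the article or from the Git project), the following check inspects a repository's git directory, and the submodule git directories stored under its modules/ subdirectory, for the condition described above: an objects directory that is itself a symbolic link, or that contains symbolic links. The sample layout it builds in a temporary directory is constructed for the demonstration.

```python
import os
import tempfile
from typing import List


def find_symlinked_objects(git_dir: str) -> List[str]:
    """Report symlinks at or below <git_dir>/objects, then recurse into every
    submodule git directory found under <git_dir>/modules."""
    findings: List[str] = []
    objects = os.path.join(git_dir, "objects")
    if os.path.islink(objects):
        findings.append(f"{objects} is a symlink -> {os.readlink(objects)}")
    elif os.path.isdir(objects):
        # os.walk does not follow symlinks, so a link to a directory shows up in
        # dirs (or in files if its target is missing) but is never descended into.
        for root, dirs, files in os.walk(objects):
            for name in dirs + files:
                path = os.path.join(root, name)
                if os.path.islink(path):
                    findings.append(f"{path} is a symlink -> {os.readlink(path)}")
    modules = os.path.join(git_dir, "modules")
    if os.path.isdir(modules):
        for root, dirs, files in os.walk(modules):
            # A directory holding HEAD plus an objects entry is a submodule git dir.
            if "HEAD" in files and os.path.lexists(os.path.join(root, "objects")):
                findings.extend(find_symlinked_objects(root))
                dirs[:] = []  # do not walk inside the submodule git dir again
    return findings


def build_sample_repo() -> str:
    """Constructed layout, not a real clone: the top-level objects directory is a
    symlink, and a submodule's objects directory contains a symlinked entry."""
    base = tempfile.mkdtemp()
    elsewhere = os.path.join(base, "elsewhere")
    git_dir = os.path.join(base, ".git")
    os.makedirs(elsewhere)
    os.makedirs(git_dir)
    os.symlink(elsewhere, os.path.join(git_dir, "objects"))
    sub = os.path.join(git_dir, "modules", "sub")
    os.makedirs(os.path.join(sub, "objects", "pack"))
    open(os.path.join(sub, "HEAD"), "w").close()
    os.symlink(elsewhere, os.path.join(sub, "objects", "aa"))
    return git_dir


if __name__ == "__main__":
    for finding in find_symlinked_objects(build_sample_repo()):
        print(finding)
```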

The second vulnerability is identified as CVE-2023-23946, and it allows the contents of files outside the working directory to be overwritten by passing specially formatted input to the "git apply" command.

For example, an attack can be carried out when patches prepared by an attacker are processed by git. To prevent patches from creating files outside the working copy, "git apply" blocks the processing of patches that attempt to write to a file through a symlink. This protection, however, turned out to be bypassable by creating the symlink first.
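As an added example (not code from the article or from Git itself), the following screen can be run over an untrusted patch before it reaches "git apply": it records every path the patch turns into a symlink (mode 120000) and flags any later file header that writes beneath such a path, as well as link targets that point outside the working tree. The sample patch is constructed for the demonstration; the check only understands "diff --git" headers with plain paths.

```python
import re
from typing import Dict, List

# Constructed sample: the first file header creates a symlink that points outside
# the working tree, the second then writes a regular file through that symlink.
SAMPLE_PATCH = """\
diff --git a/link b/link
new file mode 120000
index 0000000..c9d0a02
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+../outside
\\ No newline at end of file
diff --git a/link/victim.txt b/link/victim.txt
new file mode 100644
index 0000000..5e1c309
--- /dev/null
+++ b/link/victim.txt
@@ -0,0 +1 @@
+overwritten
"""

HEADER_RE = re.compile(r"^diff --git a/(\S+) b/(\S+)$")


def screen_patch(text: str) -> List[str]:
    """Return findings for a patch; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    symlinks: Dict[str, str] = {}  # path -> link target, for symlinks this patch creates
    current = None                 # b/ path of the file header being parsed
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(2)
            # Writing under a path an earlier header turned into a symlink would land
            # wherever that link points, which may be outside the working copy.
            for link in symlinks:
                if current.startswith(link + "/"):
                    findings.append(f"{current} is written through symlink {link}")
            continue
        if current is None:
            continue
        if line.startswith("new file mode 120000") or line.startswith("new mode 120000"):
            symlinks[current] = ""
        elif current in symlinks and line.startswith("+") and not line.startswith("+++"):
            target = line[1:]  # the single content line of a symlink is its target
            symlinks[current] = target
            if target.startswith("/") or target == ".." or target.startswith("../"):
                findings.append(f"symlink {current} escapes the working tree -> {target}")
    return findings


if __name__ == "__main__":
    for finding in screen_patch(SAMPLE_PATCH):
        print(finding)
```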

Fedora 36 and 37 have security updates in "testing" status that update "git" to version 2.39.2.

The vulnerabilities are also addressed in GitLab 15.8.2, 15.7.7 and 15.6.8 for both Community Edition (CE) and Enterprise Edition (EE).

GitLab classifies the vulnerability as critical because CVE-2023-23946 allows arbitrary program code to be executed in the environment of Gitaly (the Git RPC service).
At the same time, the bundled Python will be updated to version 3.9.16 to fix further vulnerabilities.

Finally, for those interested in learning more, you can follow the release of package updates in the distributions on the pages for Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch and FreeBSD.

If it is not possible to install the update, the recommended workaround is to avoid running "git clone" with the "--recurse-submodules" option on untrusted repositories, and not to use the "git apply" and "git am" commands on unverified code.
