Uma exhashazwa, lawa maphutha angavumela abahlaseli ukuthi bathole ukufinyelela okungagunyaziwe kulwazi olubucayi noma ngokuvamile babangele izinkinga.
Muva nje kwamenyezelwa ukushicilelwa kwezinguqulo ezihlukahlukene zokulungisa isistimu yokulawula umthombo esabalalisiwe I-Git isuka kunguqulo 2.38.4 iye kunguqulo 2.30.8, equkethe ukulungiswa okubili okususa ubungozi obaziwayo obuthinta ukulungiselelwa kwe-clone yendawo kanye nomyalo othi "git apply".
Ngakho-ke, kushiwo ukuthi lezi zinguquko zikhishwa zizobhekana nezindaba ezimbili zokuphepha ikhonjwe ngaphansi kwe-CVE-2023-22490 kanye ne-CVE-2023-23946. Kokubili ubungozi buthinta ububanzi bezinguqulo ezikhona futhi abasebenzisi bakhuthazwa kakhulu ukuthi babuyekeze ngokufanele.
Umhlaseli angasebenzisa ukude ukuba sengozini ukuze athole ulwazi. Futhi, umhlaseli angakwazi
sebenzisa ubungozi endaweni ukuze uguqule amafayela.Amalungelo avamile ayadingeka ukuze kusetshenziswe ubungozi. Kokubili ubungozi budinga ukusebenzisana komsebenzisi.
Ubungozi bokuqala obuhlonziwe I-CVE-2023-22490, okuyinto ivumela umhlaseli olawula okuqukethwe kwekhosombe elihlanganisiwe ukuze athole ukufinyelela kudatha ebucayi kusistimu yomsebenzisi. Amaphutha amabili anomthelela ekubeni sengozini:
- Iphutha lokuqala livumela, lapho usebenza nenqolobane eyakhelwe inhloso, ukufeza ukusetshenziswa kokuthuthukiswa kwe-cloning yendawo ngisho nalapho kusetshenziswa okokuthutha okusebenzisana namasistimu angaphandle.
- Iphutha lesibili livumela ukubeka isixhumanisi esingokomfanekiso esikhundleni senkomba ye-$GIT_DIR/izinto, efana nokuba sengozini CVE-2022-39253, evimbe ukubekwa kwezixhumanisi ezingokomfanekiso kuhla lwemibhalo lwezinto ezingu-$GIT_DIR/, kodwa iqiniso lokuthi i-$GIT_DIR/izinto uhla lwemibhalo ngokwalo aluhloliwe lungase lube isixhumanisi esingokomfanekiso.
Kumodi ye-clone yendawo, i-git ihambisa i-$GIT_DIR/izinto kuhla lwemibhalo oluqondiwe ngokususa ireferensi yama-symlink, okubangela ukuthi amafayela okubhekiselwe kuwo akopishwe ngokuqondile kuhla lwemibhalo oluqondiwe. Ukushintshela ekusebenziseni ukulungiselelwa kwe-clone kwasendaweni kwezokuthutha okungezona ezasendaweni kuvumela ubungozi ukuthi busetshenziswe lapho usebenza nezinqolobane zangaphandle (isibonelo, ukufakwa okuphindaphindiwe kwamamojula angaphansi komyalo we-"git clone --recurse-submodules" kungase kuholele ekwenziweni kwekhosombe elinonya. ipakishwe njengemojuli encane kwenye indawo yokugcina).
Ngokusebenzisa inqolobane eyakhiwe ngokukhethekile, i-Git ingakhohliswa ukuthi iyisebenzise nokwenza kahle kwayo kwe-clone yendawo ngisho nalapho usebenzisa ezokuthutha okungezona ezasendaweni.
Nakuba i-Git izokhansela ama-clones endawo umthombo wawo ongu-$GIT_DIR/izinto uhla lwemibhalo luqukethe izixhumanisi ezingokomfanekiso (cf, CVE-2022-39253), izinto ze uhla lwemibhalo ngokwalo lusengaba isixhumanisi esingokomfanekiso.Lokhu kokubili kungahlanganiswa ukuze kufakwe amafayela angenangqondo asekelwe izindlela ohlelweni lwefayela lesisulu ngaphakathi kwendawo yokugcina enonya kanye ne ikhophi esebenzayo, evumela ukukhishwa kwedatha okufana ne
I-CVE-2022-39253.
Ukuba sengozini kwesibili okutholiwe kungukuthi CVE-2023-23946 futhi lokhu kuvumela ukubhala ngaphezulu okuqukethwe kwamafayela ngaphandle kohlu lwemibhalo ukusebenza ngokudlulisa okokufaka okufomethwe ngokukhethekile kumyalo othi "git apply".
Isibonelo, ukuhlasela kungenziwa lapho ama-patches alungiselelwe umhlaseli ecutshungulwa ku-git apply. Ukuze uvimbele amapeshi ekwakhiweni kwamafayela ngaphandle kwekhophi esebenzayo, i-"git apply" ivimba ukucutshungulwa kwamapeshi azama ukubhala ifayela kusetshenziswa ama-symlink. Kodwa lokhu kuvikelwa kuvele kwavinjwa ngokwakha i-symlink kwasekuqaleni.
I-Fedora 36 ne-37 inezibuyekezo zokuphepha esimweni 'sokuhlola' ebuyekeza i-'git' ibe yinguqulo 2.39.2.
Ubungozi bukhona bakhuluma ne-GitLab 15.8.2, 15.7.7, kanye ne-15.6.8 ku-Community Edition (CE) ne-Enterprise Edition (EE).
I-GitLab ihlukanisa ukukhubazeka njengokubalulekile ngoba i-CVE-2023-23946 ivumela ukukhishwa kwekhodi yohlelo engafanele endaweni ye-Gitaly (isevisi ye-Git RPC).
Ngasikhathi sinye, iPython eshumekiwe izoba Buyekeza kunguqulo 3.9.16 ukuze ulungise ubungozi obuningi.
Okokugcina Kulabo abathanda ukwazi kabanzi ngayo, ungalandela ukukhishwa kwezibuyekezo zephakheji ekusabalaliseni emakhasini we Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch y I-FreeBSD.
Uma kungenakwenzeka ukufaka isibuyekezo, kuyatuswa njengendlela yokusebenza ukuze ugweme ukusebenzisa i-“git clone” ngenketho ethi “-recurse-submodules” kumakhosombe angathenjwa, futhi ungasebenzisi imiyalo ethi “git apply” kanye nethi “git am”. ngekhodi engaqinisekisiwe.