Vulnerabilities in Git when cloning submodules and when using git shell

Bug-fix releases of the distributed version control system Git, versions 2.38.1, 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3 and 2.37.4, have been published. They fix two vulnerabilities: one that shows up when "git clone" is run with "--recurse-submodules" on untrusted repositories, and one in the interactive mode of "git shell". Package updates for the distributions can be tracked on the security pages of Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch and FreeBSD.

  • CVE-2022-39253 - The vulnerability lets an attacker who controls the contents of a repository being cloned read confidential data on the user's system by placing symbolic links to files of interest inside the $GIT_DIR/objects directory of that repository. The problem only occurs when cloning locally (in "--local" mode, which git uses when the clone source and destination are on the same filesystem) or when cloning a malicious repository that is embedded as a submodule in another repository (for example, when submodules are pulled in recursively with "git clone --recurse-submodules").

    The root cause is that in "--local" cloning mode git transfers the contents of $GIT_DIR/objects to the destination directory (by creating hard links or copying files) while dereferencing symbolic links: as a result, it is not the symlink that ends up in the destination but a copy of the file it points to, which is then part of the clone the attacker can later obtain. To close the hole, the new git releases refuse to clone a repository in "--local" mode if its $GIT_DIR/objects directory contains symbolic links. In addition, the default value of the protocol.file.allow setting has been changed to "user": git now treats the file:// transport as untrusted, so it is still allowed when the user runs "git clone" directly but is rejected for implicit clones such as recursive submodule fetches unless protocol.file.allow is explicitly set to "always".
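The pre-check below is an added example and is not code from the advisory or from the Git project. It scans a repository's object store for symbolic links, which is the condition the fixed git versions reject in "--local" mode, so that an older client or a CI host that vendors repositories by path can refuse such a repository before cloning it. The two repository skeletons and the "victim-secret.txt" file it builds under a temporary directory are constructed sample data; the planted symlink pack-evil.idx stands in for the attacker's link.

```shell
#!/bin/sh
# Added example (not from the advisory or the Git project): refuse to clone a
# repository whose $GIT_DIR/objects contains symlinks. Git >= 2.38.1 performs
# this check itself for --local clones; this is a stand-alone pre-check.
set -u

# Print the object directory of a bare or non-bare repository, or fail.
objects_dir() {
    if [ -d "$1/objects" ]; then
        printf '%s\n' "$1/objects"
    elif [ -d "$1/.git/objects" ]; then
        printf '%s\n' "$1/.git/objects"
    else
        return 1
    fi
}

# Exit 0 if the object store holds no symbolic links, 1 if it holds at least
# one (offending paths go to stderr), 2 if the path is not a git repository.
check_objects_symlinks() {
    objdir=$(objects_dir "$1") || { echo "not a git repository: $1" >&2; return 2; }
    links=$(find "$objdir" -type l)
    if [ -n "$links" ]; then
        printf 'refusing %s: symlink(s) inside %s\n%s\n' "$1" "$objdir" "$links" >&2
        return 1
    fi
    return 0
}

# Constructed sample data: two bare-repository skeletons in a temp dir.
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
printf 'hunter2\n' > "$SAMPLE_ROOT/victim-secret.txt"   # stands in for a private key

CLEAN_REPO=$SAMPLE_ROOT/clean.git
mkdir -p "$CLEAN_REPO/objects/pack" "$CLEAN_REPO/refs"

EVIL_REPO=$SAMPLE_ROOT/evil.git
mkdir -p "$EVIL_REPO/objects/pack" "$EVIL_REPO/refs"
# The attacker ships a symlink inside objects/ pointing outside the repository;
# a vulnerable --local clone copies the link target into the destination.
ln -s "$SAMPLE_ROOT/victim-secret.txt" "$EVIL_REPO/objects/pack/pack-evil.idx"

check_objects_symlinks "$CLEAN_REPO" && echo "clean.git: ok to clone"
check_objects_symlinks "$EVIL_REPO"  || echo "evil.git: rejected (exit $?)"
```

On a patched client the equivalent hardening is already built in; the remaining knob worth setting explicitly on older clients is `git config --global protocol.file.allow user`, which blocks file:// submodule clones while leaving direct "git clone /path" usable.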

  • CVE-2022-39260 - Integer overflow in the split_cmdline() function used by the "git shell" command. The problem can be used to attack users whose login shell is "git shell" and who have interactive mode enabled (that is, the $HOME/git-shell-commands directory exists). Exploitation can lead to arbitrary code execution on the system when a specially crafted command larger than 2 GB is sent.
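The audit below is an added example, not code from the advisory or the Git project. It lists the accounts in a passwd-format file whose login shell is git-shell and reports whether interactive mode is enabled for each, i.e. whether $HOME/git-shell-commands exists; those are the accounts exposed to CVE-2022-39260 until git is updated. The passwd file and home directories it creates under a temporary directory are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the advisory or the Git project): find git-shell
# accounts and flag the ones with interactive mode enabled.
set -u

# Print "name:home:interactive" or "name:home:non-interactive" for every
# account in a passwd-format file whose login shell is git-shell.
# Accounts with any other shell are skipped.
audit_git_shell_accounts() {
    passwd_file=$1
    while IFS=: read -r name _pw _uid _gid _gecos home shell; do
        case $shell in
            */git-shell) ;;
            *) continue ;;
        esac
        if [ -d "$home/git-shell-commands" ]; then
            printf '%s:%s:interactive\n' "$name" "$home"
        else
            printf '%s:%s:non-interactive\n' "$name" "$home"
        fi
    done < "$passwd_file"
}

# Number of git-shell accounts with interactive mode enabled.
count_interactive() {
    audit_git_shell_accounts "$1" | grep -c ':interactive$' || true
}

# Constructed sample data: a passwd file and home directories in a temp dir.
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/home/git" "$SAMPLE_ROOT/home/deploy" "$SAMPLE_ROOT/home/alice"
mkdir -p "$SAMPLE_ROOT/home/git/git-shell-commands"   # interactive mode on
PASSWD=$SAMPLE_ROOT/passwd
cat > "$PASSWD" <<EOF
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:$SAMPLE_ROOT/home/alice:/bin/bash
git:x:998:998:git daemon:$SAMPLE_ROOT/home/git:/usr/bin/git-shell
deploy:x:999:999:deploy:$SAMPLE_ROOT/home/deploy:/usr/bin/git-shell
EOF

audit_git_shell_accounts "$PASSWD"
echo "interactive git-shell accounts: $(count_interactive "$PASSWD")"
```

On a real host run it against /etc/passwd; an account reported as "interactive" keeps that exposure until the git package is upgraded or the git-shell-commands directory is removed.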

source: budenet.ru
