Vulnerabilities in Git that lead to data leakage and file overwriting

Corrective releases of the distributed source control system Git, versions 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7 and 2.30.8, have been published. They fix two vulnerabilities that affect the local cloning optimizations and the "git apply" command. The release of package updates in distributions can be tracked on the pages of Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch and FreeBSD. If the update cannot be installed, the recommended workaround is to avoid running "git clone" with the "--recurse-submodules" option on untrusted repositories, and to avoid using the "git apply" and "git am" commands on untrusted repositories.

  • The CVE-2023-22490 vulnerability allows an attacker who controls the contents of a cloned repository to gain access to sensitive data on the user's system. Two flaws contribute to the vulnerability:

    The first flaw makes it possible, when working with a specially crafted repository, to trigger the local cloning optimizations even when a transport that interacts with external systems is in use.

    The second flaw allows a symbolic link to be placed where the $GIT_DIR/objects directory should be. It is similar to vulnerability CVE-2022-39253, whose fix blocked the placement of symbolic links inside the $GIT_DIR/objects directory but did not check whether the $GIT_DIR/objects directory itself could be a symbolic link.

    In local cloning mode, git transfers $GIT_DIR/objects to the target directory while dereferencing symlinks, so the files they point to are copied directly into the target directory. Switching a non-local transport over to the local cloning optimizations allows the vulnerability to be exploited when working with external repositories (for example, recursive inclusion of submodules with the "git clone --recurse-submodules" command can lead to the cloning of a malicious repository packaged as a submodule in another repository).

  • The CVE-2023-23946 vulnerability allows the contents of files outside the working directory to be overwritten by passing specially crafted input to the "git apply" command. For example, an attack can be carried out while patches prepared by the attacker are processed by "git apply". To stop patches from creating files outside the working copy, "git apply" refuses to process patches that try to write a file through symlinks. It turned out, however, that this protection can be bypassed by creating the symbolic link first.
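The condition described for CVE-2023-22490 (and for CVE-2022-39253 before it) can be checked on a repository path before it is used as a local clone source. The following Python code is an added example, not code from Git or from the original article; the function names and the constructed sample layout are assumptions made for illustration. It reports symbolic links at or below $GIT_DIR/objects without following them.

```python
import os
import tempfile

def find_git_dir(repo):
    """Return the git directory for a work tree (repo/.git) or a bare repo (repo)."""
    dot_git = os.path.join(repo, ".git")
    if os.path.isdir(dot_git):
        return dot_git
    if os.path.lexists(os.path.join(repo, "objects")):
        return repo
    raise ValueError(f"{repo!r} does not look like a Git repository")

def audit_objects(repo):
    """List (path, target) for symlinks at or below $GIT_DIR/objects."""
    objects = os.path.join(find_git_dir(repo), "objects")
    if os.path.islink(objects):
        # The directory itself is a link: the case the earlier fix did not check.
        return [(objects, os.readlink(objects))]
    findings = []
    # os.walk does not follow symlinks by default; linked subdirectories
    # appear in dirs and are reported here instead of being entered.
    for root, dirs, files in os.walk(objects):
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                findings.append((path, os.readlink(path)))
    return sorted(findings)

def build_sample(base, link_objects):
    """Constructed sample: a bare-repository skeleton, optionally with objects as a symlink."""
    repo = os.path.join(base, "linked.git" if link_objects else "plain.git")
    os.makedirs(repo)
    if link_objects:
        target = os.path.join(base, "elsewhere")
        os.makedirs(target)
        os.symlink(target, os.path.join(repo, "objects"))
    else:
        os.makedirs(os.path.join(repo, "objects", "pack"))
    return repo

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for flag in (False, True):
            repo = build_sample(base, flag)
            print(repo, audit_objects(repo) or "no symlinks")
```

A non-empty result means the path should not be cloned locally until the links have been reviewed.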

Source: opennet.ru
