Vulnerabilities in Git when cloning submodules and using the git shell

Corrective releases of the distributed source control system Git, 2.38.1, 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3 and 2.37.4, have been published. They fix two vulnerabilities: one appears when using the "git clone" command in "--recurse-submodules" mode with unverified repositories, the other when using the "git shell" interactive mode. You can track the release of package updates in distributions on the pages of Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch, FreeBSD.

  • CVE-2022-39253 - The vulnerability allows an attacker who controls the contents of the cloned repository to gain access to confidential data on the user's system by placing symbolic links to files of interest in the $GIT_DIR/objects directory of the cloned repository. The problem appears only when cloning locally (in "--local" mode, which is used when the target and source data of the clone are on the same partition) or when cloning a malicious repository packaged as a submodule in another repository (for example, when recursively including submodules with the "git clone --recurse-submodules" command).

    The vulnerability is caused by the fact that in "--local" cloning mode, git transfers the contents of $GIT_DIR/objects to the target directory (creating hard links or copies of files) and dereferences symbolic links while doing so (that is, what ends up in the target directory is not the symbolic links but the files those links point to). To block the vulnerability, the new git releases prohibit cloning repositories in "--local" mode when they contain symbolic links in the $GIT_DIR/objects directory. In addition, the value of the protocol.file.allow parameter has been changed to "user", which treats clone operations using the file:// protocol as unsafe.

  • CVE-2022-39260 - Integer overflow in the split_cmdline() function used in the "git shell" command. The problem can be used to attack users who have "git shell" as their login shell and have interactive mode enabled (a $HOME/git-shell-commands file has been created). Exploitation of the vulnerability can lead to execution of arbitrary code on the system when a specially crafted command larger than 2 GB in size is sent.
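
A defensive check for the two points above, as an added example that is not from the original article or from the Git project: it decides whether a `git --version` string is at or above the fixed releases listed at the top of this page, and lists symbolic links under a repository's objects directory, the condition that patched git refuses in "--local" clones. The function names and the temporary repository layout are constructed for illustration.

```python
import os
import re
import tempfile

# Fixed releases listed on this page: 2.<minor> series -> first patched patch level.
FIXED = {30: 6, 31: 5, 32: 4, 33: 5, 34: 5, 35: 5, 36: 3, 37: 4, 38: 1}

def is_patched(version_output):
    """Return True if a `git --version` string is at or above a listed fixed release."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no version number found")
    major, minor, patch = map(int, m.groups())
    if major != 2:
        return major > 2
    if minor in FIXED:
        return patch >= FIXED[minor]
    return minor > max(FIXED)  # series below 2.30 are not among the listed fixes

def symlinks_in_objects(git_dir):
    """List symbolic links at or under <git_dir>/objects, relative to git_dir."""
    objects = os.path.join(git_dir, "objects")
    found = ["objects"] if os.path.islink(objects) else []
    for root, dirs, files in os.walk(objects):  # does not descend into linked dirs
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                found.append(os.path.relpath(path, git_dir))
    return sorted(found)

def demo():
    """Build a constructed git directory layout containing one symlink and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = os.path.join(tmp, "repo.git")
        os.makedirs(os.path.join(git_dir, "objects", "ab"))
        with open(os.path.join(git_dir, "objects", "ab", "cdef"), "wb") as f:
            f.write(b"constructed placeholder, not a real git object")
        os.symlink(os.path.join(tmp, "outside.txt"), os.path.join(git_dir, "objects", "ab", "link"))
        return symlinks_in_objects(git_dir)

if __name__ == "__main__":
    print(is_patched("git version 2.37.3"), demo())
```

A non-empty result from `symlinks_in_objects` on a repository obtained from an unverified source is a reason to inspect it before any local clone or submodule update.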

Source: opennet.ru
