The code shack gave a hat-tip to 俞晨东 for finding the bug and Johannes Schindelin for working on a fix.

Those who cannot update right away can create the .git folder themselves and remove read/write access from it as a workaround, or "define or extend 'GIT_CEILING_DIRECTORIES' to cover the parent directory of the user profile," according to NIST. To deal with the issue properly, the Git team recommends an update.

Affected systems need to be multi-user machines, and most likely ones running Windows, because of how that OS lays out its file system: an ordinary user can create a folder at the root of the drive, above every other user's profile, and Git's search for a repository walks upward from the current folder until it finds one. Ultimately it is an arbitrary code execution issue, if one that requires the attacker to already have write access to the disk. Not nice, but also very specific in terms of affected systems.

The Git team was a little blunter about the vulnerability, warning that "Merely having a Git-aware prompt that runs 'git status' (or 'git diff') and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user."

While CVE-2022-24765 was serious enough to prompt updates for all supported versions in maintenance mode, the issue is likely to affect only Microsoft Windows, thanks to that platform's file-system hierarchy and default folder permissions.
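To make the mechanism and the workaround concrete, here is an added example (not code from the article, from NIST or from the Git project): a stripped-down POSIX shell re-implementation of Git's upward search for a repository, run against a constructed temp-directory layout that stands in for C:\.git and C:\Users\alice\Documents\notes. The planted config contents, the user name "alice" and the helper names are hypothetical; the behaviour of GIT_CEILING_DIRECTORIES it mirrors (the walk stops before stepping up into a ceiling directory, and a ceiling only counts when the starting folder is strictly below it) is how git itself treats the variable.

```shell
#!/bin/sh
# Added example, not code from the article, NIST or the Git project.
# A minimal re-implementation of Git's upward search for a repository, enough
# to show why "git status" in a folder that is *not* a worktree can land on a
# .git directory planted by another user at the top of the drive, and how
# GIT_CEILING_DIRECTORIES stops the walk before it gets there.

# discover_git_dir START [CEILINGS]
# Walks from START toward the root and prints the first "<dir>/.git" it finds.
# CEILINGS is a colon-separated list of absolute directories, the same format
# as GIT_CEILING_DIRECTORIES: the walk refuses to step up *into* a ceiling, so
# the ceiling itself and everything above it are never consulted.  As in git,
# a ceiling only matters when START is strictly below it.  Returns 1 if no
# repository is found.
discover_git_dir() {
    dir=$1
    ceilings=${2:-}
    while :; do
        # a .git entry may be a directory or a "gitfile", hence -e
        if [ -e "$dir/.git" ]; then
            printf '%s\n' "$dir/.git"
            return 0
        fi
        parent=$(dirname "$dir")
        # dirname of the root is the root itself: nothing left to search
        [ "$parent" = "$dir" ] && return 1
        oldifs=$IFS
        IFS=:
        for c in $ceilings; do
            if [ -n "$c" ] && [ "$parent" = "$c" ]; then
                IFS=$oldifs
                return 1   # hit a ceiling: stop without looking further up
            fi
        done
        IFS=$oldifs
        dir=$parent
    done
}

# build_victim_layout ROOT
# Constructs a layout standing in for a multi-user Windows box:
#   ROOT/.git                          planted at the "drive root" by another user
#   ROOT/Users/alice/Documents/notes   alice's ordinary, non-repository folder
# The planted config is a hypothetical example of "commands defined by that
# other user": core.fsmonitor names a command git would run on every status.
build_victim_layout() {
    mkdir -p "$1/.git" "$1/Users/alice/Documents/notes"
    printf '[core]\n\tfsmonitor = "echo this-runs-as-alice"\n' > "$1/.git/config"
}

# walk_is_contained START CEILINGS
# Returns 0 when the search from START never reaches a planted repository,
# i.e. the ceiling does its job; returns 1 when a .git was still found.
walk_is_contained() {
    if discover_git_dir "$1" "$2" >/dev/null; then
        return 1
    fi
    return 0
}

# Demo: show the unprotected walk and the two kinds of ceiling side by side.
main() {
    root=$(mktemp -d)
    build_victim_layout "$root"
    notes="$root/Users/alice/Documents/notes"

    echo "cd $notes"
    echo "no ceiling            -> found $(discover_git_dir "$notes")"
    if walk_is_contained "$notes" "$root/Users"; then
        echo "ceiling $root/Users -> search stopped below the planted .git"
    fi
    # a ceiling that does not sit above alice's profile changes nothing
    if ! walk_is_contained "$notes" "$root/Other"; then
        echo "ceiling $root/Other -> still reached $root/.git; cover the profile's parent"
    fi
    rm -rf "$root"
}

main
```

Real git honours the same variable, so on an affected machine the equivalent check is to set GIT_CEILING_DIRECTORIES to C:\Users and run `git rev-parse --show-toplevel` from a folder that is not supposed to be a repository: it should now report that it is not in a git repository instead of silently adopting the drive-root .git. The walker above deliberately ignores gitfile validation, symlinks and GIT_DISCOVERY_ACROSS_FILESYSTEM, which the real discovery code also handles.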