Movatterモバイル変換

ホーム

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open Source
- Open Source
  Everything open source on GitHub.
  - Git
    The latest Git updates.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
  - Gaming
    Explore open source games on GitHub.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Git security vulnerabilities announced

Git users are encouraged to upgrade to the latest version, especially if they use `git apply` or `git clone` against untrusted patches or repositories.

Taylor Blau·@ttaylorr

February 14, 2023

|3 minutes

Today, the Git projectreleased new versions to address a pair of security vulnerabilities, (CVE-2023-22490 andCVE-2023-23946) that affect versions 2.39.1 and older. These affect Git’s local clone optimization, as well asgit apply, respectively.

CVE-2023-22490

When cloning a repository, Git selects and uses atransport mechanism appropriate for the URL scheme of your clone. When cloning a local repository, however, Git instead uses a separatelocal clone optimization copying files directly from the source to destination.

A specially-crafted repository can trick Git into using its local clone optimization when using a non-local transport. Git will abort clones from repositories whose$GIT_DIR/objects directory contains a symbolic link. However, the top-level$GIT_DIR/objects directory may itself be a symbolic link.

These two may be combined to include arbitrary files based on known paths from a victim’s filesystem into the clone’s working copy, allowing for data exfiltration in a similar manner asCVE-2022-39253.

[source]

CVE-2023-23946

Git allows for applying arbitrary patches to your repository’s history withgit apply. In order to prevent malicious patches from creating files outside of the working copy,git apply rejects patches which attempt to write a file beyond a symbolic link.

However, this mechanism can be tricked when the malicious patch creates that symbolic link in the first place. This can be leveraged to write arbitrary files on a victim’s filesystem when applying malicious patches from untrusted sources.

[source]

Upgrade to the latest Git version

The most effective way to protect against these vulnerabilities is to upgrade to Git 2.39.2. If you can’t update immediately, reduce your risk by taking the following steps:

Avoid runninggit clone with--recurse-submodules against untrusted repositories.
Avoid runninggit apply /git am on input from untrusted sources.

If submodules are required by your workflow, you can clone each layer of submodules iteratively after inspecting each.gitmodules file to ensure that it does not contain suspicious module URLs.

If you are unsure about whether or not it is safe to apply a patch, you can inspect its contents withgit apply --stat. Avoid applying patches that create a symbolic link and a file beyond that link.

In order to protect users against these attacks, GitHub has taken proactive steps. Specifically, we:

Implemented mitigation steps to prevent GitHub.com from being used as an attack vector inCVE-2023-22490 andCVE-2023-23946.
Scheduled a GitHub Desktop release for later today, February 14, that prevents the exploitation of this vulnerability.
Scheduled updates to GitHub Codespaces and GitHub Actions to upgrade their versions of Git.
Scheduled updates to GitHub Enterprise Server with patched versions of Git.

Credit forCVE-2023-22490 goes to yvvdwf, and credit forCVE-2023-23946 goes to Joern Schneeweisz of GitLab. Fixes were contributed by Taylor Blau of GitHub and Patrick Steinhardt of GitLab, respectively, with additional feedback and review from members of the git-security list.

Download Git 2.39.2

Written by

Taylor Blau

@ttaylorr

Taylor Blau is a Staff Software Engineer at GitHub where he works on Git.

More onGit

Highlights from Git 2.50

The open source Git project just released Git 2.50. Here is GitHub’s look at some of the most interesting features and changes introduced since last time.

Taylor Blau