
x/vulndb: potential Go vuln in github.com/github/git-sizer: GHSA-57q7-rxqq-7vgp #424

Closed
GoVulnBot opened this issue Apr 12, 2022 · 3 comments
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot

In GitHub Security Advisory GHSA-57q7-rxqq-7vgp, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/github/git-sizer | 1.4.0 | <= 1.3.0 |

See doc/triage.md for instructions on how to triage this report.

package: github.com/github/git-sizer
versions:
  - introduced: TODO (earliest fixed "1.4.0", vuln range "<= 1.3.0")
description: |-
    ### Impact
    On Windows, if `git-sizer` is run against a non-bare repository, and that repository has an executable called `git.exe`, `git.bat`, etc., then that executable might be run by `git-sizer` rather than the system `git` executable. An attacker could try to use social engineering to get a victim to run `git-sizer` against a hostile repository and thereby get the victim to run arbitrary code.

    On Linux or other Unix-derived platforms, a similar problem could occur if the user's `PATH` has the current directory before the path to the standard `git` executable, but this would be a very unusual configuration that has been known for decades to lead to all kinds of security problems.

    ### Patches
    Users should update to git-sizer v1.4.0

    ### Workarounds
    If you are on Windows, then either
    * Don't run `git-sizer` against a repository that might contain hostile code, or, if you must…
    * Run `git-sizer` against a bare clone of the hostile repository, or, if that is not possible…
    * Make sure that the hostile repository doesn't have an executable in its top-level directory before running `git-sizer`.

    If you are on Linux or other Unix-based systems, then (for myriad reasons!) don't add the current directory to your `PATH`.

    ### References
    * [Command PATH security in Go](https://blog.golang.org/path-security)

    ### For more information
    If you have any questions or comments about this advisory:
    * Open an issue in [the `git-sizer` project](https://github.com/github/git-sizer).
    * Email us at [GitHub support](mailto:support@github.com).
published: 2022-02-15T01:57:18Z
last_modified: 2022-04-12T22:48:44Z
ghsas:
  - GHSA-57q7-rxqq-7vgp
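Worked example, added here by the editor and not code from git-sizer, the advisory, or the Go vulndb: a strict `PATH` lookup in Go that implements the mitigation the advisory and the linked "Command PATH security in Go" post describe, namely never resolving `git` (or `git.exe`, `git.bat`) from the working directory of the repository being examined. The function names `lookPathStrict` and `gitCommand` are this example's own; it checks executability with Unix mode bits and deliberately does not model Windows `PATHEXT` resolution.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// lookPathStrict searches the entries of pathList ($PATH syntax) for an
// executable called name. Unlike a naive lookup it:
//   - rejects names containing a path separator ("./git" would bypass PATH entirely),
//   - skips empty entries and ".", which both mean "current directory" on Unix, and
//   - skips any entry that is not an absolute path, so nothing can resolve inside
//     whatever repository the tool happens to be run from.
// Executability is judged by Unix mode bits; Windows PATHEXT is out of scope here.
func lookPathStrict(name, pathList string) (string, error) {
	if name == "" || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("lookPathStrict: %q must be a bare program name", name)
	}
	for _, dir := range filepath.SplitList(pathList) {
		if dir == "" || dir == "." || !filepath.IsAbs(dir) {
			continue // would resolve relative to the working directory
		}
		candidate := filepath.Join(dir, name)
		fi, err := os.Stat(candidate)
		if err != nil || !fi.Mode().IsRegular() || fi.Mode()&0o111 == 0 {
			continue // missing, not a regular file, or not executable
		}
		return candidate, nil
	}
	return "", fmt.Errorf("lookPathStrict: %q not found in any absolute PATH entry", name)
}

// gitCommand builds an *exec.Cmd for the system git using the strict lookup,
// so cmd.Path is always an absolute path chosen from PATH, never from "." .
func gitCommand(args ...string) (*exec.Cmd, error) {
	gitPath, err := lookPathStrict("git", os.Getenv("PATH"))
	if err != nil {
		return nil, err
	}
	return exec.Command(gitPath, args...), nil
}

func main() {
	cmd, err := gitCommand("--version")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("would run:", cmd.Path, cmd.Args[1:])
}
```

Since Go 1.19, `exec.LookPath` and `exec.Command` themselves return `exec.ErrDot` when a bare name would have resolved through `.` on `PATH`, which is the standard library's fix for the same class of bug; the explicit lookup above is useful when a tool must also run on older toolchains or wants to refuse relative `PATH` entries outright.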

@neild
Contributor

neild commented Jun 15, 2022

Vulnerability in tool.

@neild neild closed this as completed Jun 15, 2022
@neild neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NotGoVuln labels Aug 11, 2022
@gopherbot
Contributor

Change https://go.dev/cl/592767 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Contributor

Change https://go.dev/cl/607218 mentions this issue: data/reports: unexclude 20 reports (16)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-0407.yaml
  - data/reports/GO-2022-0410.yaml
  - data/reports/GO-2022-0413.yaml
  - data/reports/GO-2022-0416.yaml
  - data/reports/GO-2022-0418.yaml
  - data/reports/GO-2022-0424.yaml
  - data/reports/GO-2022-0426.yaml
  - data/reports/GO-2022-0429.yaml
  - data/reports/GO-2022-0440.yaml
  - data/reports/GO-2022-0442.yaml
  - data/reports/GO-2022-0447.yaml
  - data/reports/GO-2022-0448.yaml
  - data/reports/GO-2022-0449.yaml
  - data/reports/GO-2022-0450.yaml
  - data/reports/GO-2022-0451.yaml
  - data/reports/GO-2022-0452.yaml
  - data/reports/GO-2022-0453.yaml
  - data/reports/GO-2022-0454.yaml
  - data/reports/GO-2022-0455.yaml
  - data/reports/GO-2022-0456.yaml

Updates #407
Updates #410
Updates #413
Updates #416
Updates #418
Updates #424
Updates #426
Updates #429
Updates #440
Updates #442
Updates #447
Updates #448
Updates #449
Updates #450
Updates #451
Updates #452
Updates #453
Updates #454
Updates #455
Updates #456

Change-Id: I206c09343a83edd1fd9f1a37410a59391d904c6d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607218
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>