Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU3cTctcnhxcS03dmdw
On Windows, `git-sizer` might run a `git` executable within the repository being analyzed
Impact
On Windows, if git-sizer
is run against a non-bare repository, and that repository has an executable called git.exe
, git.bat
, etc., then that executable might be run by git-sizer
rather than the system git
executable. An attacker could try to use social engineering to get a victim to run git-sizer
against a hostile repository and thereby get the victim to run arbitrary code.
On Linux or other Unix-derived platforms, a similar problem could occur if the user's PATH
has the current directory before the path to the standard git
executable, but this is would be a very unusual configuration that has been known for decades to lead to all kinds of security problems.
Patches
Users should update to git-sizer v1.4.0
Workarounds
If you are on Windows, then either
- Don't run
git-sizer
against a repository that might contain hostile code, or, if you must… - Run
git-sizer
against a bare clone of the hostile repository, or, if that is not possible… - Make sure that the hostile repository doesn't have an executable in its top-level directory before running
git-sizer
.
If you are on Linux or other Unix-based system, then (for myriad reasons!) don't add the current directory to your PATH
.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in the
git-sizer
project. - Email us at GitHub support.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU3cTctcnhxcS03dmdw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-57q7-rxqq-7vgp
References:
- https://github.com/github/git-sizer/security/advisories/GHSA-57q7-rxqq-7vgp
- https://github.com/github/git-sizer/commit/38400d6ddd79325e956b00ff584cfcc8dd96d536
- https://github.com/advisories/GHSA-57q7-rxqq-7vgp
Blast Radius: 0.0
Affected Packages
go:github.com/github/git-sizer
Dependent packages: 2Dependent repositories: 3
Downloads:
Affected Version Ranges: <= 1.3.0
Fixed in: 1.4.0
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0
All unaffected versions: 1.4.0, 1.5.0