I don't think Apple has patched this yet (it just came out 3 hours ago). Looks like homebrew got right on it so I installed via that with the following command.
`brew install git`
The latest version in Ventura 13.1 seems to be either 2.24.3 or 2.37.1 (not all my co-workers machines match). I'm not sure if these are defaults, different because some of us have XCode, or if some of us manually installed. In any case, brew install got me up to date.
> [Edit: According to @rlpb's comment, git 2.39.1 is already available on Ubuntu]
Note that I said Ubuntu's git package was updated, but didn't say to what version. Ubuntu like most stable distributions cherry-pick security fixes rather than bump major versions, so Ubuntu users will get a version with these vulnerabilities patched but not necessarily a bump up to 2.39.1. See https://ubuntu.com/security/notices/USN-5810-1 for details.
I'm not sure why they aren't bumping the patch number, maybe they decided against applying the other parts of the patch for least change - but at least the CVEs are mentioned in all of the Ubuntu changelogs.
I can't find anything in the Debian changelogs referring to the CVEs. Yet the Ubuntu changelog refers to it as a debian patch...
What is git doing with the system’s spell checker? This is the first time I’ve read about git using a spell checker. I know that various gui clients do spell checking, but I’m not aware of git itself doing anything related to this.
As the article states, it's a feature of git-gui, not the git CLI.
The vulnerability is Windows-only, so maybe whatever Windows users do to install git always gives them git-gui. But at least for Linux, the distro might package it separately (mine does), so you won't even have it if you didn't install it.
Regarding first vulnerability with gIt format, how can malicious party exploit it? Someone needs to convince you to run git log format with some unusual format specifier, right? And then they need to access some specific memory location this way so they still need to store something malicious elsewhere. Sounds like it would be really extremely hard for anyone to exploit this.
Overall fixing this it looks like routine house keeping and nothing major.
> It may also be triggered indirectly via Git’s export-subst mechanism, which applies the formatting modifiers to selected files when using git archive.
This very practical to exploit on Git forges like GitHub or GitLab which allow their users to download archives of tags or branches.
This sounds like Raymond Chen's "code execution leads to code execution" class of vulnerabilities: if you can trick users into running a malicious script, you have already won.
I don't think macOS comes with git; like, it might actually come with a git binary, but that binary is just a "shim" that runs an actual copy of git from an installed copy of Xcode. If you want to upgrade what is conceptually that copy of git you can thereby upgrade Xcode. (If you haven't installed Xcode then it might have come from a related package called Xcode Command Line Tools that doesn't include Xcode.app; if you run these shims and don't have Xcode installed it offers to install this package for you automatically.)
Likewise; editor tooling is better than Github's. In general, I feel like "git checkout" alone being a potentially unsafe action breaks a lot of people's mental threat models.
Both critical bugs are integer overflows. It's unclear to me why our languages still default to modulo arithmetic semantics. I feel Rust had a chance to fix this, but also dropped the ball.
> Rust had a chance to fix this, but also dropped the ball.
By default, a Rust project will panic on integer overflow in debug builds and will overflow on release builds. Two key points to note, however:
1. You can change the setting so that your project panics in release or overflows in debug mode.
2. We reserved the right to change the default at some point in the future. This will probably be widely communicated before it ever happens, and last I heard we are still waiting for the cost of performing those checks to be "reasonable" before thinking about making such a change.
Furthermore, because integer overflow is defined behavior, the integer overflow is never considered a root cause in Rust. In order for an integer overflow to express as UB in Rust, you'd have to use it in conjunction with an `unsafe` block that was failing to ensure its invariants, and that would be considered the root cause. If you're not using `unsafe`, then an integer overflow is at worst a logic bug.
Just in case people don't know, you can get the same behavior with C or C++ by invoking GCC or Clang with -ftrapv. I don't know about Rust, but for C and C++ -ftrapv will only fault on signed integer overflow, as signed integer overflow is UB in C/C++ but unsigned integer overflow is well defined (it's guaranteed to wrap around to zero on all platforms). So even if you're trapping on integer overflow, there are still plenty of weird things that can happen if you unintentionally overflow an unsigned integer.
> I heard we are still waiting for the cost of performing those checks to be "reasonable" before thinking about making such a change.
What I don't understand is, checking for integer overflow is extremely cheap in hardware, so why is there any cost for performing those checks? What am I missing?
Fascinating. Haven't had a chance to do Rust yet, but I think I would change this so that they were consistent. I do embedded, and that kind of "behaves differently in different places" is the worst kind of bug to figure out.
Our processors also require manually manipulating registers.
The whole point of higher level programming languages is to abstract away the fiddly bits of dealing with processors that we don't want to have to deal with.
error: this arithmetic operation will overflow
--> src/main.rs:2:18
|
2 | let a: u64 = u64::MAX + 1;
| ^^^^^^^^^^^^ attempt to compute `u64::MAX + 1_u64`, which would overflow
|
= note: `#[deny(arithmetic_overflow)]` on by default
Rust also allows for overflowing arithmetic (preserving the default to fail):
As a sibling notes, currently, this is for debug builds. So, if you change that playground to "Release", you'll see it wrap.
(I love this feature, and I wish they had done it in release mode too. The sibling comment has some notes on that, too.)
(But, e.g., were `git` written in Rust, presumably the end product would be a release build. Now, you can enable the check there, but that is something you have to do, today.)
(But also note, that, in all cases, it's well-defined. Vs. C, where some overflows are UB.)
Rust makes integer overflow panic in debug builds, so Rust code is effectively required to opt into overflowing operations for correctness reasons. It disables those checks on release builds for performance reasons, but as sibling comments point out, it reserves the right to change that behavior.
Unfortunately, there is a circular dependency here. Languages are reluctant to make integer overflows error conditions because there is a moderately high overhead to checking overflow conditions constantly, and processors (and compilers) are unwilling to make overflow checks cheaper because they benchmarks they care about don't do such checks.
That sounds like the similar, but opposite case of tail recursion optimization. Some languages/compilers don't do it because devs want stack traces. But allow TCO in and now the code that gets written is quite different than the code that would not do tail calls because TCO doesn't exist.
Also a surprising amount of undefined behavior gets relied on in code. I don't use Rust, but the idea that they could potentially change the future behavior on overflow seems... risky?
I'm wondering if what you are asking for is what Swift does - overflow kills your program, but you can opt into allowing it by using "Overflow Operators" (&+, &- and &*).
This crashes in Swift
var potentialOverflow = Int16.max
potentialOverflow += 1
This does not crash
var potentialOverflow = Int16.max
potentialOverflow &+= 1
As others have mentioned, the default overflow behavior in Rust can be configured to panic. To explicitly wrap around on overflow in every configuration, you can use the newtype wrapper Wrapping, or use the wrapping_add(), wrapping_mul(), etc. methods on the basic integer types. There are also variations such as saturating_op(), checked_op(), and overflowing_op() to detect the overflow and handle it appropriately.
I'm quite paranoid about integer overflows, so in my hobby projects I now have a habit of always using helper functions (which generate an error on overflow) instead of "bare" math operators, and whenever I see a bare math operator without any checks in an open source project (and from what I've seen almost no one checks for overflows) I wonder whether they thought about potential consequences or I'm being too paranoid
Because saturating math is not "more right", just "different wrong". The "right" way of checking an error condition after every integer operation is prohibitively expensive.
From the language side, what I wish for is a sort of NaN for integer operations. I would not want to check for overflow on every operation, but I would want to know after a couple of them if somewhere an overflow had occurred. On the hardware side this could be done with a sticky overflow bit, which some architectures already support.
I think the ball is on the hardware side and in my opinion Rust did the most sensible thing possible with contemporary hardware.
Integer overflow isn't a security issue unless your program's memory safety depends on the correctness of the integer operation. Safe rust doesn't (in any build mode), but C/C++ does.
> Integer overflow isn't a security issue unless your program's memory safety depends on the correctness of the integer operation.
That's simply not true and has wide-reaching horrible effects that can occur. The wrong number of tickets can be purchased from a website, charging for less than were purchased. The DNR order can be put in place instead of SAVE LIFE. There are countless security issues that can occur.
Saying that integer overflow is only an issue for memory safety is really bad and incorrect advice.
Don't see how. Given the hardware Rust is designed to program you have to compromise some or all of efficiency, memory usage and complexity to solve overflow.
Rust can guarantee some things about collections which are not possible in C, so a lot more range checks and overflow checks could be omitted. Together with actually having the saturating/overflowing/checked adds, this makes the whole thing a lot safer and easier to deal with where you need to.
I wonder if using 64-bit integers all over the place would alleviate this a bit. If your integers represent some real quantities (sizes of objects, etc), the sizes have to be unrealistically huge to trigger an overflow. If your integer is a counter, it would take years to increment it in a tight loop to achieve an overflow.
The cost of operating on 64-bit integers is about the same as operating on 32-bit integers on most modern CPUs (except maybe 32-bit cores in MCUs).
Readit News
`brew install git`
The latest version in Ventura 13.1 seems to be either 2.24.3 or 2.37.1 (not all my co-workers machines match). I'm not sure if these are defaults, different because some of us have XCode, or if some of us manually installed. In any case, brew install got me up to date.
reads new git security threat
"brew upgrade"
done!
To install the latest git on Ubuntu:
[Former post included instructions on how to install git from https://launchpad.net/~git-core/+archive/ubuntu/ppa]Note that I said Ubuntu's git package was updated, but didn't say to what version. Ubuntu like most stable distributions cherry-pick security fixes rather than bump major versions, so Ubuntu users will get a version with these vulnerabilities patched but not necessarily a bump up to 2.39.1. See https://ubuntu.com/security/notices/USN-5810-1 for details.
The updater just gave me 1:2.37.2-1ubuntu1.2 (to replace 1:2.37.2-1ubuntu1.1). It said it addresses the two CVEs in question.
So they (Ubuntu or maybe Debian) are taking the approach of patching a slightly older git version.
I can't find anything in the Debian changelogs referring to the CVEs. Yet the Ubuntu changelog refers to it as a debian patch...
Anyone know anything about Debian?
The vulnerability is Windows-only, so maybe whatever Windows users do to install git always gives them git-gui. But at least for Linux, the distro might package it separately (mine does), so you won't even have it if you didn't install it.
Overall fixing this it looks like routine house keeping and nothing major.
> It may also be triggered indirectly via Git’s export-subst mechanism, which applies the formatting modifiers to selected files when using git archive.
This very practical to exploit on Git forges like GitHub or GitLab which allow their users to download archives of tags or branches.
I have upgraded my brew install, but am unsure of what to do with the vulnerable system install.
Deleted Comment
https://github.com/jarred-sumner/git-peek
By default, a Rust project will panic on integer overflow in debug builds and will overflow on release builds. Two key points to note, however:
1. You can change the setting so that your project panics in release or overflows in debug mode.
2. We reserved the right to change the default at some point in the future. This will probably be widely communicated before it ever happens, and last I heard we are still waiting for the cost of performing those checks to be "reasonable" before thinking about making such a change.
What I don't understand is, checking for integer overflow is extremely cheap in hardware, so why is there any cost for performing those checks? What am I missing?
Because that's what processors do? (leaving aside backwards compatibility issues)
The whole point of higher level programming languages is to abstract away the fiddly bits of dealing with processors that we don't want to have to deal with.
This is one of those cases.
https://doc.rust-lang.org/std/?search=overflowing
It's generally less ergonomic, e.g.
The correct answer is what shepmaster said in a sibling comment.
Here's a link to the runtime variant: https://play.rust-lang.org/?version=stable&mode=debug&editio...
As a sibling notes, currently, this is for debug builds. So, if you change that playground to "Release", you'll see it wrap.
(I love this feature, and I wish they had done it in release mode too. The sibling comment has some notes on that, too.)
(But, e.g., were `git` written in Rust, presumably the end product would be a release build. Now, you can enable the check there, but that is something you have to do, today.)
(But also note, that, in all cases, it's well-defined. Vs. C, where some overflows are UB.)
Unfortunately, there is a circular dependency here. Languages are reluctant to make integer overflows error conditions because there is a moderately high overhead to checking overflow conditions constantly, and processors (and compilers) are unwilling to make overflow checks cheaper because they benchmarks they care about don't do such checks.
Also a surprising amount of undefined behavior gets relied on in code. I don't use Rust, but the idea that they could potentially change the future behavior on overflow seems... risky?
This crashes in Swift
This does not crash [1] https://docs.swift.org/swift-book/LanguageGuide/AdvancedOper...I think it makes a lot of sense to think about. Ultimately, it matters more in some applications than in others.
From the language side, what I wish for is a sort of NaN for integer operations. I would not want to check for overflow on every operation, but I would want to know after a couple of them if somewhere an overflow had occurred. On the hardware side this could be done with a sticky overflow bit, which some architectures already support.
I think the ball is on the hardware side and in my opinion Rust did the most sensible thing possible with contemporary hardware.
That's simply not true and has wide-reaching horrible effects that can occur. The wrong number of tickets can be purchased from a website, charging for less than were purchased. The DNR order can be put in place instead of SAVE LIFE. There are countless security issues that can occur.
Saying that integer overflow is only an issue for memory safety is really bad and incorrect advice.
`UserAccessLevel > Threshold`
Like there could be a million ways an integer becoming small could mess up something.
Also there are business logic issues as well
Deleted Comment
Don't see how. Given the hardware Rust is designed to program you have to compromise some or all of efficiency, memory usage and complexity to solve overflow.
The cost of operating on 64-bit integers is about the same as operating on 32-bit integers on most modern CPUs (except maybe 32-bit cores in MCUs).