joernchen commented on Git security vulnerabilities announced   github.blog/2023-01-17-gi... · Posted by u/ttaylorr
ffjffsfr · 3 years ago
Regarding the first vulnerability with git format, how can a malicious party exploit it? Someone needs to convince you to run git log with some unusual format specifier, right? And then they need to access some specific memory location this way, so they still need to store something malicious elsewhere. Sounds like it would be really extremely hard for anyone to exploit this.

Overall, fixing this looks like routine housekeeping and nothing major.

joernchen · 3 years ago
As stated in the advisory:

> It may also be triggered indirectly via Git’s export-subst mechanism, which applies the formatting modifiers to selected files when using git archive.

This is very practical to exploit on Git forges like GitHub or GitLab, which allow their users to download archives of tags or branches.

joernchen commented on MySQL madness and Rails   phenoelit.org/blog/archiv... · Posted by u/nperson
Gigablah · 13 years ago
Am I missing something?

SELECT * FROM user WHERE "string" = 0;

will indeed match all users, but

SELECT * FROM user WHERE token = 0;

will not. (Presuming the token is stored in a table column)

joernchen · 13 years ago
Rails will do the following:

User.find_by_reset_password_token(0)

  User Load (0.8ms)  SELECT `users`.* FROM `users` WHERE `users`.`reset_password_token` = 0 LIMIT 1

 => #<User id: 1,[...]

Hope that illustrates it.
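The coercion behind the Rails trace above, worked through as an added MySQL example (not from the thread); the table, emails and token values are constructed:

```sql
-- Added example, not from the thread. MySQL compares a string column to an
-- integer by converting the STRING to a number: a non-numeric token becomes 0,
-- so it satisfies `= 0`. Table and values below are constructed.
CREATE TABLE users (
  id INT PRIMARY KEY,
  email VARCHAR(255) NOT NULL,
  reset_password_token VARCHAR(255) NULL
);
INSERT INTO users VALUES
  (1, 'alice@example.com', 'f3a9c2d1e0b7'),  -- non-numeric: coerces to 0
  (2, 'bob@example.com',   '42abc'),         -- leading digits: coerces to 42
  (3, 'carol@example.com', NULL);            -- NULL never matches anything

-- The query Rails emits when the token parameter arrives as an integer:
SELECT id, email FROM users WHERE reset_password_token = 0 LIMIT 1;
-- returns alice (id 1) even though no token is "0"; row 2 compares as 42,
-- row 3 is NULL, and MySQL only raises a truncation warning, not an error.

-- The same comparison with a string literal is string-to-string: no match.
SELECT id, email FROM users WHERE reset_password_token = '0' LIMIT 1;
-- returns no rows

-- Mitigation lives in the application: reject a token parameter that is not a
-- string, and bind it as a string so the comparison can never coerce. A direct
-- check in SQL shows the difference the literal type makes:
SELECT 'f3a9c2d1e0b7' = 0 AS numeric_compare,    -- 1 (coerced)
       'f3a9c2d1e0b7' = '0' AS string_compare;   -- 0
```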

joernchen commented on Security Announcement for Devise (Rails authentication solution)   blog.plataformatec.com.br... · Posted by u/Argorak
tptacek · 13 years ago
This issue has nothing to do with either the "SQL injection" bug from a few weeks back (which wasn't SQL injection so much as a very limited form of code injection) or the remote code execution bug. It's (I believe) a MySQL type coercion bug.

If this is the bug I think it is (from following joernchen), it has a lot more to do with the "MySQL is terrible" post from a few days back than it does with Rails/Devise.

The recent remote code execution bug was so bad that I think it is in fact legit to worry about how many people had been running around with it months or years before disclosure.

joernchen · 13 years ago
This very much is true. I'll put some details up soon.
