I don't think Apple has patched this yet (it just came out 3 hours ago). Looks like Homebrew got right on it, so I installed via that with the following command.<p>`brew install git`<p>The latest version in Ventura 13.1 seems to be either 2.24.3 or 2.37.1 (not all my co-workers' machines match). I'm not sure if these are defaults, different because some of us have Xcode, or if some of us manually installed. In any case, brew install got me up to date.
[Edit: According to @rlpb's comment, git 2.39.1 is already available on Ubuntu]<p>To install the latest git on Ubuntu:<p><pre><code> sudo apt upgrade git
</code></pre>
[Former post included instructions on how to install git from <a href="https://launchpad.net/~git-core/+archive/ubuntu/ppa" rel="nofollow">https://launchpad.net/~git-core/+archive/ubuntu/ppa</a>]
What is git doing with the system’s spell checker? This is the first time I’ve read about git using a spell checker. I know that various GUI clients do spell checking, but I’m not aware of git itself doing anything related to this.
Regarding the first vulnerability with git format, how can a malicious party exploit it? Someone needs to convince you to run git log format with some unusual format specifier, right? And then they need to access some specific memory location this way, so they still need to store something malicious elsewhere. Sounds like it would be really extremely hard for anyone to exploit this.<p>Overall, fixing this looks like routine housekeeping and nothing major.
What is the recommended upgrade path for macOS' system install of git?<p>I have upgraded my brew install, but am unsure of what to do with the vulnerable system install.
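For the situation raised above, where a system git and a Homebrew git coexist, this added example (not part of any comment in this thread) lists every `git` executable on `PATH` and compares its version with 2.39.1, the patched release named in the thread. The function names are hypothetical, and treating everything below 2.39.1 as unpatched is an assumption: a vendor build with an older version number may carry backported fixes.

```shell
#!/bin/sh
# Added example: find every git on PATH and flag versions below the
# patched release mentioned in this thread (2.39.1).
PATCHED="2.39.1"

# Pull "X.Y.Z" out of `git --version` output, ignoring vendor suffixes,
# e.g. "git version 2.37.1 (Apple Git-000)" (constructed sample) -> 2.37.1
parse_git_version() {
    printf '%s\n' "$1" |
        sed -n 's/^git version \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# version_lt A B: succeed when A is numerically lower than B, comparing
# dot-separated components; a missing component counts as 0.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Walk PATH in lookup order, so the first line printed is the git
# the shell actually runs.
scan_path_for_git() {
    old_ifs=$IFS; IFS=:
    for dir in $PATH; do
        IFS=$old_ifs
        bin="${dir:-.}/git"
        [ -x "$bin" ] && [ ! -d "$bin" ] || continue
        ver=$(parse_git_version "$("$bin" --version 2>/dev/null)")
        if [ -z "$ver" ]; then status="UNKNOWN"
        elif version_lt "$ver" "$PATCHED"; then status="BELOW $PATCHED"
        else status="ok"
        fi
        printf '%-40s %-10s %s\n' "$bin" "${ver:-?}" "$status"
    done
    IFS=$old_ifs
}

scan_path_for_git
```

Tools that call git by absolute path bypass `PATH` order, so a flagged system binary still matters even when the Homebrew one is listed first.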
Both critical bugs are integer overflows. It's unclear to me why our languages still default to modulo arithmetic semantics. I feel Rust had a chance to fix this, but also dropped the ball.
Original source: <a href="https://lore.kernel.org/git/xmqq7cxl9h0i.fsf@gitster.g/T/#u" rel="nofollow">https://lore.kernel.org/git/xmqq7cxl9h0i.fsf@gitster.g/T/#u</a>
I guess GitHub and similar providers could scan incoming commits for these in order to shield users who do not upgrade. We all know there will still be millions of those for years to come.
For those of us who use Homebrew, the patched Git 2.39.1 should be available after this PR is merged:<p><a href="https://github.com/Homebrew/homebrew-core/pull/120818">https://github.com/Homebrew/homebrew-core/pull/120818</a>