by ffjffsfr 1255 days ago
Regarding the first vulnerability with the git format, how can a malicious party exploit it? Someone needs to convince you to run git log with some unusual format specifier, right? And then they need to access some specific memory location this way, so they still need to store something malicious elsewhere. Sounds like it would be extremely hard for anyone to exploit this.

Overall, fixing this looks like routine housekeeping and nothing major.


As stated in the advisory:

> It may also be triggered indirectly via Git’s export-subst mechanism, which applies the formatting modifiers to selected files when using git archive.

This is very practical to exploit on Git forges like GitHub or GitLab, which allow their users to download archives of tags or branches.
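The export-subst path the advisory quote refers to, shown as an added example that is not part of the thread: the script below builds a throwaway repository in which the repo author, not the person running git, supplies the format string. A single `.gitattributes` line marks a file as export-subst, and `git archive` then expands any `$Format:...$` placeholders in that file using the same `git log --format` code. Nobody downloading the archive ever types a format specifier. The repository, the identity, the file name VERSION and the placeholders `%H` and `%an` are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates git's export-subst
# mechanism: placeholders in a file marked export-subst are expanded by
# git archive, so the repository contents alone decide which
# git log --format placeholders get interpreted.
set -eu

demo_export_subst() {
    repo=$(mktemp -d)
    (
        cd "$repo"
        git init -q .
        # Constructed identity so the commit succeeds in a clean environment.
        git config user.email "demo@example.invalid"
        git config user.name "demo"

        # This attribute line is the whole trick: it switches substitution
        # on for the file VERSION. It lives in the repo, i.e. it is
        # attacker-controlled if the repo is.
        printf 'VERSION export-subst\n' > .gitattributes

        # %H and %an are ordinary git log --format placeholders. The single
        # quotes keep the shell from touching the dollar signs; printf's %%
        # emits a literal percent sign.
        printf '$Format:%%H by %%an$\n' > VERSION

        git add .gitattributes VERSION
        git -c commit.gpgsign=false commit -q -m "constructed commit for the demo"

        # Anyone who downloads an archive of this tree (which is exactly
        # what a forge's "download zip/tar" button produces) receives
        # VERSION with the placeholders already expanded.
        git archive --format=tar HEAD | tar -xO -f - VERSION
    )
    rm -rf "$repo"
}

# Prints something like: <40-hex commit id> by demo
demo_export_subst
```

The output line is the commit id followed by "by demo": the `%H` and `%an` placeholders were run through the formatting code by `git archive`, triggered purely by repository content. That is why a bug in the format parser is reachable without convincing anyone to run an odd `git log` command.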

You could bury it in a script, or in one of the many "copy and paste this command into your terminal" blurbs that we see all over the place.
This sounds like Raymond Chen's "code execution leads to code execution" class of vulnerabilities: if you can trick users into running a malicious script, you have already won.
If you can trick a user into running any arbitrary script blindly, sure, you've already won.

The hard part is tricking a user into running a script that they can inspect, and looks even on close inspection to be non-arbitrary and quite constrained in what it might do.

There's a world of difference between being gullible enough to run `curl $DODGY_URL | bash`, and thinking "what could possibly go wrong" when being asked to check the output of `git log --format="$WEIRD_FORMAT"`. Even if you check that $WEIRD_FORMAT doesn't escape shell quoting and pull a Bobby Tables, or run a `` or $() subshell, or do anything except pass a weird looking format string, there's no way to tell that there's a genuine bug in the `git log` formatting code that allows a specially-crafted format specifier to do ACE.

Pretty narrow vector. Could identify a low-level employee in another team to run it to exfiltrate info in a highly secure env, maybe.