by Arnavion
1251 days ago
Don't understand what you mean by "incoming commits". git-gui shows you a textbox for the commit message, and error squiggles for misspelled words (presumably; I CBA to install a spell checker). The bug is that it spawns the spellcheck binary using Tcl's API, which on Windows also looks up binaries in the current directory regardless of whether the current directory is in $PATH or not.

Edit: Maybe you're referring to the existing commits in the repo that you just cloned? If so, those are irrelevant. git-gui is a GUI for composing commits. The commit message being spell-checked is the one that you would write in order to create a new commit.

> After cloning a repository, Git GUI automatically applies some post-processing to the resulting checkout, including running a spell-checker, if one is available.
> A Windows-specific vulnerability causes Git GUI to look for the spell-check in the worktree that was just checked out, which may result in running untrusted code.
I get what you're saying that just in general, there's an issue that you could put a file that matches the name for the spellchecker command in the repo and thereby have git-gui run your payload when the spellchecker should run.
But the article says this is "post-processing" to a checkout. That's what doesn't make sense to me, but the CVE itself says the same thing, that aspell is getting run immediately after a clone. What's the point of doing that?
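
A defender-side check for the lookup behaviour described in the first comment, as an added example that is not part of the thread or of git-gui's code: it models a simplified current-directory-first search next to a PATH-only search and reports a worktree file that would shadow the spell checker. The function names, the PATHEXT list and the `aspell` file name used in the demo are assumptions.

```python
import os
import tempfile

# Assumption: a typical Windows PATHEXT subset; adjust to the host's real value.
DEFAULT_PATHEXT = (".com", ".exe", ".bat", ".cmd")

def _find_in_dir(directory, name, pathext):
    """Return the first file in `directory` matching `name` case-insensitively,
    with or without a PATHEXT suffix, else None."""
    try:
        entries = {e.lower(): e for e in os.listdir(directory)}
    except OSError:
        return None  # missing or unreadable directory: nothing to find
    for cand in [name.lower()] + [name.lower() + ext for ext in pathext]:
        real = entries.get(cand)
        if real and os.path.isfile(os.path.join(directory, real)):
            return os.path.join(directory, real)
    return None

def resolve(name, path_dirs, cwd=None, pathext=DEFAULT_PATHEXT):
    """Resolve `name`. When `cwd` is given it is searched first (the lookup
    the comment describes); otherwise only `path_dirs` are searched."""
    for d in ([cwd] if cwd else []) + list(path_dirs):
        hit = _find_in_dir(d, name, pathext)
        if hit:
            return hit
    return None

def shadowed_by_worktree(name, worktree, path_dirs):
    """Return the worktree file that a cwd-first lookup would run instead of
    the PATH result, or None when both lookups agree."""
    with_cwd = resolve(name, path_dirs, cwd=worktree)
    path_only = resolve(name, path_dirs)
    return with_cwd if with_cwd != path_only else None

if __name__ == "__main__":
    # Constructed sample: a fake install dir and a worktree carrying aspell.exe.
    with tempfile.TemporaryDirectory() as root:
        bindir, tree = os.path.join(root, "bin"), os.path.join(root, "repo")
        for d in (bindir, tree):
            os.mkdir(d)
            open(os.path.join(d, "aspell.exe"), "w").close()
        print("shadowing file:", shadowed_by_worktree("aspell", tree, [bindir]))
```

Run it against a freshly cloned worktree before opening the repository in a tool that spawns helpers by bare name; any non-`None` result is a file to inspect.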