Notes on countermeasures for CVE-2017-1000117


Notes on countermeasures for the vulnerability described at
http://blog.recurity-labs.com/2017-08-10/scm-vulns

Someone had built a repository that reproduces it at
https://github.com/greymd/CVE-2017-1000117
so I read through the code.

As a learning exercise I imitated what that repository does myself:
https://github.com/bells17/CVE-2017-1000117

On my local Mac, git had been installed with brew, so I was able to install a version of git with the vulnerability fixed by following roughly the same steps as those described at
http://tokyo-engineer.com/git-cve-2017-1000117/

brew update
brew upgrade git

The change to git's code seems to be around here:

GitHub compare
https://github.com/git/git/compare/v2.14.0...v2.14.1

The relevant commit
https://github.com/git/git/commit/a4f234bf9bd3fb11fb1608a507783d9412af27a9
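To show from the defender's side what the fix guards against, here is an added example (my own code, not from the page, from git, or from the reproduction repositories) that scans a .gitmodules file for ssh URLs whose host token begins with a dash, the shape of URL that git 2.14.1 rejects because ssh would otherwise parse it as an option. The sample .gitmodules content, submodule names and hosts are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .gitmodules content; the submodule names and hosts are made up.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
    path = vendor/libfoo
    url = ssh://git@example.com:2222/org/libfoo.git
[submodule "libbar"]
    path = vendor/libbar
    url = git@example.com:org/libbar.git
[submodule "odd"]
    path = vendor/odd
    url = ssh://-not-a-host/repo.git
"""

SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]+)"\]\s*$')
KEY_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<value>.*?)\s*$')

def parse_gitmodules(text):
    """Minimal parser for .gitmodules: {submodule name: {key: value}}."""
    modules, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(('#', ';')):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = modules.setdefault(section.group('name'), {})
            continue
        kv = KEY_RE.match(line)
        if kv and current is not None:
            current[kv.group('key')] = kv.group('value')
    return modules

def ssh_host_token(url):
    """Return the '[user@]host' string git hands to ssh, or None if not an ssh URL."""
    if url.startswith('ssh://'):
        parts = urlsplit(url)
        host = parts.hostname or ''
        return f"{parts.username}@{host}" if parts.username else host
    # scp-style '[user@]host:path': a colon before any slash and no scheme.
    if '://' not in url and ':' in url.split('/', 1)[0]:
        return url.split(':', 1)[0]
    return None

def find_dash_hosts(text):
    """(submodule, url) pairs whose host token starts with '-', i.e. looks like an option."""
    return [(name, cfg['url']) for name, cfg in parse_gitmodules(text).items()
            if (ssh_host_token(cfg.get('url', '')) or '').startswith('-')]
```

Running `find_dash_hosts` over a repository's .gitmodules before `git submodule update` flags entries that an unpatched git would pass to ssh as an argument starting with a dash.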


I was curious how large the impact of the vulnerability is, so I looked into it.

For example, with npm, as of
https://github.com/npm/npm/issues/6700
submodules are not installed by default.

Gems too, according to
http://qiita.com/orange-lion/items/03a699e6764317d6083f
are not installed with submodules unless you set

submodules: true

so the likelihood of being directly affected is probably not that high??

bells17
SW Engineer, Kubernetes & IDCF Cloud. Kubernetes/Cloud Native/Golang/Cloudstack/Rancher Github: http://github.com/bells17 Blog: http://medium.com/@bells17