undefined | Better HN

0 pointszerocrates3y ago0 comments

My reason for asking that is that this is the vuln description from the article:

> After cloning a repository, Git GUI automatically applies some post-processing to the resulting checkout, including running a spell-checker, if one is available.

> A Windows-specific vulnerability causes Git GUI to look for the spell-check in the worktree that was just checked out, which may result in running untrusted code.

I get what you're saying that just in general, there's an issue that you could put a file that matches the name for the spellchecker command in the repo and thereby have git-gui run your payload when the spellchecker should run.

But the article says this is "post-processing" to a checkout. That's what doesn't make sense to me, but the CVE itself says the same thing, that aspell is getting run immediately after a clone. What's the point of doing that?

0 comments

1 comments · 1 top-level

Arnavion3y ago

It's phrased badly. I can see that it sounds like it's post-processing the new clone by running spellcheck on all the commits of the cloned branch, but it definitely doesn't do that. I checked the code just to be sure and there's nothing like that in the clone code. (Unless I'm missing something, but as you said I can't fathom why it would need to do that.)

What happens is that, when you use it clone a repo it immediately shows the window for authoring a new commit message, which as I said will invoke the spell-check. That's why you are vulnerable from the moment you use git-gui to clone.

j / k navigate · click thread line to collapse