To Whom it May Concern: git Product Development Manager, We are a cybersecurity research team affiliated with NTT in Japan, and are engaged in research related to vulnerability detection, analysis, and modification.
We investigated git (https://github.com/git/git) released as OSS. A known vulnerability and known code were found, so please fix them with a patch. We
hope to prevent cyber-attacks from occurring by working together with Japan's representative, JPCERT/CC (vuls@xxxxxxxxxxxx). How to discover vulnerabilities: We inspected all function codes for OSS software code using patch information and code information (2000-2023) for known vulnerabilities. We would like to inform you of the code information for
which there is a high possibility that a public patch has not been applied with high severity. Vulnerability code information and countermeasures are listed in the attached file ‘git@@git_vulnerability_details.txt’. Please note that in the real world, a vulnerable state may not necessarily be true, as it may become a vulnerable state under certain combinations of conditions in the real world. Additional confirmation details: We are planning to submit a paper on this content between January and March, and we would like to include the source code characteristics in the paper without revealing the OSS name or file name.
Are there any concerns about this? -- Best regards, NTT Social Informatics Laboratories(
https://www.rd.ntt/e/sil/) E-mail:
reika.arakawa@xxxxxxx |
Software nameï¼?git@@git Version tagï¼?v2.43.0 How to fix: Search by CVE number, refer to the commit listed in reference on the NVD/CVE site, and fix it. NVD:https://nvd.nist.gov/vuln/detail/CVE-2009-5155 â? git@@git/compat/regex/regcomp.c [parse_reg_exp] ã?»CVE-2009-5155ï¼?CWE-19_5.0_0 ã?»git.savannah.gnu.org##gnulib_regcomp.c, [parse_reg_exp]