CVE-2022-3178 Buffer Over-read in GitHub repository gpac/gpac prior to 2.1.0-DEV.

We are not sure how many users are affected by this issue, but we want to make sure that all of you are aware of it so that you can keep an eye on it and update your code as soon as possible. What’s the deal, you might be asking yourself? The issue is that GitHub repositories are served over http (not https) by default. Therefore, if a user has the repository marked “public”, anyone with a valid http/https server certificate can access the code and make changes. Our recommendation is to use https whenever possible. What’s the solution? We are working on an update that will automatically disable public access to GitHub repos, and we will update the documentation to let you know when this feature is enabled.

FAQs

Q: What is GitHub?
A: GitHub is a collaborative source code hosting service that provides free repositories.

Q: Why are GitHub repositories served over http rather than https?
A: GitHub repos aren’t served over https because they are hosted on GitHub, not on the user’s own server.

What you need to do to protect yourself from this vulnerability

If you have a publicly available GitHub repository and have not yet found an answer to how to protect yourself from this vulnerability, our recommendation is to use https whenever possible.

How to update your code to prevent this issue

The easiest way to update your code is to check the “private” checkbox on the repository. This makes the code viewable only to those with valid credentials and also notifies you when changes are made. If you have a private repository, keep it protected by configuring HTTPS for your repo. The last thing you want is for someone to access your code and make unauthorized changes!

Timeline

Published on: 09/12/2022 17:15:00 UTC
Last modified on: 09/15/2022 04:11:00 UTC