Opened 15 months ago

Closed 15 months ago

Last modified 15 months ago

#17651 closed enhancement (fixed)

git-2.39.2

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: elevated Milestone: 11.3
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version

Two security fixes - CVE-2023-22490 and CVE-2023-23946.

Change History (4)

comment:1 by Douglas R. Reno, 15 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 15 months ago 

Git v2.39.2 Release Notes
=========================

This release merges up the fixes that appear in v2.30.8, v2.31.7,
v2.32.6, v2.33.7, v2.34.7, v2.35.7, v2.36.5, v2.37.6 and v2.38.4
to address the security issues CVE-2023-22490 and CVE-2023-23946;
see the release notes for these versions for details.

Going back to 2.30.8: 

Git v2.30.8 Release Notes
=========================

This release addresses the security issues CVE-2023-22490 and
CVE-2023-23946.


Fixes since v2.30.7
-------------------

 * CVE-2023-22490:

   Using a specially-crafted repository, Git can be tricked into using
   its local clone optimization even when using a non-local transport.
   Though Git will abort local clones whose source $GIT_DIR/objects
   directory contains symbolic links (c.f., CVE-2022-39253), the objects
   directory itself may still be a symbolic link.

   These two may be combined to include arbitrary files based on known
   paths on the victim's filesystem within the malicious repository's
   working copy, allowing for data exfiltration in a similar manner as
   CVE-2022-39253.

 * CVE-2023-23946:

   By feeding a crafted input to "git apply", a path outside the
   working tree can be overwritten as the user who is running "git
   apply".

 * A mismatched type in `attr.c::read_attr_from_index()` which could
   cause Git to errantly reject attributes on Windows and 32-bit Linux
   has been corrected.

Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was
developed by Taylor Blau, with additional help from others on the
Git security mailing list.

Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the
fix was developed by Patrick Steinhardt.


Johannes Schindelin (1):
      attr: adjust a mismatched data type

Patrick Steinhardt (1):
      apply: fix writing behind newly created symbolic links

Taylor Blau (3):
      t5619: demonstrate clone_local() with ambiguous transport
      clone: delay picking a transport until after get_repo_path()
      dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS

comment:3 by Douglas R. Reno, 15 months ago

Resolution: fixed
Status: assignedclosed

Fixed at be5298b47f96cf3a678ce16bcd5ea95163b76f62

comment:4 by Douglas R. Reno, 15 months ago

Issued SA-11.2-095

Note: See TracTickets for help on using tickets.