Vulnerabilities in Git that allow overwriting files or executing arbitrary code

Corrective releases of Git 2.40.1, 2.39.3, 2.38.5, 2.37.7, 2.36.6, 2.35.8, 2.34.8, 2.33.8, 2.32.7, 2.31.8 and 2.30.9 have been published, fixing five vulnerabilities. Package updates for distributions can be tracked on the Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch and FreeBSD pages. As a workaround, it is recommended to avoid running "git apply --reject" on unverified external patches, and to check the contents of $GIT_DIR/config before running "git submodule deinit", "git config --rename-section" or "git config --remove-section" in untrusted repositories.

Vulnerability CVE-2023-29007 allows settings in the $GIT_DIR/config configuration file to be substituted, which can be used to execute code on the system by specifying paths to executable files in the core.pager, core.editor and core.sshCommand directives. The vulnerability is caused by a logic error whereby very long configuration values can be treated as the beginning of a new section when a section is renamed or removed from the configuration file. In practice, malicious values can be injected by specifying very long submodule URLs, which are saved to the $GIT_DIR/config file during initialization. These URLs can then be interpreted as new settings when an attempt is made to remove them via "git submodule deinit".
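The workaround above amounts to inspecting $GIT_DIR/config before touching an untrusted repository. The following audit script is an added example (not from the article or the Git project): it parses git's config syntax and flags the three program-launching directives named above plus any unusually long value of the kind the submodule-URL trick relies on. The 1024-byte threshold, the file path and the sample config are assumptions.

```python
import re
from typing import List, Tuple

# Directives from the writeup that make git run an external program.
DANGEROUS_KEYS = {"core.pager", "core.editor", "core.sshcommand"}
# Assumed threshold for a "very long" value; tune for your environment.
MAX_VALUE_LEN = 1024

_SECTION_RE = re.compile(r'^\[([^\s"\]]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]$')


def parse_git_config(text: str) -> List[Tuple[str, str]]:
    """Minimal parser for git's config syntax: [section] or
    [section "subsection"] headers followed by key = value lines.
    Returns (dotted.key, value) pairs in file order."""
    entries: List[Tuple[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = _SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            if header.group(2) is not None:
                section += "." + header.group(2)
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            entries.append((f"{section}.{key.strip().lower()}", value.strip()))
    return entries


def audit_git_config(text: str) -> List[str]:
    """Return one finding per suspicious entry; empty list means clean."""
    findings = []
    for key, value in parse_git_config(text):
        if key in DANGEROUS_KEYS:
            findings.append(f"{key} launches an external program: {value!r}")
        if len(value) > MAX_VALUE_LEN:
            findings.append(f"{key} has a {len(value)}-byte value (possible section injection)")
    return findings


# Constructed sample $GIT_DIR/config (not from a real repository).
SAMPLE_CONFIG = (
    "[core]\n\trepositoryformatversion = 0\n\tpager = /tmp/not-less\n"
    '[submodule "lib"]\n\turl = https://example.invalid/' + "A" * 1500 + "\n"
)

if __name__ == "__main__":
    print("\n".join(audit_git_config(SAMPLE_CONFIG)) or "no findings")
```

Run it against a real repository by replacing SAMPLE_CONFIG with the contents of `.git/config` before running the deinit or rename/remove commands.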

Vulnerability CVE-2023-25652 allows the contents of files outside the working tree to be overwritten when specially crafted patches are processed by the "git apply --reject" command. If a malicious patch that tries to write to a file through a symbolic link is applied with "git apply", the operation is rejected. In Git 2.39.1, symlink protection was extended to block patches that create symlinks and then attempt to write through them. The essence of the vulnerability is that Git did not take into account that the user can run "git apply --reject", which writes the rejected parts of the patch to files with the ".rej" extension, and an attacker can use this to write content into an arbitrary directory, as far as the current permissions allow.

In addition, three vulnerabilities that affect only the Windows platform have been fixed: CVE-2023-29012 (searching for the doskey.exe executable in the repository's working directory when running the "Git CMD" command, which allows an attacker to execute their own code on the user's system), CVE-2023-25815 (buffer overflow while processing custom localization files in gettext) and CVE-2023-29011 (possibility of substituting the connect.exe file when working through SOCKS5).

Source: opennet.ru