Vulnerabilities in Git leading to data leakage and overwriting

Corrective releases of the distributed source control system Git 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7 and 2.30.8 have been published, fixing two vulnerabilities that affect the local clone optimizations and the "git apply" command. Package updates for distributions can be tracked on the Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch and FreeBSD pages. If updating is not possible, the recommended workaround is to avoid running "git clone" with the "--recurse-submodules" option on untrusted repositories, and not to feed untrusted patches to "git apply" or "git am".

  • Vulnerability CVE-2023-22490 allows an attacker who controls the contents of a cloned repository to gain access to confidential data on the user's system. The vulnerability results from two flaws:

    The first flaw makes it possible, with a specially crafted repository, to trigger the local clone optimizations even when the clone is performed over a transport that talks to external systems.

    The second flaw allows $GIT_DIR/objects itself to be replaced with a symbolic link. It is similar to CVE-2022-39253, whose fix blocked symbolic links placed inside the $GIT_DIR/objects directory but did not check whether the $GIT_DIR/objects directory itself is a symbolic link.

    In local clone mode, git copies $GIT_DIR/objects into the target directory while dereferencing symbolic links, so the files a link points to end up copied directly into the target directory. Because the local clone optimizations can be forced for non-local transports, the vulnerability can be exploited through external repositories: for example, "git clone --recurse-submodules" can end up cloning a malicious repository packaged as a submodule of another repository.

  • Vulnerability CVE-2023-23946 allows files outside the working tree to be overwritten by passing specially crafted input to the "git apply" command; an attack is possible, for example, when a patch prepared by an attacker is processed with "git apply". To keep patches from creating files outside the working copy, "git apply" refuses to process patches that write to a file through a symbolic link. This protection turned out to be bypassable when the patch itself first creates the symbolic link and then writes through it.
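The check behind the first vulnerability, as an added example that is not Git's own code: the CVE-2022-39253 fix looked for symbolic links inside $GIT_DIR/objects, while CVE-2023-22490 abused the unchecked case where $GIT_DIR/objects itself is the link. The script below reports both shapes. The fixture it builds (`build_fake_git_dir`, the `.git` and `outside` directories) is a constructed stand-in for a real repository, not anything from the advisory.

```python
"""Check a git directory for symlinks in its object store.

Added illustration, not Git's own code. CVE-2022-39253's fix blocked symlinks
inside $GIT_DIR/objects; CVE-2023-22490 abused the unchecked case where
$GIT_DIR/objects itself is the symlink. This checker reports both.
"""
import os
import tempfile
from pathlib import Path


def symlinked_object_paths(git_dir):
    """Return paths (relative to git_dir) that are symlinks: the objects
    directory itself, or any entry beneath it. Empty list means clean."""
    git_dir = Path(git_dir)
    objects = git_dir / "objects"
    if objects.is_symlink():
        # Report and stop: walking through the link would scan its target.
        return ["objects"]
    if not objects.is_dir():
        return []
    offenders = []
    for dirpath, dirnames, filenames in os.walk(objects):  # followlinks=False
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                offenders.append(str(p.relative_to(git_dir)))
    return sorted(offenders)


def build_fake_git_dir(root, layout):
    """Constructed fixture, not a real repository. `layout` is one of
    "clean", "objects_symlink" (the CVE-2023-22490 shape) or
    "inner_symlink" (the CVE-2022-39253 shape)."""
    root = Path(root)
    git_dir = root / ".git"
    git_dir.mkdir()
    (git_dir / "HEAD").write_text("ref: refs/heads/main\n")
    outside = root / "outside"  # stands in for a sensitive directory
    outside.mkdir()
    (outside / "secret.txt").write_text("constructed sample data\n")
    if layout == "objects_symlink":
        os.symlink(outside, git_dir / "objects")
    else:
        (git_dir / "objects" / "pack").mkdir(parents=True)
        if layout == "inner_symlink":
            os.symlink(outside, git_dir / "objects" / "info")
    return git_dir


def demo():
    """Run the checker over each fixture; returns a dict layout -> offenders."""
    results = {}
    for layout in ("clean", "objects_symlink", "inner_symlink"):
        with tempfile.TemporaryDirectory() as tmp:
            results[layout] = symlinked_object_paths(build_fake_git_dir(tmp, layout))
    return results


if __name__ == "__main__":
    for layout, offenders in demo().items():
        print(f"{layout:16} {offenders or 'ok'}")
```

Run `symlinked_object_paths` against the `.git` directory (or a submodule's gitdir under `.git/modules`) of a repository received from an untrusted source before letting anything clone it locally; the check is deliberately conservative and does not follow the link to see what it points at.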
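The pattern behind the second vulnerability, as an added pre-apply check that is not Git's own code: a patch whose first entry creates a symbolic link (git mode 120000) and whose later entry writes to a path under that link. The scanner only reads the extended headers of a unified diff, so it can be run on a patch before handing it to "git apply" or "git am". The two sample patches (`MALICIOUS_PATCH`, `BENIGN_PATCH`) are constructed for this example and use placeholder paths; they are not taken from any real exploit.

```python
"""Pre-apply scanner for the symlink pattern behind CVE-2023-23946.

Added illustration, not Git's code: flags patches that create a symbolic
link (git mode 120000) and later in the same patch write to a path that is
that link or lies beneath it. Fixed Git versions reject such patches;
this script shows the pattern before the patch reaches `git apply`.
"""
import re
from pathlib import PurePosixPath

DIFF_HEADER = re.compile(r"^diff --git a/(?P<old>.+?) b/(?P<new>.+)$")


def _check_and_record(path, is_symlink, deleted, symlinks, findings):
    """Flag `path` if it is, or sits under, a symlink created earlier in the
    patch; then remember it if this entry itself makes `path` a symlink."""
    p = PurePosixPath(path)
    for candidate in (p, *p.parents):
        if str(candidate) in symlinks:
            findings.append((path, str(candidate)))
            break
    if deleted:
        symlinks.discard(path)
    elif is_symlink:
        symlinks.add(path)


def scan_patch(patch_text):
    """Return [(written_path, symlink_path), ...] for every file entry the
    patch writes through a symlink it created earlier; [] means no finding."""
    symlinks, findings = set(), []
    current, is_symlink, deleted = None, False, False
    for line in patch_text.splitlines():
        m = DIFF_HEADER.match(line)
        if m:
            if current is not None:
                _check_and_record(current, is_symlink, deleted, symlinks, findings)
            current, is_symlink, deleted = m.group("new"), False, False
            continue
        if current is None:
            continue
        # Only extended header lines are inspected; hunk body lines start
        # with ' ', '+', '-' or a backslash, so they cannot match these.
        if line.startswith(("new file mode ", "new mode ")):
            is_symlink = line.split()[-1] == "120000"
        elif line.startswith("deleted file mode "):
            deleted = True
    if current is not None:
        _check_and_record(current, is_symlink, deleted, symlinks, findings)
    return findings


# Constructed sample: the first entry turns "link" into a symlink, the second
# then writes "link/payload", i.e. through the link. Placeholder target only.
MALICIOUS_PATCH = """\
diff --git a/link b/link
new file mode 120000
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+/some/target/directory
\\ No newline at end of file
diff --git a/link/payload b/link/payload
new file mode 100644
--- /dev/null
+++ b/link/payload
@@ -0,0 +1 @@
+content written through the symlink
"""

# Constructed sample: same symlink, but the second entry is unrelated to it.
BENIGN_PATCH = """\
diff --git a/link b/link
new file mode 120000
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+/some/target/directory
\\ No newline at end of file
diff --git a/docs/README b/docs/README
new file mode 100644
--- /dev/null
+++ b/docs/README
@@ -0,0 +1 @@
+unrelated file, not under the link
"""


def demo():
    """Scan both constructed patches; returns (malicious_findings, benign_findings)."""
    return scan_patch(MALICIOUS_PATCH), scan_patch(BENIGN_PATCH)


if __name__ == "__main__":
    bad, good = demo()
    print("malicious:", bad)
    print("benign:", good)
```

The scanner sees only what the patch itself creates; a symlink that already exists in the working tree is invisible to it, which is exactly the case "git apply" was already refusing before the fix. Treat a non-empty result as a reason to reject the patch, not as a complete verdict on a patch that returns nothing.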

Source: opennet.ru
