Vulnerabilities in Git when cloning submodules and using the git shell

Corrective releases of the distributed source control system Git, 2.38.1, 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3 and 2.37.4, have been published. They fix two vulnerabilities: one that manifests when "git clone" is run in "--recurse-submodules" mode against untrusted repositories, and one in the interactive mode of "git shell". Package updates in distributions can be tracked on the Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch and FreeBSD pages.

  • CVE-2022-39253 - The vulnerability allows an attacker who controls the contents of a cloned repository to read confidential files on the user's system by placing symbolic links to the files of interest in the $GIT_DIR/objects directory of that repository. The problem only occurs when cloning locally (the "--local" mode, which git selects by default when the source is given as a plain filesystem path rather than a URL) or when a malicious repository is pulled in as a submodule of another repository, for example during a recursive submodule clone with "git clone --recurse-submodules".

    The cause is that in "--local" mode git transfers the contents of $GIT_DIR/objects to the target directory by creating hard links or copies of the files, and does so while dereferencing symbolic links: the target directory receives not the symlinks themselves but copies of the files they point to, which then sit in the clone's object directory where the attacker-controlled repository can expose them. To block the vulnerability, the new releases refuse to clone a repository in "--local" mode if its $GIT_DIR/objects directory contains symbolic links. In addition, the default value of the protocol.file.allow parameter has been changed from "always" to "user", so the file:// transport is no longer allowed implicitly, for example when submodules are fetched during a recursive clone, but only when the user requests it directly on the command line; anyone who needs the old behaviour has to set the parameter back to "always" explicitly.

  • CVE-2022-39260 - An integer overflow in the split_cmdline() function used by the "git shell" command. The problem affects users who have "git shell" as their login shell and have interactive mode enabled (the $HOME/git-shell-commands directory exists). Exploitation could lead to arbitrary code execution on the system when a specially crafted command larger than 2 GB is passed to the interactive shell. In the fixed releases split_cmdline() rejects command lines whose argument count could overflow an int, and git shell refuses interactive commands longer than 4 MB.
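As an added example (not code from the opennet.ru article or from the Git project), the following POSIX shell script turns the two advisories into checks a practitioner can run: whether a git version string is one of the corrective releases listed above or a later release, whether the effective protocol.file.allow setting keeps file:// away from recursive submodule clones, and whether a repository's $GIT_DIR/objects contains symbolic links, which is the condition the fixed releases refuse before a "--local" clone. The function names and the temporary repository layout used in the test are my own; the git shell overflow (CVE-2022-39260) cannot be detected from a script beyond the version check, so it is covered by that check only.

```shell
#!/bin/sh
# Added example (not from the opennet.ru article or the Git project): audit
# helpers for CVE-2022-39253 / CVE-2022-39260. Function names are my own.

# git_version_is_fixed VERSION
# Returns 0 when VERSION is one of the corrective releases named in the article
# (2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, 2.37.4, 2.38.1), a
# later release on the same maintenance line, or any release after 2.38.x;
# returns 1 otherwise (including unpatched lines such as 2.29.x).
# Accepts "2.38.1" or "2.38.1.windows.1"; a missing patch level counts as .0.
git_version_is_fixed() {
    gvf_ver=$1
    gvf_major=${gvf_ver%%.*}
    gvf_rest=${gvf_ver#*.}
    gvf_minor=${gvf_rest%%.*}
    gvf_patch=${gvf_rest#*.}
    [ "$gvf_patch" = "$gvf_rest" ] && gvf_patch=0     # no patch level given
    gvf_patch=${gvf_patch%%.*}                         # drop ".windows.1" etc.
    gvf_patch=${gvf_patch%%[!0-9]*}                    # drop "-rc0" style suffixes
    : "${gvf_patch:=0}"
    [ "$gvf_major" -gt 2 ] && return 0
    [ "$gvf_major" -lt 2 ] && return 1
    case $gvf_minor in
        30) gvf_need=6 ;;
        31) gvf_need=5 ;;
        32) gvf_need=4 ;;
        33) gvf_need=5 ;;
        34) gvf_need=5 ;;
        35) gvf_need=5 ;;
        36) gvf_need=3 ;;
        37) gvf_need=4 ;;
        38) gvf_need=1 ;;
        *)
            [ "$gvf_minor" -gt 38 ]   # 2.39 and later carry the fix, 2.29 and older do not
            return $?
            ;;
    esac
    [ "$gvf_patch" -ge "$gvf_need" ]
}

# protocol_file_allow_is_safe VALUE VERSION
# VALUE is the effective protocol.file.allow setting ("" when unset). When it is
# unset the built-in default is "user" on fixed releases and "always" before the
# fix, so VERSION is consulted. Returns 0 for "user" or "never" (file:// cannot
# be used by recursive submodule clones), 1 for "always" or anything else.
protocol_file_allow_is_safe() {
    pfa_value=$1
    if [ -z "$pfa_value" ]; then
        git_version_is_fixed "$2" && pfa_value=user || pfa_value=always
    fi
    case $pfa_value in
        user|never) return 0 ;;
        *) return 1 ;;
    esac
}

# objects_dir_is_clean GIT_DIR
# Mirrors the check the fixed releases perform before a --local clone: returns 0
# when GIT_DIR/objects contains no symbolic links, 1 when at least one is found,
# 2 when GIT_DIR/objects does not exist. Point it at a repository's .git
# directory (or at a bare repository) before cloning it by plain path on an
# older git.
objects_dir_is_clean() {
    [ -d "$1/objects" ] || return 2
    odc_found=$(find "$1/objects" -type l 2>/dev/null | head -n 1)
    [ -z "$odc_found" ]
}

# Audit the git installed on this machine, if any (prints only, never fails).
if command -v git >/dev/null 2>&1; then
    running=$(git --version | awk '{print $3}')
    if git_version_is_fixed "$running"; then
        echo "git $running: includes the CVE-2022-39253 / CVE-2022-39260 fixes"
    else
        echo "git $running: NOT fixed, upgrade before cloning untrusted repositories"
    fi
    setting=$(git config --get protocol.file.allow 2>/dev/null || true)
    if protocol_file_allow_is_safe "$setting" "$running"; then
        echo "protocol.file.allow=${setting:-<unset>}: file:// is not usable by recursive submodule clones"
    else
        echo "protocol.file.allow=${setting:-<unset>}: run 'git config --global protocol.file.allow user'"
    fi
fi
```

The version table is deliberately explicit rather than a generic "newer is better" comparison, because the fix was backported to nine maintenance lines and a 2.37.3 is vulnerable while a 2.30.6 is not; the symlink scan is the same condition the patched git applies, so a repository it flags would be refused by a fixed client and silently dereferenced by an unfixed one.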

Source: opennet.ru
