See https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh.

"""
Impact

By feeding specially crafted input to git apply, a path outside the working tree can be overwritten as the user who is running git apply.

Patches

A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 and v2.30.8.

Workarounds

Use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.

Credits

Credit for finding the vulnerability goes to Joern Schneeweisz of GitLab. The patch was authored by Patrick Steinhardt of GitLab.
"""
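The workaround quoted above asks the reviewer to spot, by eye, a patch that first creates a symbolic link and then writes a file beneath it. The script below is an added example (not code from git or from the advisory) that automates that triage: it parses a git-format patch, records every file created with mode 120000, and flags any later file whose path passes through one of those links, noting whether the link's target leaves the working tree. Both sample patches are constructed for the example; the header regex and the function names are my own.

```python
"""Triage a git-format patch for the shape CVE-2023-23946 abuses: a hunk
that creates a symbolic link, followed by a hunk that writes a file whose
path passes through that link.  Added example, not code from git or from
the advisory; the sample patches below are constructed."""
import posixpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the per-file header "diff --git a/<path> b/<path>" (assumed default prefixes).
HEADER_RE = re.compile(r"^diff --git a/(?P<a>.+?) b/(?P<b>.+)$")


@dataclass
class PatchFile:
    path: str                      # path on the "b/" side, i.e. what git apply writes
    is_symlink: bool = False       # "new file mode 120000" seen in this file's header
    target: Optional[str] = None   # symlink target, taken from the blob's single content line


def parse_patch(text: str) -> List[PatchFile]:
    """Split a git-format patch into per-file entries, noting symlink creations."""
    files: List[PatchFile] = []
    current: Optional[PatchFile] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = PatchFile(path=m.group("b"))
            files.append(current)
            continue
        if current is None:
            continue
        if line.startswith("new file mode 120000"):
            current.is_symlink = True
        elif current.is_symlink and line.startswith("+") and not line.startswith("+++"):
            current.target = line[1:]   # a symlink blob's only content line is its target
    return files


def symlink_escapes(link_path: str, target: str) -> bool:
    """True if the link, resolved relative to its own directory, points outside the tree."""
    if posixpath.isabs(target):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    return resolved == ".." or resolved.startswith("../")


def find_symlink_traversal(text: str) -> List[Tuple[str, str, bool]]:
    """Return (symlink_path, written_path, escapes_tree) for every file the patch
    writes underneath a symbolic link that the same patch created earlier."""
    findings: List[Tuple[str, str, bool]] = []
    links: List[PatchFile] = []
    for entry in parse_patch(text):
        if entry.is_symlink:
            links.append(entry)
            continue
        written = posixpath.normpath(entry.path)
        for link in links:
            if written.startswith(posixpath.normpath(link.path) + "/"):
                findings.append((link.path, entry.path,
                                 symlink_escapes(link.path, link.target or "")))
    return findings


# Constructed sample: a link that leaves the working tree, then a write through it.
MALICIOUS_PATCH = """\
diff --git a/link b/link
new file mode 120000
index 0000000..1111111
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+../outside
\\ No newline at end of file
diff --git a/link/payload.txt b/link/payload.txt
new file mode 100644
index 0000000..2222222
--- /dev/null
+++ b/link/payload.txt
@@ -0,0 +1 @@
+written through the symlink
"""

# Constructed sample: an ordinary patch that only creates a regular file.
BENIGN_PATCH = """\
diff --git a/README b/README
new file mode 100644
index 0000000..3333333
--- /dev/null
+++ b/README
@@ -0,0 +1 @@
+hello
"""

if __name__ == "__main__":
    for link, written, escapes in find_symlink_traversal(MALICIOUS_PATCH):
        where = "leaves" if escapes else "stays inside"
        print(f"REFUSE: {written!r} is written through symlink {link!r} ({where} the working tree)")
    print("benign patch findings:", find_symlink_traversal(BENIGN_PATCH))
```

Run it over the output of `git format-patch` or any unified diff produced by git before `git apply`; an empty result means the patch does not create a link and then write beneath it. The scan only considers links the patch itself creates, and it is a triage aid for the workaround, not a substitute for moving to the fixed versions listed in the advisory.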
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=646c74999f732cd71123110439bec75f6749cd9d
commit 646c74999f732cd71123110439bec75f6749cd9d
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-02-15 01:26:30 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-02-15 01:29:26 +0000

    dev-vcs/git: add 2.39.2

    Bug: https://bugs.gentoo.org/894472
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest          |   3 +
 dev-vcs/git/git-2.39.2.ebuild | 657 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 660 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=467758196211051cc05545f8bce2ec38395781a4
commit 467758196211051cc05545f8bce2ec38395781a4
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-02-15 01:20:34 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-02-15 01:29:25 +0000

    dev-vcs/git: add 2.38.4

    Bug: https://bugs.gentoo.org/894472
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest          |   3 +
 dev-vcs/git/git-2.38.4.ebuild | 657 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 660 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a194642d4825efb78fc6491066ed1e99712ce39c
commit a194642d4825efb78fc6491066ed1e99712ce39c
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-02-15 01:14:38 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-02-15 01:29:24 +0000

    dev-vcs/git: add 2.37.6

    Bug: https://bugs.gentoo.org/894472
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest          |   3 +
 dev-vcs/git/git-2.37.6.ebuild | 647 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 650 insertions(+)
And:

" * CVE-2023-22490: Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253."
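The quoted text names two conditions on a local clone source: git already aborts when $GIT_DIR/objects contains symbolic links (CVE-2022-39253), and CVE-2023-22490 is the case where objects is itself a symbolic link. The check below is an added example, not git's own logic, of a pre-clone gate a pipeline can run over a local repository it is about to clone from: it refuses both shapes without following any link. The fake $GIT_DIR layouts are constructed in a temporary directory purely for the example, and the function names are my own.

```python
"""Pre-clone check for a local clone source: report $GIT_DIR/objects if it is
itself a symbolic link (the CVE-2023-22490 case) or any symbolic link beneath
it (the CVE-2022-39253 case git already aborts on).  Added example, not git's
own code; the repository layouts built here are constructed test data."""
import os
import tempfile
from typing import List, Optional


def unsafe_object_links(git_dir: str) -> List[str]:
    """Return every symlink at or beneath <git_dir>/objects, without following any of them."""
    objects = os.path.join(git_dir, "objects")
    if os.path.islink(objects):
        return [objects]               # the objects directory itself is a link
    if not os.path.isdir(objects):
        raise ValueError(f"{git_dir!r} has no objects directory; not a git dir?")
    found: List[str] = []
    # followlinks=False keeps os.walk from descending into linked directories;
    # the links still show up in dirs/files, where islink() catches them.
    for root, dirs, files in os.walk(objects, followlinks=False):
        for name in dirs + files:
            full = os.path.join(root, name)
            if os.path.islink(full):
                found.append(full)
    return found


def local_clone_source_is_safe(git_dir: str) -> bool:
    """True only if no symlink is involved anywhere in the objects directory."""
    return not unsafe_object_links(git_dir)


def build_fake_git_dir(objects_target: Optional[str] = None,
                       inner_link_target: Optional[str] = None) -> str:
    """Construct a minimal fake $GIT_DIR in a temp directory (constructed data, not a real repo).

    objects_target:    make objects/ itself a symlink to this path (CVE-2023-22490 shape)
    inner_link_target: put a symlink named objects/info pointing here (CVE-2022-39253 shape)
    """
    git_dir = tempfile.mkdtemp(prefix="fake-git-")
    objects = os.path.join(git_dir, "objects")
    if objects_target is not None:
        os.symlink(objects_target, objects)
        return git_dir
    os.makedirs(os.path.join(objects, "pack"))
    if inner_link_target is not None:
        os.symlink(inner_link_target, os.path.join(objects, "info"))
    return git_dir


if __name__ == "__main__":
    for label, repo in [
        ("plain repo", build_fake_git_dir()),
        ("objects is a symlink", build_fake_git_dir(objects_target="/tmp")),
        ("symlink inside objects", build_fake_git_dir(inner_link_target="/tmp")),
    ]:
        verdict = "OK to clone" if local_clone_source_is_safe(repo) else "REFUSE"
        print(f"{label}: {verdict} {unsafe_object_links(repo)}")
```

Point it at the `.git` directory (or the bare repository) you are about to pass to `git clone` by path; the check is cheap, but it is a guard for the source side only and does not replace upgrading the git that performs the clone.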
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2c2ec5453e20060d4ec1717825d2874f0e663f91
commit 2c2ec5453e20060d4ec1717825d2874f0e663f91
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-27 07:49:08 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-27 07:49:42 +0000

    [ GLSA 202312-15 ] Git: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/877565
    Bug: https://bugs.gentoo.org/891221
    Bug: https://bugs.gentoo.org/894472
    Bug: https://bugs.gentoo.org/905088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-15.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)