| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <dev-vcs/git-{2.37.6, 2.38.4, 2.39.2}: "git apply" overwriting paths outside the working tree | | |
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | robbat2 |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 894476 | Bug Blocks: | |
Description (Sam James, 2023-02-15 01:10:48 UTC)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=646c74999f732cd71123110439bec75f6749cd9d

commit 646c74999f732cd71123110439bec75f6749cd9d
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-02-15 01:26:30 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-02-15 01:29:26 +0000

    dev-vcs/git: add 2.39.2

    Bug: https://bugs.gentoo.org/894472
    Signed-off-by: Sam James <sam@gentoo.org>

    dev-vcs/git/Manifest | 3 +
    dev-vcs/git/git-2.39.2.ebuild | 657 ++++++++++++++++++++++++++++++++++++++++++
    2 files changed, 660 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=467758196211051cc05545f8bce2ec38395781a4

commit 467758196211051cc05545f8bce2ec38395781a4
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-02-15 01:20:34 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-02-15 01:29:25 +0000

    dev-vcs/git: add 2.38.4

    Bug: https://bugs.gentoo.org/894472
    Signed-off-by: Sam James <sam@gentoo.org>

    dev-vcs/git/Manifest | 3 +
    dev-vcs/git/git-2.38.4.ebuild | 657 ++++++++++++++++++++++++++++++++++++++++++
    2 files changed, 660 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a194642d4825efb78fc6491066ed1e99712ce39c

commit a194642d4825efb78fc6491066ed1e99712ce39c
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-02-15 01:14:38 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-02-15 01:29:24 +0000

    dev-vcs/git: add 2.37.6

    Bug: https://bugs.gentoo.org/894472
    Signed-off-by: Sam James <sam@gentoo.org>

    dev-vcs/git/Manifest | 3 +
    dev-vcs/git/git-2.37.6.ebuild | 647 ++++++++++++++++++++++++++++++++++++++++++
    2 files changed, 650 insertions(+)

And:

" * CVE-2023-22490: Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link.

These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253."

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2c2ec5453e20060d4ec1717825d2874f0e663f91

commit 2c2ec5453e20060d4ec1717825d2874f0e663f91
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-27 07:49:08 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-27 07:49:42 +0000

    [ GLSA 202312-15 ] Git: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/877565
    Bug: https://bugs.gentoo.org/891221
    Bug: https://bugs.gentoo.org/894472
    Bug: https://bugs.gentoo.org/905088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

    glsa-202312-15.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
    1 file changed, 57 insertions(+)
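The quoted CVE-2023-22490 text notes that Git refuses local clones whose objects directory contains symbolic links, but that the objects directory itself may still be one. As an added example that is not part of this bug report, of Git, or of Gentoo's ebuilds, the POSIX sh audit below flags either layout in a repository on disk before it is cloned from or published; the function names and exit codes are this example's own choice.

```sh
# Added example (not from the Gentoo bug or from Git): check a repository's
# object store for the two symlink layouts the CVE-2023-22490 text describes,
# so a defender can flag a suspicious repository before the fixed Git version
# is installed. Function names and exit codes are assumptions of this example.

# git_objects_dir REPO: print the object directory of a bare repository,
# a normal checkout, or a worktree/submodule whose .git is a "gitdir:" file.
# Nothing here resolves symlinks; the caller tests the printed path.
git_objects_dir() {
    if [ -f "$1/.git" ]; then
        gd=$(sed -n 's/^gitdir: //p' "$1/.git")
        case $gd in /*) ;; *) gd="$1/$gd" ;; esac   # relative to the checkout
        printf '%s\n' "$gd/objects"
    elif [ -d "$1/.git" ]; then
        printf '%s\n' "$1/.git/objects"
    else
        printf '%s\n' "$1/objects"                  # bare layout
    fi
}

# audit_objects_dir REPO: return 0 for a plain directory tree, 1 if the
# objects directory is itself a symlink, 2 if any entry below it is a
# symlink, 3 if there is no objects directory at all.
audit_objects_dir() {
    objdir=$(git_objects_dir "$1")
    # test -L before -d: -d follows the link and would report a directory
    if [ -L "$objdir" ]; then
        echo "WARN: $objdir is a symbolic link" >&2
        return 1
    fi
    if [ ! -d "$objdir" ]; then
        echo "ERR: $objdir does not exist" >&2
        return 3
    fi
    # find does not follow symlinks by default, so -type l lists the links
    if [ -n "$(find "$objdir" -type l | head -n 1)" ]; then
        echo "WARN: symbolic link found below $objdir" >&2
        return 2
    fi
    return 0
}

# Usage: sh audit-objects.sh REPO...  (exit status is the last nonzero code)
status=0
for repo in "$@"; do
    audit_objects_dir "$repo" || status=$?
done
[ "$#" -eq 0 ] || exit "$status"
```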