Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 905088 (CVE-2023-25652, CVE-2023-25815, CVE-2023-29007)

Summary: <dev-vcs/git-{2.39.3, 2.40.1}: Multiple vulnerabilities
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: robbat2
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 905696    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-04-25 22:51:17 UTC
https://lore.kernel.org/lkml/xmqqa5yv3n93.fsf@gitster.g/

"""
The addressed issues are:

 * CVE-2023-25652:

   By feeding specially crafted input to `git apply --reject`, a
   path outside the working tree can be overwritten with partially
   controlled contents (corresponding to the rejected hunk(s) from
   the given patch).

 * CVE-2023-25815:

   When Git is compiled with runtime prefix support and runs without
   translated messages, it still used the gettext machinery to
   display messages, which subsequently potentially looked for
   translated messages in unexpected places. This allowed for
   malicious placement of crafted messages.

 * CVE-2023-29007:

   When renaming or deleting a section from a configuration file,
   certain malicious configuration values may be misinterpreted as
   the beginning of a new configuration section, leading to arbitrary
   configuration injection.
"""
Comment 1 Larry the Git Cow gentoo-dev 2023-04-25 23:17:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94633b2602d86b4d77e1dc2a148437f725cf0d55

commit 94633b2602d86b4d77e1dc2a148437f725cf0d55
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-04-25 23:16:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-04-25 23:16:58 +0000

    dev-vcs/git: add 2.40.1
    
    Bug: https://bugs.gentoo.org/905088
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest          |   3 +
 dev-vcs/git/git-2.40.1.ebuild | 644 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 647 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77a5f5ca9c11790bb0989385f30d9dff6edc7c82

commit 77a5f5ca9c11790bb0989385f30d9dff6edc7c82
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-04-25 22:59:51 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-04-25 22:59:51 +0000

    dev-vcs/git: add 2.39.3
    
    Bug: https://bugs.gentoo.org/905088
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest          |   3 +
 dev-vcs/git/git-2.39.3.ebuild | 644 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 647 insertions(+)
Comment 2 Hans de Graaff gentoo-dev Security 2023-10-29 09:39:27 UTC
Ping. Any reason we are still keeping git-2.39.2-r1 around?
Comment 3 Larry the Git Cow gentoo-dev 2023-11-01 21:05:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e772875e51b9a7085f89783bfbd7452272c95550

commit e772875e51b9a7085f89783bfbd7452272c95550
Author:     Robin H. Johnson <robbat2@gentoo.org>
AuthorDate: 2023-11-01 21:05:17 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2023-11-01 21:05:17 +0000

    dev-vcs/git: cleanup git-2.39.2-r1
    
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=905088

 dev-vcs/git/Manifest             |   3 -
 dev-vcs/git/git-2.39.2-r1.ebuild | 645 ---------------------------------------
 2 files changed, 648 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2023-12-27 07:49:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2c2ec5453e20060d4ec1717825d2874f0e663f91

commit 2c2ec5453e20060d4ec1717825d2874f0e663f91
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-27 07:49:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-27 07:49:42 +0000

    [ GLSA 202312-15 ] Git: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/877565
    Bug: https://bugs.gentoo.org/891221
    Bug: https://bugs.gentoo.org/894472
    Bug: https://bugs.gentoo.org/905088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-15.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)