Bug 894472 (CVE-2023-22490, CVE-2023-23946) - <dev-vcs/git-{2.37.6, 2.38.4, 2.39.2}: "git apply" overwriting paths outside the working tree
Status: RESOLVED FIXED
Alias: CVE-2023-22490, CVE-2023-23946
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 894476
Blocks:
Reported: 2023-02-15 01:10 UTC by Sam James
Modified: 2023-12-27 07:51 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-02-15 01:10:48 UTC
See https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh.

"""
Impact

By feeding specially crafted input to git apply, a path outside the working tree can be overwritten as the user who is running git apply.

Patches

A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 and v2.30.8.

Workarounds

Use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.

Credits

Credit for finding the vulnerability goes to Joern Schneeweisz of GitLab. The patch was authored by Patrick Steinhardt of GitLab.

"""
Comment 1 Larry the Git Cow gentoo-dev 2023-02-15 01:39:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=646c74999f732cd71123110439bec75f6749cd9d

commit 646c74999f732cd71123110439bec75f6749cd9d
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-15 01:26:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-15 01:29:26 +0000

    dev-vcs/git: add 2.39.2
    
    Bug: https://bugs.gentoo.org/894472
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest          |   3 +
 dev-vcs/git/git-2.39.2.ebuild | 657 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 660 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=467758196211051cc05545f8bce2ec38395781a4

commit 467758196211051cc05545f8bce2ec38395781a4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-15 01:20:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-15 01:29:25 +0000

    dev-vcs/git: add 2.38.4
    
    Bug: https://bugs.gentoo.org/894472
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest          |   3 +
 dev-vcs/git/git-2.38.4.ebuild | 657 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 660 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a194642d4825efb78fc6491066ed1e99712ce39c

commit a194642d4825efb78fc6491066ed1e99712ce39c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-15 01:14:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-15 01:29:24 +0000

    dev-vcs/git: add 2.37.6
    
    Bug: https://bugs.gentoo.org/894472
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest          |   3 +
 dev-vcs/git/git-2.37.6.ebuild | 647 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 650 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-23 04:19:44 UTC
And:

" * CVE-2023-22490:

   Using a specially-crafted repository, Git can be tricked into using
   its local clone optimization even when using a non-local transport.
   Though Git will abort local clones whose source $GIT_DIR/objects
   directory contains symbolic links (c.f., CVE-2022-39253), the objects
   directory itself may still be a symbolic link.

   These two may be combined to include arbitrary files based on known
   paths on the victim's filesystem within the malicious repository's
   working copy, allowing for data exfiltration in a similar manner as
   CVE-2022-39253."
Comment 3 Larry the Git Cow gentoo-dev 2023-12-27 07:49:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2c2ec5453e20060d4ec1717825d2874f0e663f91

commit 2c2ec5453e20060d4ec1717825d2874f0e663f91
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-27 07:49:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-27 07:49:42 +0000

    [ GLSA 202312-15 ] Git: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/877565
    Bug: https://bugs.gentoo.org/891221
    Bug: https://bugs.gentoo.org/894472
    Bug: https://bugs.gentoo.org/905088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-15.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)