https://lore.kernel.org/lkml/xmqqa5yv3n93.fsf@gitster.g/ """ The addressed issues are: * CVE-2023-25652: By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). * CVE-2023-25815: When Git is compiled with runtime prefix support and runs without translated messages, it still used the gettext machinery to display messages, which subsequently potentially looked for translated messages in unexpected places. This allowed for malicious placement of crafted messages. * CVE-2023-29007: When renaming or deleting a section from a configuration file, certain malicious configuration values may be misinterpreted as the beginning of a new configuration section, leading to arbitrary configuration injection. """
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94633b2602d86b4d77e1dc2a148437f725cf0d55 commit 94633b2602d86b4d77e1dc2a148437f725cf0d55 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-04-25 23:16:58 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-04-25 23:16:58 +0000 dev-vcs/git: add 2.40.1 Bug: https://bugs.gentoo.org/905088 Signed-off-by: Sam James <sam@gentoo.org> dev-vcs/git/Manifest | 3 + dev-vcs/git/git-2.40.1.ebuild | 644 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 647 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77a5f5ca9c11790bb0989385f30d9dff6edc7c82 commit 77a5f5ca9c11790bb0989385f30d9dff6edc7c82 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-04-25 22:59:51 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-04-25 22:59:51 +0000 dev-vcs/git: add 2.39.3 Bug: https://bugs.gentoo.org/905088 Signed-off-by: Sam James <sam@gentoo.org> dev-vcs/git/Manifest | 3 + dev-vcs/git/git-2.39.3.ebuild | 644 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 647 insertions(+)
