https://lore.kernel.org/lkml/xmqqa5yv3n93.fsf@gitster.g/ """ The addressed issues are: * CVE-2023-25652: By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). * CVE-2023-25815: When Git is compiled with runtime prefix support and runs without translated messages, it still used the gettext machinery to display messages, which subsequently potentially looked for translated messages in unexpected places. This allowed for malicious placement of crafted messages. * CVE-2023-29007: When renaming or deleting a section from a configuration file, certain malicious configuration values may be misinterpreted as the beginning of a new configuration section, leading to arbitrary configuration injection. """
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94633b2602d86b4d77e1dc2a148437f725cf0d55 commit 94633b2602d86b4d77e1dc2a148437f725cf0d55 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-04-25 23:16:58 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-04-25 23:16:58 +0000 dev-vcs/git: add 2.40.1 Bug: https://bugs.gentoo.org/905088 Signed-off-by: Sam James <sam@gentoo.org> dev-vcs/git/Manifest | 3 + dev-vcs/git/git-2.40.1.ebuild | 644 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 647 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77a5f5ca9c11790bb0989385f30d9dff6edc7c82 commit 77a5f5ca9c11790bb0989385f30d9dff6edc7c82 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-04-25 22:59:51 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-04-25 22:59:51 +0000 dev-vcs/git: add 2.39.3 Bug: https://bugs.gentoo.org/905088 Signed-off-by: Sam James <sam@gentoo.org> dev-vcs/git/Manifest | 3 + dev-vcs/git/git-2.39.3.ebuild | 644 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 647 insertions(+)
Ping. Any reason we are still keeping git-2.39.2-r1 around?
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e772875e51b9a7085f89783bfbd7452272c95550 commit e772875e51b9a7085f89783bfbd7452272c95550 Author: Robin H. Johnson <robbat2@gentoo.org> AuthorDate: 2023-11-01 21:05:17 +0000 Commit: Robin H. Johnson <robbat2@gentoo.org> CommitDate: 2023-11-01 21:05:17 +0000 dev-vcs/git: cleanup git-2.39.2-r1 Signed-off-by: Robin H. Johnson <robbat2@gentoo.org> Bug: https://bugs.gentoo.org/show_bug.cgi?id=905088 dev-vcs/git/Manifest | 3 - dev-vcs/git/git-2.39.2-r1.ebuild | 645 --------------------------------------- 2 files changed, 648 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=2c2ec5453e20060d4ec1717825d2874f0e663f91 commit 2c2ec5453e20060d4ec1717825d2874f0e663f91 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-12-27 07:49:08 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2023-12-27 07:49:42 +0000 [ GLSA 202312-15 ] Git: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/838127 Bug: https://bugs.gentoo.org/857831 Bug: https://bugs.gentoo.org/877565 Bug: https://bugs.gentoo.org/891221 Bug: https://bugs.gentoo.org/894472 Bug: https://bugs.gentoo.org/905088 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202312-15.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+)