git-2.39.1-1.el8

Errata ID: AXSA:2023-5936:07

Release date: 
Thursday, June 8, 2023 - 13:07
Subject: 
git-2.39.1-1.el8
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.

Security Fix(es):

* git: On multi-user machines Git users might find themselves unexpectedly in a Git worktree (CVE-2022-24765)
* git: Bypass of safe.directory protections (CVE-2022-29187)
* git: exposure of sensitive information to a malicious actor (CVE-2022-39253)
* git: git shell function that splits command arguments can lead to arbitrary heap writes (CVE-2022-39260)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 8.8 Release Notes linked from the References section.

CVE-2022-24765
Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-git are vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\.git\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\Users` if the user profile is located in `C:\Users\my-user-name`.
CVE-2022-29187
Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 is vulnerable to privilege escalation on all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.
CVE-2022-39253
Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.
CVE-2022-39260
Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.
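The three CVE descriptions above each name the first fixed release on every Git maintenance line. The following Python script, added here as an example and not part of this errata or of the Git project, turns those lists into a version check a defender can run across hosts. It copies the fixed-version lists verbatim from the descriptions, treats the version this errata ships (2.39.1, taken from the package name) as the upper bound above which everything is fixed, and reports "unknown" for versions on a maintenance line the advisory does not mention (such as 2.38.x), since the advisory text alone cannot decide those. CVE-2022-24765 is left out because the advisory gives only a Git for Windows fix version for it. The sample version strings in main() are constructed. The check compares upstream version numbers only: a distribution package with backported fixes must be judged by its RPM changelog, not by this script.

```python
"""Classify a Git version string against the fixed versions named in this
errata for CVE-2022-29187, CVE-2022-39253 and CVE-2022-39260.

Added example, not part of the errata or of Git. Fixed-version lists are
copied from the CVE descriptions; ERRATA_VERSION comes from the package
name git-2.39.1-1.el8. Upstream version numbers only: distro packages
with backported fixes need a changelog check instead.
"""
import re
import subprocess

# Version shipped by this errata; anything at or above it is treated as fixed.
ERRATA_VERSION = "2.39.1"

# First fixed release on each maintenance line, per CVE (from the advisory text).
FIXED_VERSIONS = {
    "CVE-2022-29187": ["2.37.1", "2.36.2", "2.35.4", "2.34.4",
                       "2.33.4", "2.32.3", "2.31.4", "2.30.5"],
    "CVE-2022-39253": ["2.30.6", "2.31.5", "2.32.4", "2.33.5",
                       "2.34.5", "2.35.5", "2.36.3", "2.37.4"],
    "CVE-2022-39260": ["2.30.6", "2.31.5", "2.32.4", "2.33.5",
                       "2.34.5", "2.35.5", "2.36.3", "2.37.4"],
}


def parse_version(text):
    """Return (major, minor, patch) from 'git version 2.39.1', '2.30.5', etc."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def status_for(installed, fixed_list):
    """Classify one version against one CVE's fixed-version list.

    'fixed'      - on a listed maintenance line at or above its first fixed
                   release, or at/above the version this errata ships
    'vulnerable' - on a listed line below its fix, or on a line older than
                   every listed one (those lines received no backport)
    'unknown'    - on a line newer than every listed one but below the
                   errata version; the advisory text cannot decide this
    """
    v = parse_version(installed)
    fixed = sorted(parse_version(f) for f in fixed_list)
    if v >= parse_version(ERRATA_VERSION):
        return "fixed"
    same_line = [f for f in fixed if f[:2] == v[:2]]
    if same_line:
        return "fixed" if v >= same_line[0] else "vulnerable"
    if v[:2] < fixed[0][:2]:
        return "vulnerable"
    return "unknown"


def assess(installed):
    """Map every CVE in this errata that has a version list to its status."""
    return {cve: status_for(installed, fixed)
            for cve, fixed in FIXED_VERSIONS.items()}


def local_git_version():
    """Read the version of the git binary on PATH, or None if there is none."""
    try:
        out = subprocess.run(["git", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip()


if __name__ == "__main__":
    # Constructed sample strings, followed by the local git if one is installed.
    samples = ["git version 2.30.4", "git version 2.30.5",
               "git version 2.38.0", "git version 2.39.1"]
    local = local_git_version()
    if local:
        samples.append(local)
    for s in samples:
        print(f"{s}: {assess(s)}")
```

Feed it the output of `git --version` from each host (or a version inventory) and treat any "vulnerable" or "unknown" result as a host to upgrade to the package this errata provides.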

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. git-2.39.1-1.el8.src.rpm
    MD5: 5a4a3aaed962b8b5f733d3a7ab65e515
    SHA-256: 4199cc922cc118c5b64749acc0d3f4cc638ee4ff904c6b78cb18a3ac98d118e2
    Size: 6.92 MB

Asianux Server 8 for x86_64
  1. git-2.39.1-1.el8.x86_64.rpm
    MD5: 8a06942f8c6cdfee0521538161df5c71
    SHA-256: 3ec9cc07e1ea985858ad82d99c3a8cba7de2012aeb3f1beac2b7abe4a16bd1be
    Size: 102.59 kB
  2. git-all-2.39.1-1.el8.noarch.rpm
    MD5: ab0e865b01e2c235db2ae58ef473933f
    SHA-256: cf0ea5fef9d61b7deabb2b7fdbbb0ef17fe5c0c3f785e83a467679dff2036bbb
    Size: 47.59 kB
  3. git-core-2.39.1-1.el8.x86_64.rpm
    MD5: c31e496983913894e2670fbcbe878ee5
    SHA-256: 960af5ee2d6b9b3193c59236b5b1940280da46cb41844874356657bc2ce3d533
    Size: 10.42 MB
  4. git-core-doc-2.39.1-1.el8.noarch.rpm
    MD5: 93ff433fd3526fc311e7128b8c99d532
    SHA-256: 684aad26b846f1d9e8622a31e110d59f8742e0d8f1835622552ef996c8df12ce
    Size: 2.98 MB
  5. git-credential-libsecret-2.39.1-1.el8.x86_64.rpm
    MD5: 1f8063022ed36fb604af34f59869a9c7
    SHA-256: 0c67ec3e919e1af3430adcb0af55100d136825519c8a6802c69efa87d287489a
    Size: 54.11 kB
  6. git-daemon-2.39.1-1.el8.x86_64.rpm
    MD5: d9dd44e46d35f5ac20abba2ac92eae29
    SHA-256: 323365be4d53de2622b2acca6fa1c80d9add6b52d27014e3dcea8beb88ae2807
    Size: 1.01 MB
  7. git-email-2.39.1-1.el8.noarch.rpm
    MD5: 69d41d9a0971ef40a16def54cf5b021e
    SHA-256: cbc5bacb23c63fe20cd25fa3963b19761f79e123ca43dc54e54e808353907aa8
    Size: 91.94 kB
  8. git-gui-2.39.1-1.el8.noarch.rpm
    MD5: d158ae606c50df1be00eeed8ad3fa589
    SHA-256: 68a4611252cd907fe23d572e379d918bd556c37b6fbd8a5ac9b25fb83d52ca6d
    Size: 305.75 kB
  9. git-instaweb-2.39.1-1.el8.noarch.rpm
    MD5: 69a10f5af9b2485205391eebd371efb2
    SHA-256: b37d0d00abe74e8324d729bf9cbe27077fe16b86bf8e4b3afa607eb7d34a7189
    Size: 62.53 kB
  10. gitk-2.39.1-1.el8.noarch.rpm
    MD5: a46fe37ee33d16ef42302294cfeb66ce
    SHA-256: 1ff736da1b99d91e8c95b0b8ae1cc6c1576272d80a92fdf47d4224742d53c2c2
    Size: 208.17 kB
  11. git-subtree-2.39.1-1.el8.x86_64.rpm
    MD5: f10d37063331c5f412d18ed5080d75f9
    SHA-256: afa89848ff2956388e46acfce19567981a0763a4c13435709690fe411fc17f44
    Size: 72.23 kB
  12. git-svn-2.39.1-1.el8.noarch.rpm
    MD5: 4fda4d70a1ba83ab761c98e100191e3a
    SHA-256: 64b7c2d569c8f40c31e0455e7caf227d2bf7e355c200ca3fd7ba7508b5b303d9
    Size: 110.05 kB
  13. gitweb-2.39.1-1.el8.noarch.rpm
    MD5: e5e651b746c625ea5d017872004118bd
    SHA-256: 6a29f5384bbd0bcf91acfdede568243d123d86b3641af0df292bf3cefa4aa3ec
    Size: 189.25 kB
  14. perl-Git-2.39.1-1.el8.noarch.rpm
    MD5: 3ffbaf02584811e5f60665ecf37b2e1b
    SHA-256: 88fef7b055147947e29ae7e6f47c1e36b4a2119a7829255a1acefa14dc723549
    Size: 77.40 kB
  15. perl-Git-SVN-2.39.1-1.el8.noarch.rpm
    MD5: 616bba913ab336f7894a21580a25e265
    SHA-256: 77fa449463c5d227f704a3440925867b24f61c68eae8dbc53b5d847e3c191f79
    Size: 94.12 kB