git-2.39.3-1.el9
Errata ID: AXSA:2023-5963:09
Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Security Fix(es):
* git: by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (CVE-2023-25652)
* git: arbitrary configuration injection when renaming or deleting a section from a configuration file (CVE-2023-29007)
* git: data exfiltration with maliciously crafted repository (CVE-2023-22490)
* git: git apply: a path outside the working tree can be overwritten with crafted input (CVE-2023-23946)
* git: malicious placement of crafted messages when git was compiled with runtime prefix (CVE-2023-25815)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2023-22490
Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs.
CVE-2023-23946
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
CVE-2023-25652
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists.
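The two `git apply` workarounds above (inspect the patch; do not apply one that creates a symlink and then writes beneath it; with `--reject`, do not apply one whose `*.rej` name is already a symlink) can be turned into a pre-flight check. The following is an added example written for this page, not code from the advisory, from Asianux or from the Git project; it parses the patch text on its own rather than calling `git apply --stat`, and the function names, the sample patch and its placeholder index hashes are constructed here.

```python
"""Pre-flight check for a patch before `git apply`.

Added example, not part of this advisory or of Git itself. It turns the
workaround quoted above ("inspect a patch before applying; avoid applying
one that creates a symbolic link and then creates a file beyond the
symbolic link") into a static check over the patch text, and adds the
`*.rej` check that matters for `git apply --reject`. Function names,
the symlink-mode constant and the sample patch are constructed here.
"""
from __future__ import annotations

import os
import posixpath
import re
from dataclasses import dataclass

SYMLINK_MODE = "120000"  # git's tree-entry mode for a symbolic link


@dataclass
class FileChange:
    path: str              # destination path (the `b/` side of the header)
    is_symlink: bool = False


def parse_patch(text: str) -> list[FileChange]:
    """Pull the touched paths out of a git-style patch.

    Only the extended headers matter here: `diff --git a/X b/Y`,
    `new file mode 120000` and `index <old>..<new> 120000`.
    """
    changes: list[FileChange] = []
    current: FileChange | None = None
    for line in text.splitlines():
        m = re.match(r"^diff --git a/(.+?) b/(.+)$", line)
        if m:
            current = FileChange(path=m.group(2))
            changes.append(current)
            continue
        if current is None:
            continue
        if line == f"new file mode {SYMLINK_MODE}":
            current.is_symlink = True
        m = re.match(r"^index [0-9a-f]+\.\.[0-9a-f]+ (\d{6})$", line)
        if m and m.group(1) == SYMLINK_MODE:
            current.is_symlink = True
    return changes


def escapes_tree(path: str) -> bool:
    """True for absolute paths or paths that climb above the working tree."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")


def check_patch(text: str, worktree: str | None = None) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged.

    `worktree`, when given, enables the `*.rej` check: if the rejected-hunk
    file name already exists as a symlink, `--reject` would write through it.
    """
    findings: list[str] = []
    symlinks_created: list[str] = []
    for change in parse_patch(text):
        if escapes_tree(change.path):
            findings.append(f"{change.path}: path escapes the working tree")
        for link in symlinks_created:
            if change.path.startswith(link + "/"):
                findings.append(
                    f"{change.path}: written beneath symlink {link!r} "
                    "created earlier in the same patch"
                )
        if change.is_symlink:
            symlinks_created.append(change.path)
        if worktree is not None:
            rej = os.path.join(worktree, change.path + ".rej")
            if os.path.islink(rej):
                findings.append(f"{rej}: existing symlink where --reject would write")
    return findings


# Constructed sample: a symlink is created, then a file is written beneath it.
SAMPLE_PATCH = """\
diff --git a/link b/link
new file mode 120000
index 0000000..1111111
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+target-dir
\\ No newline at end of file
diff --git a/link/inner.txt b/link/inner.txt
new file mode 100644
index 0000000..2222222
--- /dev/null
+++ b/link/inner.txt
@@ -0,0 +1 @@
+hello
"""

if __name__ == "__main__":
    for finding in check_patch(SAMPLE_PATCH) or ["no findings"]:
        print(finding)
```

Run it against a saved patch with `check_patch(open("x.patch").read(), worktree=".")` before applying; any finding is a reason to read the patch by hand. The check is deliberately conservative: it looks only at patch headers and the current working tree, so a patched Git version remains the real fix.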
CVE-2023-25815
In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1. This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\`.
CVE-2023-29007
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.
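Both the CVE-2023-22490 workaround (inspect each new `.gitmodules` for suspicious URLs before `git submodule update`) and the CVE-2023-29007 workaround (inspect the submodule sections of `$GIT_DIR/config` before `git submodule deinit`) come down to reading a git-config-style file and looking at the submodule entries. The following is an added example written for this page, not code from the advisory or from the Git project: a small reader for that syntax that flags URLs over the 1024-character length named in the CVE text, surfaces URLs without an ordinary remote transport for manual review, and reports submodule paths that leave the working tree. The parser, the scheme allow-list and the sample file are constructed here.

```python
"""Inspect `.gitmodules` (or the `[submodule]` sections of `$GIT_DIR/config`)
before running `git submodule update` or `git submodule deinit`.

Added example, not part of this advisory or of Git. It applies the
workarounds quoted above: submodule URLs longer than 1024 characters (the
trigger named for CVE-2023-29007) are flagged, URLs without an ordinary
remote transport are surfaced for manual review before recursing, and
submodule paths that leave the working tree are reported. The parser, the
scheme allow-list and the sample file are constructed for this example.
"""
from __future__ import annotations

import re

URL_LENGTH_LIMIT = 1024                            # length named in the CVE text
REMOTE_SCHEMES = {"https", "http", "ssh", "git"}   # assumption: treated as ordinary here

SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"((?:[^"\\]|\\.)*)")?\]\s*$')
KEY_RE = re.compile(r'^([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')


def parse_git_config(text: str) -> dict[tuple[str, str | None], dict[str, str]]:
    """Minimal reader for git's config syntax: {(section, subsection): {key: value}}."""
    result: dict[tuple[str, str | None], dict[str, str]] = {}
    current: tuple[str, str | None] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank lines and comments
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2))
            result.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            result[current][m.group(1).lower()] = m.group(2)
    return result


def transport_of(url: str) -> str:
    """Classify a git URL: explicit scheme, scp-like `user@host:path`, or local."""
    if "://" in url:
        return url.split("://", 1)[0].lower()
    if re.match(r"^[^/]+:", url):              # scp-like syntax goes over ssh
        return "ssh"
    return "local"


def submodule_findings(text: str) -> list[str]:
    """Return findings for the submodule sections of a git-config-style file."""
    findings: list[str] = []
    for (section, name), keys in parse_git_config(text).items():
        if section != "submodule":
            continue
        label = name if name is not None else "<unnamed>"
        url = keys.get("url", "")
        path = keys.get("path", "")
        if len(url) > URL_LENGTH_LIMIT:
            findings.append(f"{label}: url is {len(url)} chars, over the {URL_LENGTH_LIMIT}-char limit")
        if url and transport_of(url) not in REMOTE_SCHEMES:
            findings.append(f"{label}: url {url!r} has no remote transport scheme; review before recursing")
        if path.startswith("/") or ".." in path.split("/"):
            findings.append(f"{label}: path {path!r} leaves the working tree")
    return findings


# Constructed sample .gitmodules: two ordinary entries, one over-long URL,
# and one entry pointing at a local path.
SAMPLE_GITMODULES = (
    '[submodule "vendor/lib"]\n'
    '\tpath = vendor/lib\n'
    '\turl = https://example.com/org/lib.git\n'
    '[submodule "tools"]\n'
    '\tpath = tools\n'
    '\turl = git@example.com:org/tools.git\n'
    '[submodule "suspect"]\n'
    '\tpath = suspect\n'
    '\turl = https://example.com/' + "a" * 1100 + '\n'
    '[submodule "local"]\n'
    '\tpath = local\n'
    '\turl = /srv/git/other.git\n'
)

if __name__ == "__main__":
    for finding in submodule_findings(SAMPLE_GITMODULES) or ["no findings"]:
        print(finding)
```

Feed it the contents of `.gitmodules` after a non-recursive clone, and `$GIT_DIR/config` before `git submodule deinit`. A relative URL such as `../sibling.git` is legitimate in many projects and will be surfaced as "no remote transport scheme"; that is intentional, since the advisory asks for those entries to be reviewed rather than trusted, and the list is a prompt for a human decision, not a verdict.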
Update packages.
N/A
SRPMS
- git-2.39.3-1.el9.src.rpm
MD5: 925192c88d2f757a0b35cbe065176cec
SHA-256: c7ceff10a8142659a586f45534400d1016ab37737f9034ed4554fd1032ce8631
Size: 6.88 MB
Asianux Server 9 for x86_64
- git-2.39.3-1.el9.x86_64.rpm
MD5: 83ffc16eb6585548d9a55020740d4658
SHA-256: d9ff68510f6b7a765876eabfec8c34a385b18dfd7727954fdcd79b455d7c9e42
Size: 61.04 kB
- git-all-2.39.3-1.el9.noarch.rpm
MD5: 722b31c5c463509e8db3946de1bb5d87
SHA-256: a85e77133dc7ccaf27c7ad2289f241468ac593d6d59b6d2118002915da895d90
Size: 7.50 kB
- git-core-2.39.3-1.el9.x86_64.rpm
MD5: 9f57c40c0f609832fbe3f46d2d07151d
SHA-256: ea5ae9588262e6e0423d435a3ad9e27bc487326b862d25905a1a2e3749743682
Size: 4.23 MB
- git-core-doc-2.39.3-1.el9.noarch.rpm
MD5: 2f65910087d8adca6716d544fff53942
SHA-256: 6f2c4d85bf232a090e76a6cda0d14ed07dd81965ce35b0b111836621b84d6945
Size: 2.59 MB
- git-credential-libsecret-2.39.3-1.el9.x86_64.rpm
MD5: a81e85c46d50b9103af7d036978a11d7
SHA-256: 67915e2843370c415b05aa1d2582bac9389199e5b8ca95684a4f3c598a9eda5e
Size: 13.77 kB
- git-daemon-2.39.3-1.el9.x86_64.rpm
MD5: 048b3feca67fc402046cda281b458c90
SHA-256: 7e687e3922d5329704e7f0eca11885a80c7e249909075748785fc7ca4887304b
Size: 315.01 kB
- git-email-2.39.3-1.el9.noarch.rpm
MD5: 0e50fddc3fb82fa8fac0100a01522712
SHA-256: 7a288f3d6c0d6b179c030a26b2abd3128e1cf8379f6d88a3faa79b1974c29781
Size: 52.70 kB
- git-gui-2.39.3-1.el9.noarch.rpm
MD5: fe28a3b6d40c73f5e99b09aa443c17d6
SHA-256: 9d7b6b690f75bb6565ee1cd1f535227ba0764bcab755df3aeb33ea72e0f34755
Size: 242.37 kB
- git-instaweb-2.39.3-1.el9.noarch.rpm
MD5: 1ea414c208ce6511d24629f534e07c8e
SHA-256: 49ddfcbb8ed96d21d1872aad45b2e6fbef480548e9c4a8f867aaf2d4368aad41
Size: 24.90 kB
- gitk-2.39.3-1.el9.noarch.rpm
MD5: 100b2bcbdeaf20c1246440423e006e56
SHA-256: 708e3780139dd54db42307f4d326d84c3fc58dabdd1882a4b2439b5d702d27d2
Size: 156.66 kB
- git-subtree-2.39.3-1.el9.x86_64.rpm
MD5: b844e88c627916b9b3df47ccfbd1a4d7
SHA-256: 1d80958e3a5890d430c7fcd4da7ffbbfa05c827f535bb6559931b83ebbc7846d
Size: 34.01 kB
- git-svn-2.39.3-1.el9.noarch.rpm
MD5: 496d577b5ccf8742043834eaa3cfab71
SHA-256: 8005051a962eee738ff648f283ffe86d66ea6b4224eaaaeec773626866b8c977
Size: 69.26 kB
- gitweb-2.39.3-1.el9.noarch.rpm
MD5: db5059fd1909506e8751f8e71dca2aec
SHA-256: 60ff00425837be659bc1309d3ea72ada9164347744b3b51662310d3c11285505
Size: 142.89 kB
- perl-Git-2.39.3-1.el9.noarch.rpm
MD5: 3d3c5cf7211af4fa2a23798aad287de6
SHA-256: 4b132de025f7ed13e59337417d46fd4b85cb4d3ebe9410327c869b3cdb4b706b
Size: 37.08 kB
- perl-Git-SVN-2.39.3-1.el9.noarch.rpm
MD5: 6b12731ab4822e7c75733a702358ce17
SHA-256: dcc24a113962985ba8ae98726f19ceeb02613021dbbda9e156d820704b2948ed
Size: 51.68 kB