
=====================================================================

                               CERT-Renater

                    Note d'Information No. 2023/VULN072

_____________________________________________________________________

DATE                : 15/02/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Git versions prior to 2.39.2.

=====================================================================
https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh
https://github.com/git/git/security/advisories/GHSA-gw92-x3fm-3g3q
https://lore.kernel.org/git/xmqqr0us5dio.fsf@gitster.g/T/
_____________________________________________________________________


"git apply" overwriting paths outside the working tree

High

ttaylorr published GHSA-r87m-v37r-cwfh

Package
No package listed

Affected versions
<= v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, 
v2.32.5, v2.31.6, v2.30.7

Patched versions
>= v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, 
v2.32.6, v2.31.7, v2.30.8


Description

Impact

By feeding specially crafted input to git apply, a path outside the 
working tree can be overwritten as the user who is running git apply.


Patches

A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, 
v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 and v2.30.8.


Workarounds

Use git apply --stat to inspect a patch before applying; avoid applying 
one that creates a symbolic link and then creates a file beyond the 
symbolic link.
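As an added example (not part of the CERT-Renater note, the GitHub advisory or Git itself), the following POSIX shell check flags the pattern the workaround describes before a patch reaches "git apply": it reads only the "diff --git" and "new file mode" headers of a unified diff and reports any path that lies below a symbolic link the same patch creates. The sample patch it writes is constructed for the demonstration; the symlink target is irrelevant to the check.

```shell
#!/bin/sh
# Pre-apply check for the CVE-2023-23946 workaround pattern: a patch that
# creates a symbolic link and also touches a path below that link.
# Only the "diff --git" and "new file mode" header lines are parsed.
# Exit status 1 = suspicious path found, 0 = nothing found.
check_patch_symlink_paths() {
    awk '
        /^diff --git / {
            # "diff --git a/path b/path": keep the b/ side without its prefix
            cur = $NF; sub(/^b\//, "", cur); paths[++n] = cur
        }
        /^new file mode 120000/ { symlinks[cur] = 1 }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (s in symlinks)
                    if (index(paths[i], s "/") == 1) {
                        print "SUSPICIOUS: " paths[i] " lies below new symlink " s
                        bad = 1
                    }
            exit bad
        }
    ' "$1"
}

# Constructed sample patch (not taken from the advisory): a new symlink
# "build/out" pointing at a sibling directory, then a file created below it.
write_sample_patch() {
    cat > "$1" <<'EOF'
diff --git a/build/out b/build/out
new file mode 120000
index 0000000..1111111
--- /dev/null
+++ b/build/out
@@ -0,0 +1 @@
+../cache
\ No newline at end of file
diff --git a/build/out/notes.txt b/build/out/notes.txt
new file mode 100644
index 0000000..2222222
--- /dev/null
+++ b/build/out/notes.txt
@@ -0,0 +1 @@
+hello
EOF
}

# Usage: write_sample_patch /tmp/sample.patch && check_patch_symlink_paths /tmp/sample.patch
```

The check is deliberately order-independent, so it also reports a file that appears before the symlink in the patch.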


Credits

Credit for finding the vulnerability goes to Joern Schneeweisz of 
GitLab. The patch was authored by Patrick Steinhardt of GitLab.


Severity
High

CVE ID
CVE-2023-23946

Weaknesses
No CWEs


Credits

@joernchen joernchen
_____________________________________________________________________


Local clone-based data exfiltration with non-local transports
Moderate
ttaylorr published GHSA-gw92-x3fm-3g3q

Package
No package listed

Affected versions
<= v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, 
v2.32.5, v2.31.6, v2.30.7

Patched versions
>= v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, 
v2.32.6, v2.31.7, v2.30.8


Description

Impact

Using a specially crafted repository, Git can be tricked into using its 
local clone optimization even when using a non-local transport. Though 
Git will abort local clones whose source $GIT_DIR/objects directory 
contains symbolic links (cf. CVE-2022-39253), the objects directory 
itself may still be a symbolic link.

These two may be combined to include arbitrary files based on known 
paths on the victim's filesystem within the malicious repository's 
working copy, allowing for data exfiltration in a similar manner as 
CVE-2022-39253.


Patches

A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, 
v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 and v2.30.8.


Workarounds

The most complete workaround is upgrading to the most recent patched 
version published.

If doing so is impractical, then there are a couple of short-term 
workarounds.

  * Avoid cloning repositories from untrusted sources with 
    --recurse-submodules.
  * Instead, consider cloning repositories without recursively cloning 
    their submodules, and instead run git submodule update at each 
    layer. Before doing so, inspect each new .gitmodules file to ensure 
    that it does not contain suspicious module URLs.


Credits

Credit for finding the vulnerability goes to yvvdwf.


Severity
Moderate

CVE ID
CVE-2023-22490

Weaknesses
No CWEs


Credits

@yvvdwf yvvdwf
_____________________________________________________________________


A maintenance release Git v2.39.2, together with releases for older
maintenance tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7,
v2.33.7, v2.32.6, v2.31.7, and v2.30.8, are now available at the
usual places.

These maintenance releases are to address two security issues
identified as CVE-2023-22490 and CVE-2023-23946.  They both affect
ranges of existing versions and users are strongly encouraged to
upgrade.

The tarballs are found at:

     https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of the 'v2.39.2'
tag, as well as the tags for older maintenance tracks listed above.

   url = https://git.kernel.org/pub/scm/git/git
   url = https://kernel.googlesource.com/pub/scm/git/git
   url = git://repo.or.cz/alt-git.git
   url = https://github.com/gitster/git

The addressed issues are:

  * CVE-2023-22490:

    Using a specially-crafted repository, Git can be tricked into
    using its local clone optimization even when using a non-local
    transport. Though Git will abort local clones whose source
    $GIT_DIR/objects directory contains symbolic links (cf.
    CVE-2022-39253), the objects directory itself may still be a
    symbolic link.

    These two may be combined to include arbitrary files based on
    known paths on the victim's filesystem within the malicious
    repository's working copy, allowing for data exfiltration in a
    similar manner as CVE-2022-39253.

  * CVE-2023-23946:

    By feeding a crafted input to "git apply", a path outside the
    working tree can be overwritten as the user who is running "git
    apply".

Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was
developed by Taylor Blau, with additional help from others on the
Git security mailing list.

Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the fix 
was developed by Patrick Steinhardt.

Johannes Schindelin helped greatly in packaging the whole thing and 
proofreading the result.


Thanks.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

