===================================================================
CERT-Renater Note d'Information No. 2023/VULN176
_____________________________________________________________________
DATE : 26/04/2023
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Git versions prior to 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, 2.40.1.
===================================================================
https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844
https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx
_____________________________________________________________________

Arbitrary configuration injection via `git submodule deinit`
Severity: High
ttaylorr published GHSA-v48j-4xgg-4844

Package          : git (-)
Affected versions: <= v2.30.8, v2.31.7, v2.32.6, v2.33.7, v2.34.7, v2.35.7, v2.36.5, v2.37.6, v2.38.4, v2.39.2 and v2.40.0
Patched versions : >= v2.30.9, v2.31.8, v2.32.7, v2.33.8, v2.34.8, v2.35.8, v2.36.6, v2.37.7, v2.38.5, v2.39.3 and v2.40.1

Description

Impact
A bug in the function responsible for renaming or deleting existing configuration sections in-place, git_config_copy_or_rename_section_in_file(), can result in improperly treating configuration values as the beginning of new sections when they are over 1,024 characters long. This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to rename or remove a malicious configuration section. This can result in arbitrary execution of code, by inserting values for core.pager, core.editor, core.sshCommand and so on.

This may be exploited with overly-long submodule URLs, which are stored in a user's $GIT_DIR/config upon initialization. Those URLs may be misinterpreted as containing new configuration material when removing those sections, e.g., with git submodule deinit.

Patches
A fix has been prepared and will appear in v2.30.9, v2.31.8, v2.32.7, v2.33.8, v2.34.8, v2.35.8, v2.36.6, v2.37.7, v2.38.5, v2.39.3 and v2.40.1.
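The advisory names two concrete facts a defender can check before touching a repository's configuration: the 1,024-character value length at which the buggy section-rewriting code goes wrong, and the list of patched Git releases. The following inspection script is an added example, not part of the CERT-Renater note or of Git itself; it reads a $GIT_DIR/config-style file, reports any value longer than that limit (the sample config with an over-long submodule URL is constructed here), and compares a Git version string against the patched release of its minor line (the treatment of later lines as patched is an assumption of the script).

```python
import re

# Patched versions named in the advisory, one per maintained release line.
PATCHED = ["2.30.9", "2.31.8", "2.32.7", "2.33.8", "2.34.8", "2.35.8",
           "2.36.6", "2.37.7", "2.38.5", "2.39.3", "2.40.1"]
# Value length above which the advisory says a value may be misread as a section.
LIMIT = 1024

SECTION_RE = re.compile(r'^\s*\[([^\]]+)\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')


def parse_git_config(text):
    """Return (section, key, value) triples from git-config style text.
    Handles '[section]' and '[section "subsection"]' headers and '#'/';'
    comments; quoting and line continuation are not handled (an inspection
    only needs the raw value length)."""
    entries, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            entries.append((section, m.group(1), m.group(2).strip()))
    return entries


def overlong_values(text, limit=LIMIT):
    """(section, key, length) for every value longer than `limit` characters."""
    return [(s, k, len(v)) for s, k, v in parse_git_config(text) if len(v) > limit]


def is_patched(version):
    """True if `version` (e.g. '2.39.3') is at or above the patched release of
    its minor line. Assumption: lines after 2.40 are treated as patched."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    for p in PATCHED:
        pm, pn, pp = (int(x) for x in p.split("."))
        if (pm, pn) == (major, minor):
            return patch >= pp
    return (major, minor) > (2, 40)


# Constructed sample: one ordinary submodule entry and one with a 1,100-char URL.
SAMPLE = ('[submodule "lib"]\n\turl = https://example.com/lib.git\n'
          '[submodule "evil"]\n\turl = https://example.com/' + "A" * 1100 + "\n")
```

Run `overlong_values(open(".git/config").read())` on a freshly cloned repository; any hit is a reason to stop before `git submodule deinit` or `git config --remove-section` on an unpatched Git.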
Workarounds
Avoid running git submodule deinit, or git config --rename-section or git config --remove-section on untrusted repositories or without prior inspection of your $GIT_DIR/config.

Acknowledgements
Credit for finding this vulnerability goes to André Baptista and Vítor Pinho of Ethiack. The fix was developed by Taylor Blau, Jeff King, Patrick Steinhardt, and Johannes Schindelin.

Severity: High, 7.0 / 10
CVSS base metrics
  Attack vector       : Local
  Attack complexity   : High
  Privileges required : None
  User interaction    : Required
  Scope               : Unchanged
  Confidentiality     : High
  Integrity           : High
  Availability        : High
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID     : CVE-2023-29007
Weaknesses : No CWEs
Credits
  0xacb (@0xacb)       : Reporter
  vgpinho (@vgpinho)   : Reporter
  ttaylorr (@ttaylorr) : Remediation developer
  peff (@peff)         : Remediation reviewer
  dscho (@dscho)       : Remediation reviewer
_____________________________________________________________________

"git apply --reject" partially-controlled arbitrary file write
Severity: Moderate
ttaylorr published GHSA-2hvf-7c8p-28fx

Package          : git (-)
Affected versions: <= 2.30.8, .., v2.40.0
Patched versions : v2.30.9, v2.31.8, v2.32.7, v2.33.8, v2.34.8, v2.35.8, v2.36.6, v2.37.7, v2.38.5, v2.39.3 and v2.40.1

Description

Impact
By feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch).

Patches
A fix has been prepared and will appear in v2.30.9, v2.31.8, v2.32.7, v2.33.8, v2.34.8, v2.35.8, v2.36.6, v2.37.7, v2.38.5, v2.39.3 and v2.40.1.

Workarounds
Avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the *.rej file exists.
Severity   : Moderate
CVE ID     : CVE-2023-25652
Weaknesses : No CWEs
Credits
  Ry0taK (@Ry0taK)

========================================================+
+ CERT-RENATER       | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41             +
+ 75013 Paris        | email : cert@support.renater.fr  +
========================================================+