From: <rsbecker@nexbridge.com>
To: "'Junio C Hamano'" <gitster@pobox.com>, <git@vger.kernel.org>
Cc: "'Linux Kernel'" <linux-kernel@vger.kernel.org>,
	<git-packagers@googlegroups.com>,
	<oss-security@lists.openwall.com>,
	<git-security@googlegroups.com>
Subject: RE: [Announce] Git 2.39.2 and friends
Date: Tue, 14 Feb 2023 13:42:52 -0500
Message-ID: <004a01d940a4$289e56a0$79db03e0$@nexbridge.com>
In-Reply-To: <xmqqr0us5dio.fsf@gitster.g>

On February 14, 2023 1:05 PM, Junio C Hamano wrote:
>A maintenance release Git v2.39.2, together with releases for older
>maintenance tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7,
>v2.32.6, v2.31.7, and v2.30.8, are now available at the usual places.
>
>These maintenance releases are to address two security issues identified
>as CVE-2023-22490 and CVE-2023-23946.  They both affect ranges of existing
>versions and users are strongly encouraged to upgrade.
>
>The tarballs are found at:
>
>    https://www.kernel.org/pub/software/scm/git/
>
>The following public repositories all have a copy of the 'v2.39.2'
>tag, as well as the tags for older maintenance tracks listed above.
>
>  url = https://git.kernel.org/pub/scm/git/git
>  url = https://kernel.googlesource.com/pub/scm/git/git
>  url = git://repo.or.cz/alt-git.git
>  url = https://github.com/gitster/git
>
>The addressed issues are:
>
> * CVE-2023-22490:
>
>   Using a specially-crafted repository, Git can be tricked into using
>   its local clone optimization even when using a non-local transport.
>   Though Git will abort local clones whose source $GIT_DIR/objects
>   directory contains symbolic links (c.f., CVE-2022-39253), the objects
>   directory itself may still be a symbolic link.
>
>   These two may be combined to include arbitrary files based on known
>   paths on the victim's filesystem within the malicious repository's
>   working copy, allowing for data exfiltration in a similar manner as
>   CVE-2022-39253.
>
> * CVE-2023-23946:
>
>   By feeding a crafted input to "git apply", a path outside the
>   working tree can be overwritten as the user who is running "git
>   apply".
>
>Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was
>developed by Taylor Blau, with additional help from others on the Git
>security mailing list.
>
>Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the fix
>was developed by Patrick Steinhardt.
>
>Johannes Schindelin helped greatly in packaging the whole thing and
>proofreading the result.

NonStop build/test/package cycle has started for 2.39.2. If anyone needs one
of the friends built for this platform, please let me know.
--Randall
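The following is an added example, not part of Randall's reply or the Git project's own tooling. It turns the quoted announcement into two checks a packager or administrator would want: whether a `git --version` string falls at or above the fixed patch level of its 2.x maintenance track (the table is taken from the release list above), and whether a repository's `$GIT_DIR/objects` is a symbolic link, the condition the CVE-2023-22490 description calls out. The status labels and the assumption that tracks newer than 2.39 already carry the fixes are the example's own; versions on tracks older than 2.30, for which no fixed release is listed, are reported separately rather than guessed at.

```python
import os
import re
import tempfile
from typing import Optional, Tuple

# Minimum patch level per 2.x maintenance track that contains the fixes for
# CVE-2023-22490 and CVE-2023-23946, copied from the announcement's release list.
FIXED_PATCH_BY_MINOR = {
    39: 2, 38: 4, 37: 6, 36: 5, 35: 7,
    34: 7, 33: 7, 32: 6, 31: 7, 30: 8,
}

# Matches the first dotted triple in strings such as "git version 2.39.2",
# "git version 2.39.2.windows.1" or "git version 2.37.1 (Apple Git-137.1)".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_git_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `git --version` output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fix_status(text: str) -> str:
    """Classify a version string against the fixed releases.

    Returns one of (labels chosen for this example):
      'fixed'             - at or above the fixed patch level of its track
      'vulnerable'        - on a listed track but below the fixed patch level
      'unsupported-track' - older than 2.30; no fixed release is listed for it
      'unparseable'       - no version number found in the input
    """
    v = parse_git_version(text)
    if v is None:
        return "unparseable"
    major, minor, patch = v
    # Assumption: anything newer than the 2.39 track was cut after these fixes.
    if major > 2 or (major == 2 and minor > 39):
        return "fixed"
    if major < 2 or minor < 30:
        return "unsupported-track"
    return "fixed" if patch >= FIXED_PATCH_BY_MINOR[minor] else "vulnerable"


def objects_dir_is_symlink(git_dir: str) -> bool:
    """True if $GIT_DIR/objects is itself a symbolic link (lstat, not stat)."""
    return os.path.islink(os.path.join(git_dir, "objects"))


def demo_symlink_check() -> Tuple[bool, bool]:
    """Build two constructed bare repositories in a temp dir and run the check.

    Returns (result for a normal objects dir, result for a symlinked one).
    """
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean.git")
        os.makedirs(os.path.join(clean, "objects"))
        suspect = os.path.join(tmp, "suspect.git")
        os.makedirs(suspect)
        # Constructed: objects entry points elsewhere instead of being a directory.
        os.symlink(tmp, os.path.join(suspect, "objects"))
        return objects_dir_is_symlink(clean), objects_dir_is_symlink(suspect)


if __name__ == "__main__":
    for sample in ("git version 2.39.1", "git version 2.39.2.windows.1",
                   "git version 2.30.7", "git version 2.29.2"):
        print(f"{sample!r}: {fix_status(sample)}")
    print("symlink check (clean, suspect):", demo_symlink_check())
```

In practice the version check runs over the output of `git --version` on each build host, and the symlink check over the `$GIT_DIR` of repositories that were fetched from untrusted sources; both are cheap enough to put in a package post-install hook or a CI pre-clone step.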

