From: <rsbecker@nexbridge.com>
To: "'Junio C Hamano'" <gitster@pobox.com>, <git@vger.kernel.org>
Cc: "'Linux Kernel'" <linux-kernel@vger.kernel.org>,
<git-packagers@googlegroups.com>,
<oss-security@lists.openwall.com>,
<git-security@googlegroups.com>
Subject: RE: [Announce] Git 2.39.2 and friends
Date: Tue, 14 Feb 2023 13:42:52 -0500 [thread overview]
Message-ID: <004a01d940a4$289e56a0$79db03e0$@nexbridge.com> (raw)
In-Reply-To: <xmqqr0us5dio.fsf@gitster.g>
On February 14, 2023 1:05 PM, Junio C Hamano wrote:
>A maintenance release Git v2.39.2, together with releases for older
maintenance
>tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6,
v2.31.7, and
>v2.30.8, are now available at the usual places.
>
>These maintenance releases are to address two security issues identified as
CVE-
>2023-22490 and CVE-2023-23946. They both affect ranges of existing
versions and
>users are strongly encouraged to upgrade.
>
>The tarballs are found at:
>
> https://www.kernel.org/pub/software/scm/git/
>
>The following public repositories all have a copy of the 'v2.39.2'
>tag, as well as the tags for older maintenance tracks listed above.
>
> url = https://git.kernel.org/pub/scm/git/git
> url = https://kernel.googlesource.com/pub/scm/git/git
> url = git://repo.or.cz/alt-git.git
> url = https://github.com/gitster/git
>
>The addressed issues are:
>
> * CVE-2023-22490:
>
> Using a specially-crafted repository, Git can be tricked into using
> its local clone optimization even when using a non-local transport.
> Though Git will abort local clones whose source $GIT_DIR/objects
> directory contains symbolic links (c.f., CVE-2022-39253), the objects
> directory itself may still be a symbolic link.
>
> These two may be combined to include arbitrary files based on known
> paths on the victim's filesystem within the malicious repository's
> working copy, allowing for data exfiltration in a similar manner as
> CVE-2022-39253.
>
> * CVE-2023-23946:
>
> By feeding a crafted input to "git apply", a path outside the
> working tree can be overwritten as the user who is running "git
> apply".
>
>Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was developed
by
>Taylor Blau, with additional help from others on the Git security mailing
list.
>
>Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the fix
was
>developed by Patrick Steinhardt.
>
>Johannes Schindelin helped greatly in packaging the whole thing and
proofreading
>the result.
NonStop build/test/package cycle has started for 2.39.2. If anyone needs one
of the friends built for this platform, please let me know.
--Randall
prev parent reply other threads:[~2023-02-14 18:53 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-14 18:05 [Announce] Git 2.39.2 and friends Junio C Hamano
2023-02-14 18:42 ` rsbecker [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='004a01d940a4$289e56a0$79db03e0$@nexbridge.com' \
--to=rsbecker@nexbridge.com \
--cc=git-packagers@googlegroups.com \
--cc=git-security@googlegroups.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=oss-security@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).