Debian Bug report logs - #1055853
jgit: CVE-2023-4759

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Sun, 12 Nov 2023 19:03:03 UTC

Severity: important

Tags: security, upstream



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1055853; Package src:jgit. (Sun, 12 Nov 2023 19:03:05 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 12 Nov 2023 19:03:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: jgit: CVE-2023-4759
Date: Sun, 12 Nov 2023 19:59:51 +0100
Source: jgit
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for jgit.

CVE-2023-4759[0]:
| Arbitrary File Overwrite in Eclipse JGit <= 6.6.0  In Eclipse JGit,
| all versions <= 6.6.0.202305301015-r, a symbolic link present in a
| specially crafted git repository can be used to write a file to
| locations outside the working tree when this repository is cloned
| with JGit to a case-insensitive filesystem, or when a checkout from
| a clone of such a repository is performed on a case-insensitive
| filesystem.  This can happen on checkout (DirCacheCheckout), merge
| (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using
| merge), and when applying a patch (PatchApplier). This can be
| exploited for remote code execution (RCE), for instance if the file
| written outside the working tree is a git filter that gets executed
| on a subsequent git command.  The issue occurs only on case-
| insensitive filesystems, like the default filesystems on Windows and
| macOS. The user performing the clone or checkout must have the
| rights to create symbolic links for the problem to occur, and
| symbolic links must be enabled in the git configuration.  Setting
| git configuration option core.symlinks = false before checking out
| avoids the problem.  The issue was fixed in Eclipse JGit version
| 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via  Maven
| Central https://repo1.maven.org/maven2/org/eclipse/jgit/  and
| repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-
| releases/ .   The JGit maintainers would like to thank RyotaK for
| finding and reporting this issue.

https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1 (v6.6.1.202309021850-r)
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4759
    https://www.cve.org/CVERecord?id=CVE-2023-4759

Please adjust the affected versions in the BTS as needed.
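The advisory quoted in the report names three conditions that must all hold for a JGit checkout to be exposed (an affected JGit version, symbolic links enabled in the git configuration, a case-insensitive filesystem) and names `core.symlinks = false` as the mitigation. The following Python script is an added example, not part of the bug report, of Debian's tooling or of JGit: it encodes those conditions as an audit a defender can run against a JGit version string and the text of a repository's `.git/config`. The version-string regex, the simplified config parser, the `case_insensitive_fs` flag and the sample config text are assumptions of this example; the version boundaries come from the advisory.

```python
import re
import sys

# Release boundaries taken from the advisory text above.
LAST_VULNERABLE = "6.6.0.202305301015-r"
FIXED_VERSIONS = ("6.6.1.202309021850-r", "6.7.0.202309050840-r")

# JGit release strings look like MAJOR.MINOR.PATCH.TIMESTAMP-r (an assumption
# of this example, based on the versions quoted in the advisory).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-r$")

# Values git's boolean parsing treats as false.
_GIT_FALSE = {"false", "no", "off", "0", ""}


def parse_jgit_version(version):
    """Turn '6.6.0.202305301015-r' into a tuple of ints that compares in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised JGit version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable_version(version):
    """True when the version is at or below the last affected release."""
    return parse_jgit_version(version) <= parse_jgit_version(LAST_VULNERABLE)


def parse_git_config(text):
    """Minimal parser for git's INI-like config; returns {(section, key): value}.

    Section names and keys are lower-cased (git treats them case-insensitively);
    a subsection such as [remote "origin"] becomes 'remote.origin'.  A key with
    no '=' is a boolean true, as in git.  Comment characters inside quoted
    values are not handled; that is a deliberate simplification for the example.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[([A-Za-z0-9-]+)(?:\s+"([^"]*)")?\]$', line)
        if m:
            section = m.group(1).lower()
            if m.group(2) is not None:
                section += "." + m.group(2)
            continue
        if section is None:
            continue
        key, sep, value = line.partition("=")
        entries[(section, key.strip().lower())] = value.strip() if sep else "true"
    return entries


def symlinks_disabled(config_text):
    """True when core.symlinks is explicitly set to a false value."""
    value = parse_git_config(config_text).get(("core", "symlinks"))
    return value is not None and value.lower() in _GIT_FALSE


def assess(jgit_version, config_text, case_insensitive_fs):
    """Classify exposure to CVE-2023-4759 from the three conditions in the advisory."""
    if not is_vulnerable_version(jgit_version):
        return "fixed"
    if symlinks_disabled(config_text):
        return "mitigated"
    if not case_insensitive_fs:
        return "unaffected-filesystem"
    return "exposed"


# Constructed sample of a .git/config with the mitigation applied.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = false
\tsymlinks = false
[remote "origin"]
\turl = https://example.invalid/repo.git
"""

if __name__ == "__main__":
    # Platform guess: Windows and macOS default to case-insensitive filesystems,
    # as the advisory notes, but a volume can be formatted otherwise, so treat
    # this flag as an assumption to verify on the machine being audited.
    ci_fs = sys.platform in ("win32", "darwin")
    version = sys.argv[1] if len(sys.argv) > 1 else LAST_VULNERABLE
    print(assess(version, SAMPLE_CONFIG, ci_fs))
```

Run it with the JGit version in use as the first argument and replace `SAMPLE_CONFIG` with the contents of the repository's `.git/config`; `assess` returns `fixed`, `mitigated`, `unaffected-filesystem` or `exposed`. The config parser is deliberately hand-written because Python's `configparser` treats git's tab-indented keys as continuation lines of the previous value.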



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 12 Nov 2023 19:33:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Nov 13 17:55:31 2023; Machine Name: bembo
