git: CVE-2023-25652 CVE-2023-25815 CVE-2023-29007


Debian Bug report logs - #1034835


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 25 Apr 2023 18:39:02 UTC

Severity: grave

Tags: security, upstream

Found in version git/1:2.40.0-1

Fixed in version git/1:2.40.1-1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Jonathan Nieder <jrnieder@gmail.com>:
Bug#1034835; Package src:git. (Tue, 25 Apr 2023 18:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Jonathan Nieder <jrnieder@gmail.com>. (Tue, 25 Apr 2023 18:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: git: CVE-2023-25652 CVE-2023-25815 CVE-2023-29007
Date: Tue, 25 Apr 2023 20:36:37 +0200
Source: git
Version: 1:2.40.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: fixed -1 1:2.40.1-1

Hi,

The following vulnerabilities were published for git. While they are
already fixed in unstable (so I am adding the fixed version as well),
they will affect bookworm, and it would be good if they were fixed
before the bookworm release.

CVE-2023-25652[0]:
| By feeding specially crafted input to `git apply --reject`, a
| path outside the working tree can be overwritten with partially
| controlled contents (corresponding to the rejected hunk(s) from
| the given patch).

CVE-2023-25815[1]:
| When Git is compiled with runtime prefix support and runs without
| translated messages, it still used the gettext machinery to
| display messages, which subsequently potentially looked for
| translated messages in unexpected places. This allowed for
| malicious placement of crafted messages.

CVE-2023-29007[2]:
| When renaming or deleting a section from a configuration file,
| certain malicious configuration values may be misinterpreted as
| the beginning of a new configuration section, leading to arbitrary
| configuration injection.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25652
    https://www.cve.org/CVERecord?id=CVE-2023-25652
[1] https://security-tracker.debian.org/tracker/CVE-2023-25815
    https://www.cve.org/CVERecord?id=CVE-2023-25815
[2] https://security-tracker.debian.org/tracker/CVE-2023-29007
    https://www.cve.org/CVERecord?id=CVE-2023-29007
[3] https://lore.kernel.org/lkml/xmqqa5yv3n93.fsf@gitster.g/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as fixed in versions git/1:2.40.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 25 Apr 2023 18:39:04 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 25 Apr 2023 18:48:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 25 Apr 2023 18:48:07 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1034835. (Tue, 25 Apr 2023 18:48:09 GMT)


Message #14 received at 1034835-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 1034835-submitter@bugs.debian.org
Subject: closing 1034835
Date: Tue, 25 Apr 2023 20:46:36 +0200
close 1034835 1:2.40.1-1
thanks






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 26 13:11:46 2023; Machine Name: buxtehude
