{"schema_version":"1.7.2","id":"OESA-2023-1120","modified":"2023-02-24T11:04:57Z","published":"2023-02-24T11:04:57Z","upstream":["CVE-2023-22490","CVE-2023-23946"],"summary":"git security update","details":"Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce, and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.\r\n\r\nSecurity Fix(es):\r\n\r\nGit is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs. (CVE-2023-22490)\r\n\r\nGit, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link. (CVE-2023-23946)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"git","purl":"pkg:rpm/openEuler/git\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.27.0-12.oe1"}]}],"ecosystem_specific":{"aarch64":["git-debugsource-2.27.0-12.oe1.aarch64.rpm","git-debuginfo-2.27.0-12.oe1.aarch64.rpm","git-daemon-2.27.0-12.oe1.aarch64.rpm","git-2.27.0-12.oe1.aarch64.rpm"],"noarch":["perl-Git-2.27.0-12.oe1.noarch.rpm","git-web-2.27.0-12.oe1.noarch.rpm","gitk-2.27.0-12.oe1.noarch.rpm","git-email-2.27.0-12.oe1.noarch.rpm","git-gui-2.27.0-12.oe1.noarch.rpm","git-help-2.27.0-12.oe1.noarch.rpm","git-svn-2.27.0-12.oe1.noarch.rpm","perl-Git-SVN-2.27.0-12.oe1.noarch.rpm"],"src":["git-2.27.0-12.oe1.src.rpm"],"x86_64":["git-debuginfo-2.27.0-12.oe1.x86_64.rpm","git-daemon-2.27.0-12.oe1.x86_64.rpm","git-debugsource-2.27.0-12.oe1.x86_64.rpm","git-2.27.0-12.oe1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP3","name":"git","purl":"pkg:rpm/openEuler/git\u0026distro=openEuler-20.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.27.0-15.oe1"}]}],"ecosystem_specific":{"aarch64":["git-2.27.0-15.oe1.aarch64.rpm","git-debugsource-2.27.0-15.oe1.aarch64.rpm","git-debuginfo-2.27.0-15.oe1.aarch64.rpm","git-daemon-2.27.0-15.oe1.aarch64.rpm"],"noarch":["git-svn-2.27.0-15.oe1.noarch.rpm","gitk-2.27.0-15.oe1.noarch.rpm","git-help-2.27.0-15.oe1.noarch.rpm","git-gui-2.27.0-15.oe1.noarch.rpm","git-email-2.27.0-15.oe1.noarch.rpm","git-web-2.27.0-15.oe1.noarch.rpm","perl-Git-SVN-2.27.0-15.oe1.noarch.rpm","perl-Git-2.27.0-15.oe1.noarch.rpm"],"src":["git-2.27.0-15.oe1.src.rpm"],"x86_64":["git-daemon-2.27.0-15.oe1.x86_64.rpm","git-debuginfo-2.27.0-15.oe1.x86_64.rpm","git-debugsource-2.27.0-15.oe1.x86_64.rpm","git-2.27.0-15.oe1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:22.03-LTS","name":"git","purl":"pkg:rpm/openEuler/git\u0026distro=openEuler-22.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.33.0-9.oe2203sp1"}]}],"ecosystem_specific":{"aarch64":["git-2.33.0-8.oe2203.aarch64.rpm","git-daemon-2.33.0-8.oe2203.aarch64.rpm","git-debuginfo-2.33.0-8.oe2203.aarch64.rpm","git-debugsource-2.33.0-8.oe2203.aarch64.rpm","git-debuginfo-2.33.0-9.oe2203sp1.aarch64.rpm","git-daemon-2.33.0-9.oe2203sp1.aarch64.rpm","git-core-2.33.0-9.oe2203sp1.aarch64.rpm","git-debugsource-2.33.0-9.oe2203sp1.aarch64.rpm","git-2.33.0-9.oe2203sp1.aarch64.rpm"],"noarch":["perl-Git-2.33.0-8.oe2203.noarch.rpm","git-gui-2.33.0-8.oe2203.noarch.rpm","git-svn-2.33.0-8.oe2203.noarch.rpm","perl-Git-SVN-2.33.0-8.oe2203.noarch.rpm","gitk-2.33.0-8.oe2203.noarch.rpm","git-help-2.33.0-8.oe2203.noarch.rpm","git-web-2.33.0-8.oe2203.noarch.rpm","git-email-2.33.0-8.oe2203.noarch.rpm","git-help-2.33.0-9.oe2203sp1.noarch.rpm","gitk-2.33.0-9.oe2203sp1.noarch.rpm","git-gui-2.33.0-9.oe2203sp1.noarch.rpm","perl-Git-2.33.0-9.oe2203sp1.noarch.rpm","git-email-2.33.0-9.oe2203sp1.noarch.rpm","git-svn-2.33.0-9.oe2203sp1.noarch.rpm","git-web-2.33.0-9.oe2203sp1.noarch.rpm","perl-Git-SVN-2.33.0-9.oe2203sp1.noarch.rpm"],"src":["git-2.33.0-8.oe2203.src.rpm","git-2.33.0-9.oe2203sp1.src.rpm"],"x86_64":["git-debuginfo-2.33.0-8.oe2203.x86_64.rpm","git-debugsource-2.33.0-8.oe2203.x86_64.rpm","git-daemon-2.33.0-8.oe2203.x86_64.rpm","git-2.33.0-8.oe2203.x86_64.rpm","git-daemon-2.33.0-9.oe2203sp1.x86_64.rpm","git-2.33.0-9.oe2203sp1.x86_64.rpm","git-core-2.33.0-9.oe2203sp1.x86_64.rpm","git-debuginfo-2.33.0-9.oe2203sp1.x86_64.rpm","git-debugsource-2.33.0-9.oe2203sp1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:22.03-LTS-SP1","name":"git","purl":"pkg:rpm/openEuler/git\u0026distro=openEuler-22.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.33.0-9.oe2203sp1"}]}],"ecosystem_specific":{"aarch64":["git-debuginfo-2.33.0-9.oe2203sp1.aarch64.rpm","git-daemon-2.33.0-9.oe2203sp1.aarch64.rpm","git-core-2.33.0-9.oe2203sp1.aarch64.rpm","git-debugsource-2.33.0-9.oe2203sp1.aarch64.rpm","git-2.33.0-9.oe2203sp1.aarch64.rpm"],"noarch":["git-help-2.33.0-9.oe2203sp1.noarch.rpm","gitk-2.33.0-9.oe2203sp1.noarch.rpm","git-gui-2.33.0-9.oe2203sp1.noarch.rpm","perl-Git-2.33.0-9.oe2203sp1.noarch.rpm","git-email-2.33.0-9.oe2203sp1.noarch.rpm","git-svn-2.33.0-9.oe2203sp1.noarch.rpm","git-web-2.33.0-9.oe2203sp1.noarch.rpm","perl-Git-SVN-2.33.0-9.oe2203sp1.noarch.rpm"],"src":["git-2.33.0-9.oe2203sp1.src.rpm"],"x86_64":["git-daemon-2.33.0-9.oe2203sp1.x86_64.rpm","git-2.33.0-9.oe2203sp1.x86_64.rpm","git-core-2.33.0-9.oe2203sp1.x86_64.rpm","git-debuginfo-2.33.0-9.oe2203sp1.x86_64.rpm","git-debugsource-2.33.0-9.oe2203sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1120"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22490"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23946"}],"database_specific":{"severity":"Medium"}}
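The details field above gives two short-term workarounds for hosts that cannot take the fixed packages yet: inspect each `.gitmodules` for suspicious module URLs before running `git submodule update` (CVE-2023-22490), and inspect a patch before `git apply` so that one creating a symbolic link and then a file beneath that link is never applied (CVE-2023-23946). The following is an added example written for this page, not code from the openEuler record or from the Git project; it turns both inspections into offline checks over text you already have locally. The rule for "suspicious" (any URL that is not an http(s)/ssh/git URL or an scp-like `[user@]host:path` remote, because the local-clone optimization is what the crafted repository abuses), the function names, and both sample inputs are this example's own assumptions.

```python
"""Offline pre-flight checks for the two workarounds in the advisory text.

Added example; not part of the openEuler OSV record or of Git itself.
Neither check needs a network connection or the git binary.
"""
import re

# ---- Workaround 1 (CVE-2023-22490): inspect .gitmodules before `git submodule update` ----
# Assumption of this example: a module URL is acceptable only if it names a remote
# transport.  Relative or absolute paths, file://, ext:: and an empty url are flagged.
REMOTE_URL = re.compile(r"^(?:https?|ssh|git|git\+ssh|ssh\+git)://", re.IGNORECASE)
# scp-like form [user@]host:path; the char after the colon must not be '/' or ':' so
# that file:///... and ext::... are not mistaken for it.
SCP_LIKE = re.compile(r"^(?:[^/@:]+@)?[A-Za-z0-9.-]+:[^/:].*$")


def parse_gitmodules(text):
    """Parse git-config style .gitmodules text into {submodule name: {key: value}}."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.match(r'^\[submodule\s+"(.+)"\]$', line)
        if m:
            current = m.group(1)
            modules[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            modules[current][key] = value
    return modules


def is_remote_url(url):
    return bool(REMOTE_URL.match(url) or SCP_LIKE.match(url))


def suspicious_submodules(text):
    """Names of submodules whose url is not a remote transport (local path, file://, ext::, missing)."""
    return [name for name, cfg in parse_gitmodules(text).items()
            if not is_remote_url(cfg.get("url", ""))]


# ---- Workaround 2 (CVE-2023-23946): inspect a patch before `git apply` ----
# In git's extended diff format a new symlink is announced by `new file mode 120000`.
# This walks the file headers in patch order (the same order `git apply --stat` lists)
# and reports any later path that descends through a link the same patch created.
# A link that already exists in the working tree is outside what a patch-only check sees.
HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")   # paths with spaces/quotes not handled


def symlink_traversal_paths(patch_text):
    """Return (link, path) pairs where `path` is written beneath `link`, which the same patch creates earlier."""
    lines = patch_text.splitlines()
    created_links, hits = [], []
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if not m:
            continue
        path = m.group(2)
        hits.extend((link, path) for link in created_links if path.startswith(link + "/"))
        # extended header lines (new file mode, index, ---, +++) directly follow the diff line
        if any(hdr.startswith("new file mode 120000") for hdr in lines[i + 1:i + 5]):
            created_links.append(path)
    return hits


# Constructed sample inputs for demonstration; not taken from any real repository or patch.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = https://example.com/libfoo.git
[submodule "tools/gen"]
\tpath = tools/gen
\turl = git@example.com:org/gen.git
[submodule "trap"]
\tpath = trap
\turl = ../trap-objects
"""

SAMPLE_PATCH = """\
diff --git a/link b/link
new file mode 120000
index 0000000..1111111
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+../outside-the-worktree
diff --git a/link/escaped.txt b/link/escaped.txt
new file mode 100644
index 0000000..2222222
--- /dev/null
+++ b/link/escaped.txt
@@ -0,0 +1 @@
+written through the symlink
"""

if __name__ == "__main__":
    print("suspicious submodules:", suspicious_submodules(SAMPLE_GITMODULES))
    print("symlink traversal in patch:", symlink_traversal_paths(SAMPLE_PATCH))
```

Run the `.gitmodules` check on each layer before its `git submodule update`, and the patch check on the patch file alongside `git apply --stat`; a non-empty result from either means stop and read the file by hand. Both are stop-gaps only: the fix is the updated git package listed for each openEuler release above.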