RE: [Announce] Git 2.39.2 and friends

From: rsbecker
Date: Tue Feb 14 2023 - 13:54:00 EST

Next message: Eric Biggers: "Re: [PATCH v3] sched/psi: fix use-after-free in ep_remove_wait_queue()"
Previous message: Elliot Berman: "Re: [PATCH] firmware: qcom_scm: Use fixed width src vm bitmap"
In reply to: Junio C Hamano: "[Announce] Git 2.39.2 and friends"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On February 14, 2023 1:05 PM, Junio C Hamano wrote:
>A maintenance release Git v2.39.2, together with releases for older
maintenance
>tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6,
v2.31.7, and
>v2.30.8, are now available at the usual places.
>
>These maintenance releases are to address two security issues identified as
CVE-
>2023-22490 and CVE-2023-23946. They both affect ranges of existing
versions and
>users are strongly encouraged to upgrade.
>
>The tarballs are found at:
>
> https://www.kernel.org/pub/software/scm/git/
>
>The following public repositories all have a copy of the 'v2.39.2'
>tag, as well as the tags for older maintenance tracks listed above.
>
> url = https://git.kernel.org/pub/scm/git/git
> url = https://kernel.googlesource.com/pub/scm/git/git
> url = git://repo.or.cz/alt-git.git
> url = https://github.com/gitster/git
>
>The addressed issues are:
>
> * CVE-2023-22490:
>
> Using a specially-crafted repository, Git can be tricked into using
> its local clone optimization even when using a non-local transport.
> Though Git will abort local clones whose source $GIT_DIR/objects
> directory contains symbolic links (c.f., CVE-2022-39253), the objects
> directory itself may still be a symbolic link.
>
> These two may be combined to include arbitrary files based on known
> paths on the victim's filesystem within the malicious repository's
> working copy, allowing for data exfiltration in a similar manner as
> CVE-2022-39253.
>
> * CVE-2023-23946:
>
> By feeding a crafted input to "git apply", a path outside the
> working tree can be overwritten as the user who is running "git
> apply".
>
>Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was developed
by
>Taylor Blau, with additional help from others on the Git security mailing
list.
>
>Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the fix
was
>developed by Patrick Steinhardt.
>
>Johannes Schindelin helped greatly in packaging the whole thing and
proofreading
>the result.

NonStop build/test/package cycle has started for 2.39.2. If anyone needs one
of the friends built for this platform, please let me know.
--Randall

Next message: Eric Biggers: "Re: [PATCH v3] sched/psi: fix use-after-free in ep_remove_wait_queue()"
Previous message: Elliot Berman: "Re: [PATCH] firmware: qcom_scm: Use fixed width src vm bitmap"
In reply to: Junio C Hamano: "[Announce] Git 2.39.2 and friends"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]