lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 14 Feb 2023 13:42:52 -0500
From:   <rsbecker@...bridge.com>
To:     "'Junio C Hamano'" <gitster@...ox.com>, <git@...r.kernel.org>
Cc:     "'Linux Kernel'" <linux-kernel@...r.kernel.org>,
        <git-packagers@...glegroups.com>,
        <oss-security@...ts.openwall.com>, <git-security@...glegroups.com>
Subject: RE: [Announce] Git 2.39.2 and friends

On February 14, 2023 1:05 PM, Junio C Hamano wrote:
>A maintenance release Git v2.39.2, together with releases for older
maintenance
>tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6,
v2.31.7, and
>v2.30.8, are now available at the usual places.
>
>These maintenance releases are to address two security issues identified as
CVE-
>2023-22490 and CVE-2023-23946.  They both affect ranges of existing
versions and
>users are strongly encouraged to upgrade.
>
>The tarballs are found at:
>
>    https://www.kernel.org/pub/software/scm/git/
>
>The following public repositories all have a copy of the 'v2.39.2'
>tag, as well as the tags for older maintenance tracks listed above.
>
>  url = https://git.kernel.org/pub/scm/git/git
>  url = https://kernel.googlesource.com/pub/scm/git/git
>  url = git://repo.or.cz/alt-git.git
>  url = https://github.com/gitster/git
>
>The addressed issues are:
>
> * CVE-2023-22490:
>
>   Using a specially-crafted repository, Git can be tricked into using
>   its local clone optimization even when using a non-local transport.
>   Though Git will abort local clones whose source $GIT_DIR/objects
>   directory contains symbolic links (c.f., CVE-2022-39253), the objects
>   directory itself may still be a symbolic link.
>
>   These two may be combined to include arbitrary files based on known
>   paths on the victim's filesystem within the malicious repository's
>   working copy, allowing for data exfiltration in a similar manner as
>   CVE-2022-39253.
>
> * CVE-2023-23946:
>
>   By feeding a crafted input to "git apply", a path outside the
>   working tree can be overwritten as the user who is running "git
>   apply".
>
>Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was developed
by
>Taylor Blau, with additional help from others on the Git security mailing
list.
>
>Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the fix
was
>developed by Patrick Steinhardt.
>
>Johannes Schindelin helped greatly in packaging the whole thing and
proofreading
>the result.

NonStop build/test/package cycle has started for 2.39.2. If anyone needs one
of the friends built for this platform, please let me know.
--Randall

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ