Vulnerabilities detected in Git that allow files to be overwritten or code to be executed


If exploited, these flaws can let an attacker overwrite files outside the repository's working tree or execute code on the user's system.

A new Git maintenance release, v2.40.1, has been published together with maintenance releases for the earlier series (v2.39.3, v2.38.5, v2.37.7, v2.36.6, v2.35.8, v2.34.8, v2.33.8, v2.32.7, v2.31.8 and v2.30.9), after five vulnerabilities were identified in Git.

These maintenance releases address the identified security issues, among them CVE-2023-25652, CVE-2023-25815 and CVE-2023-29007.

About Git vulnerabilities

Vulnerability CVE-2023-29007 allows arbitrary configuration to be injected into the $GIT_DIR/config file, which can be used to execute code on the system when the injected values name executables through directives such as core.pager, core.editor and core.sshCommand.

The vulnerability stems from a logic error in the code that renames or removes a section from a configuration file: a configuration value longer than 1024 characters is split, and the remainder can be treated as the start of a new section.

In practice, the injected values can be delivered as very long submodule URLs, which are saved to the $GIT_DIR/config file when the submodule is initialized. These URLs are then reinterpreted as new configuration when the submodule is removed with "git submodule deinit".

Another vulnerability, CVE-2023-25652, allows content to be written to files outside the working tree when specially crafted patches are processed with the command "git apply --reject". Normally, a malicious patch that tries to write to a file through a symbolic link is rejected by "git apply", and in Git 2.39.1 this protection was extended to also block patches that create symlinks and then attempt to write through them. The essence of this vulnerability is that Git did not take into account that the user can run "git apply --reject" to save the rejected hunks of a patch as files with the ".rej" extension, and an attacker can use this feature to write the rejected content into an arbitrary directory, to the extent that the current access rights allow.

For its part, CVE-2023-25815: when Git is compiled with runtime prefix support and runs without translated messages, it still used the gettext machinery to display messages, which could then look for translated messages in unexpected places. This allowed crafted messages to be placed maliciously.

In addition, three vulnerabilities that only affect Windows were fixed:

  • CVE-2023-29012: the "Git CMD" launcher looks for the doskey.exe executable in the current working directory (for example, a repository's working tree) when it starts, which makes it possible to get attacker-controlled code executed on the user's system.
  • CVE-2023-25815: the gettext message lookup described above, which on Windows can resolve to a location that other users can write to. This affects users working on Windows machines to which other untrusted parties have write access. Typically, all authenticated users are allowed to create folders on C:\, which lets malicious actors inject crafted messages into git.exe.
  • CVE-2023-29011: the configuration file of connect.exe, the helper used for SOCKS5 proxy connections, can be replaced. Its location is hard-coded to a path that is interpreted as C:\etc\connectrc, which any authenticated user can create, in the same way as above.

As a workaround to protect against these vulnerabilities until the update is installed, it is recommended to avoid running "git apply --reject" on unverified external patches, and to inspect the contents of $GIT_DIR/config before running "git submodule deinit", "git config --rename-section" or "git config --remove-section" in untrusted repositories.
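As a concrete way to carry out this workaround, and to check the update advice at the top of the article, the following POSIX shell script is an added example; it is not code from the Git project or from the original article. It does two things: it tells you whether an installed Git version is at or above the fixed release of its maintenance series, using the list of releases given above, and it scans a $GIT_DIR/config (the same check works on a .gitmodules file) for the two signs that matter before running "git submodule deinit" or "git config --remove-section": lines longer than 1024 bytes, the length reported in the Git advisory for CVE-2023-29007, and repository-level core.pager, core.editor or core.sshCommand entries. The function names, the constructed sample configs, and the assumption that releases newer than 2.40.1 carry the fixes are this example's own.

```shell
#!/bin/sh
# Added example (not code from the Git project or from the original article):
# two checks that back up the workaround above, in POSIX sh. Function names,
# the sample configs, and the choice to treat releases newer than 2.40.1 as
# fixed are this example's own assumptions; the per-series fixed versions are
# the ones listed in the article, and 1024 is the line length at which the
# vulnerable rename/remove-section code split lines (from the Git advisory).

# git_series_fixed VERSION
#   exit 0 if VERSION is at or above the fixed release of its maintenance
#   series, 1 if it is not, 2 if the argument does not look like a version.
#   Accepts raw "git --version" output and Git for Windows suffixes such as
#   2.39.3.windows.1.
git_series_fixed() {
    v=${1#git version }
    v=${v%%[!0-9.]*}                 # keep only the leading X.Y.Z digits
    [ -n "$v" ] || return 2
    major=${v%%.*};    rest=${v#"$major"};    rest=${rest#.}
    minor=${rest%%.*}; rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 41 ]; }; then
        return 0                     # released after the advisory: assumed to carry the fixes
    fi
    [ "$major" -eq 2 ] || return 1
    case $minor in
        40) need=1 ;; 39) need=3 ;; 38) need=5 ;; 37) need=7 ;; 36) need=6 ;;
        35) need=8 ;; 34) need=8 ;; 33) need=8 ;; 32) need=7 ;; 31) need=8 ;;
        30) need=9 ;;
        *)  return 1 ;;              # 2.29 and older received no fixed release
    esac
    [ "$patch" -ge "$need" ]
}

# long_lines FILE: print "N: LEN bytes" for every line longer than 1024 bytes.
# LC_ALL=C makes awk's length() count bytes rather than characters.
long_lines() {
    LC_ALL=C awk 'length($0) > 1024 { printf "%d: %d bytes\n", NR, length($0) }' "$1"
}

# risky_core_settings FILE: print "N: LINE" for every pager, editor or
# sshCommand key inside a [core] section (keys and section names are
# case-insensitive in Git config). A freshly cloned repository's config has
# none of these; they belong in the user's global config, so a hit in a
# repository you did not create yourself is suspect.
risky_core_settings() {
    LC_ALL=C awk '
        /^[ \t]*\[/ { in_core = (tolower($0) ~ /^[ \t]*\[core\]/); next }
        in_core && tolower($0) ~ /^[ \t]*(pager|editor|sshcommand)[ \t]*=/ {
            printf "%d: %s\n", NR, $0
        }' "$1"
}

# audit_git_config FILE: run both scans, print findings, exit 0 if the file is
# clean, 1 if anything was found, 2 if the file cannot be read.
audit_git_config() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    bad=0
    out=$(long_lines "$file")
    if [ -n "$out" ]; then
        printf '%s: line(s) longer than 1024 bytes (CVE-2023-29007 split length):\n%s\n' "$file" "$out"
        bad=1
    fi
    out=$(risky_core_settings "$file")
    if [ -n "$out" ]; then
        printf '%s: [core] setting(s) that name a program to run:\n%s\n' "$file" "$out"
        bad=1
    fi
    return $bad
}

# Usage: sh git_advisory_check.sh [/path/to/repo/.git/config ...]
# Reports on the installed git (if any), then audits each config file given.
if command -v git >/dev/null 2>&1; then
    ver=$(git --version)
    if git_series_fixed "$ver"; then echo "installed $ver: at or above the fixed release"
    else echo "installed $ver: NOT at a fixed release, update Git"; fi
fi
for cfg in "$@"; do
    audit_git_config "$cfg" && echo "$cfg: no findings"
done
```

The long-line check is deliberately coarse: it flags any line over the split length rather than trying to recognise what the remainder would be parsed as, because the point is to refuse to run a section-removing command on such a file at all. The [core] check only covers the three keys named in the article; other keys that name programs (for example the various diff and merge tool settings) can be added to the same regular expression.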

Finally, if you are interested in learning more, you can consult the details at the following link.

For those interested in following the release of package updates in distributions, you can do so on the pages of Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch and FreeBSD.
