Git 2.40.1 has been released to address three new security vulnerabilities being disclosed, which have been classified as “high-severity” by the National Vulnerability Database (NVD) due to their high confidentiality, integrity and availability impact, and the low attack complexity and lack of privileges required to exploit them. Due to these security fixes, updates for prior stable Git series are also availble with v2.39.3, v2.38.5, v2.37.7, v2.36.6, v2.35.8, v2.34.8, v2.33.8, v2.32.7, v2.31.8, and v2.30.9.
The three Git security vulnerabilities recently discovered and fixed are CVE-2023-25652, CVE-2023-25815, and CVE-2023-29007. These vulnerabilities could lead to a path outside of the Git working tree potentially being overwritten with partially controlled contents, the possibility of malicious placement of crafted messages when Git is built without translated messages, and the third vulnerability is around arbitrary configuration injection.
- CVE-2023-25652: By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch).
- CVE-2023-25815: When Git is compiled with runtime prefix support and runs without translated messages, it still used the gettext machinery to display messages, which subsequently potentially looked for translated messages in unexpected places. This allowed for malicious placement of crafted messages.
- CVE-2023-29007: When renaming or deleting a section from a configuration file, certain malicious configuration values may be misinterpreted as the beginning of a new configuration section, leading to arbitrary configuration injection.
Further details on these updates and downloads can be accessed via the release annoncement.
To stay on top of important updates released by the open-source programs and applications you use, be sure to register as a LinuxSecurity user, then subscribe to our Linux Advisory Watch newsletter and customize your advisories for the distro(s) you use. This will enable you to stay up-to-date on the latest, most significant issues impacting the security of your systems.
Follow @LS_Advisories on Twitter for real-time updates on advisories for your distro(s).