-------------------------------------------------------------------------
Debian LTS Advisory DLA-3867-1                        [email protected]
https://www.debian.org/lts/security/                        Sean Whitton
September 03, 2024                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : git
Version        : 1:2.30.2-1+deb11u3
CVE ID         : CVE-2019-1387 CVE-2023-25652 CVE-2023-25815 CVE-2023-29007
                 CVE-2024-32002 CVE-2024-32004 CVE-2024-32021 CVE-2024-32465
Debian Bug     : 1034835 1071160

Multiple vulnerabilities were discovered in git, a fast, scalable and
distributed revision control system.

CVE-2019-1387

    It was possible to bypass the previous check for this vulnerability
    using parallel cloning, or the --recurse-submodules option to
    git-checkout(1).

CVE-2023-25652

    Feeding specially-crafted input to 'git apply --reject' could overwrite
    a path outside the working tree with partially controlled contents,
    corresponding to the rejected hunk or hunks from the given patch.

CVE-2023-25815

    Low-privileged users could inject malicious messages into Git's output
    under MINGW.

CVE-2023-29007

    A specially-crafted .gitmodules file with submodule URLs longer than
    1024 characters could be used to inject arbitrary configuration into
    $GIT_DIR/config.

CVE-2024-32002

    Repositories with submodules could be specially-crafted to write hooks
    into .git/ which would then be executed during an ongoing clone
    operation.

CVE-2024-32004

    A specially-crafted local repository could cause the execution of
    arbitrary code when cloned by another user.

CVE-2024-32021

    When cloning a local repository that contains symlinks via the
    filesystem, Git could have created hardlinks to arbitrary user-readable
    files on the same filesystem as the target repository in the objects/
    directory.

CVE-2024-32465

    When cloning a local repository obtained from a downloaded archive,
    hooks in that repository could be used for arbitrary code execution.

For Debian 11 bullseye, these problems have been fixed in version
1:2.30.2-1+deb11u3.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/git

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS