31553 – git new security issues CVE-2023-22490 and CVE-2023-23946

Bug 31553 - git new security issues CVE-2023-22490 and CVE-2023-23946

Summary: git new security issues CVE-2023-22490 and CVE-2023-23946

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2023-02-15 17:04 CET by David Walser
Modified:	2023-02-27 21:29 CET (History)
CC List:	4 users (show)

See Also:
Source RPM:	git-2.30.7-1.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-02-15 17:04:01 CET

Git 2.30.8 has been released on February 14, fixing security issues:
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.30.8.txt
https://lore.kernel.org/git/004a01d940a4$289e56a0$79db03e0$@nexbridge.com/T/

Updated package uploaded for Mageia 8.

Advisory:
========================

Updated git packages fix security vulnerabilities:

Using a specially-crafted repository, Git can be tricked into using its local
clone optimization even when using a non-local transport. Though Git will
abort local clones whose source $GIT_DIR/objects directory contains symbolic
links, the objects directory itself may still be a symbolic link. These two
may be combined to include arbitrary files based on known paths on the
victim's filesystem within the malicious repository's working copy, allowing
for data exfiltration in a similar manner as CVE-2022-39253 (CVE-2023-22490).

By feeding a crafted input to "git apply", a path outside the working tree can
be overwritten as the user who is running "git apply" (CVE-2023-23946).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22490
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23946
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.30.8.txt
https://lore.kernel.org/git/004a01d940a4$289e56a0$79db03e0$@nexbridge.com/T/
========================

Updated packages in core/updates_testing:
========================
git-2.30.8-1.mga8
git-arch-2.30.8-1.mga8
git-core-2.30.8-1.mga8
git-core-oldies-2.30.8-1.mga8
git-cvs-2.30.8-1.mga8
git-email-2.30.8-1.mga8
git-prompt-2.30.8-1.mga8
git-subtree-2.30.8-1.mga8
git-svn-2.30.8-1.mga8
gitk-2.30.8-1.mga8
gitweb-2.30.8-1.mga8
lib(64)git-devel-2.30.8-1.mga8
perl-Git-2.30.8-1.mga8
perl-Git-SVN-2.30.8-1.mga8

from SRPM:
git-2.30.8-1.mga8.src.rpm

Comment 1 David Walser 2023-02-15 17:46:26 CET

Ubuntu has issued an advisory for this on February 14:
https://ubuntu.com/security/notices/USN-5871-1

Comment 2 David Walser 2023-02-16 21:16:48 CET

Upstream advisories:
https://github.com/git/git/security/advisories/GHSA-gw92-x3fm-3g3q
https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh

Comment 3 Herman Viaene 2023-02-21 14:55:36 CET

MGA8-64 MATE on Acer Aspire 5253
No installation issues
After removing the previous .git folder from my home, followed procedure as in bug 30985 Comment 6.
$ git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint: 
hint: 	git config --global init.defaultBranch <name>
hint: 
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint: 
hint: 	git branch -m <name>
Initialized empty Git repository in /home/tester8/.git/
$ git config --global user.name "tester8"
$ git config --global user.email "herman.viaene@hotmail.be"
$ git add ~/Documents/exo.txt
$ git branch
$ git show
fatal: your current branch 'master' does not have any commits yet
$ git commit
[master (root-commit) 662607c] testgit 2.30.8
 1 file changed, 1293 insertions(+)
 create mode 100644 Documents/exo.txt
$ git show
commit 662607cdfa163e81a0ffca04307434d7fc92e9ab (HEAD -> master)
Author: tester8 <herman.viaene@hotmail.be>
Date:   Tue Feb 21 14:48:50 2023 +0100

    testgit 2.30.8

diff --git a/Documents/exo.txt b/Documents/exo.txt
new file mode 100644
index 0000000..3902b92
--- /dev/null
+++ b/Documents/exo.txt
@@ -0,0 +1,1293 @@
+execve("/usr/bin/thunar", ["thunar"], 0x7ffc418dda20 /* 68 vars */) = 0
+brk(NULL)                               = 0xf1e000
+access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
+openat(AT_FDCWD, "/usr/lib64/tls/x86_64/x86_64/libthunarx-3.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
+stat("/usr/lib64/tls/x86_64/x86_64", 0x7fffca3a1f90) = -1 ENOENT (No such file or directory)
and the rest of the file .....
OK as in previous test

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2023-02-21 16:53:18 CET

Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-02-25 20:39:52 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-02-27 21:29:09 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0066.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.