Skip to content

OSG-SEC-2023-05-24 MEDIUM multiple git vulnerabilities

Dear OSG Security Contacts,

Multiple vulnerabilities have been identified in the git revision control system. Red Hat has flagged two of them as important. These vulnerabilities can be exploited in very specific circumstances to overwrite data in path locations outside of the working tree (CVE-2023-25652) [1] or in an injection attack against a user's git configuration (CVE-2023-29007) [4].

IMPACTED VERSIONS:

Versions of git prior to: 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1 [3][6]

All major Linux distributions are all impacted.

WHAT ARE THE VULNERABILITIES:

CVE-2023-25652: The 'git apply --reject' can be exploited with specially crafted input to overwrite path locations outside the working tree. [2][3]

CVE-2023-29007: Specially crafted .gitmodules files can be used in an injection attack against a user's git configuration. [5][6]

WHAT YOU SHOULD DO:

Patched git packages are available for RHEL and will be available for all RHEL based distributions if they aren't already. Patched git packages are also available for Debian based and Ubuntu distributions. Update the git package on your systems to the latest versions.

For unpatched systems, the recommended mitigations are:

CVE-2023-25652: Avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the *.rej file exists. [3]

CVE-2023-29007: Avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config. [6]

REFERENCES

[1] https://access.redhat.com/security/cve/CVE-2023-25652

[2] https://bugzilla.redhat.com/show_bug.cgi?id=2188333

[3] https://nvd.nist.gov/vuln/detail/CVE-2023-25652

[4] https://access.redhat.com/security/cve/CVE-2023-29007

[5] https://bugzilla.redhat.com/show_bug.cgi?id=2188338

[6] https://nvd.nist.gov/vuln/detail/CVE-2023-29007

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team