52 lines
1.7 KiB
Plaintext
52 lines
1.7 KiB
Plaintext
Git v2.30.8 Release Notes
|
|
=========================
|
|
|
|
This release addresses the security issues CVE-2023-22490 and
|
|
CVE-2023-23946.
|
|
|
|
|
|
Fixes since v2.30.7
|
|
-------------------
|
|
|
|
* CVE-2023-22490:
|
|
|
|
Using a specially-crafted repository, Git can be tricked into using
|
|
its local clone optimization even when using a non-local transport.
|
|
Though Git will abort local clones whose source $GIT_DIR/objects
|
|
directory contains symbolic links (c.f., CVE-2022-39253), the objects
|
|
directory itself may still be a symbolic link.
|
|
|
|
These two may be combined to include arbitrary files based on known
|
|
paths on the victim's filesystem within the malicious repository's
|
|
working copy, allowing for data exfiltration in a similar manner as
|
|
CVE-2022-39253.
|
|
|
|
* CVE-2023-23946:
|
|
|
|
By feeding a crafted input to "git apply", a path outside the
|
|
working tree can be overwritten as the user who is running "git
|
|
apply".
|
|
|
|
* A mismatched type in `attr.c::read_attr_from_index()` which could
|
|
cause Git to errantly reject attributes on Windows and 32-bit Linux
|
|
has been corrected.
|
|
|
|
Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was
|
|
developed by Taylor Blau, with additional help from others on the
|
|
Git security mailing list.
|
|
|
|
Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the
|
|
fix was developed by Patrick Steinhardt.
|
|
|
|
|
|
Johannes Schindelin (1):
|
|
attr: adjust a mismatched data type
|
|
|
|
Patrick Steinhardt (1):
|
|
apply: fix writing behind newly created symbolic links
|
|
|
|
Taylor Blau (3):
|
|
t5619: demonstrate clone_local() with ambiguous transport
|
|
clone: delay picking a transport until after get_repo_path()
|
|
dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS
|