-------------------------------------------------------------------------
Debian LTS Advisory DLA-3844-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Sean Whitton
June 26, 2024                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : git
Version        : 1:2.20.1-2+deb10u9
CVE ID         : CVE-2019-1387 CVE-2023-25652 CVE-2023-25815 CVE-2023-29007
                 CVE-2024-32002 CVE-2024-32004 CVE-2024-32021 CVE-2024-32465
Debian Bug     : 1034835 1071160

Multiple vulnerabilities were found in git, a fast, scalable and
distributed revision control system.

CVE-2019-1387

    It was possible to bypass the previous check for this vulnerability
    using parallel cloning, or the --recurse-submodules option to
    git-checkout(1).

CVE-2023-25652

    Feeding specially-crafted input to 'git apply --reject' could
    overwrite a path outside the working tree with partially controlled
    contents, corresponding to the rejected hunk or hunks from the given
    patch.

CVE-2023-25815

    Low-privileged users could inject malicious messages into Git's
    output under MINGW.

CVE-2023-29007

    A specially-crafted .gitmodules file with submodule URLs longer than
    1024 characters could be used to inject arbitrary configuration into
    $GIT_DIR/config.
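As an added pre-clone audit (not part of this advisory or of git's own
code), the following Python script parses a .gitmodules file and flags
any submodule whose url exceeds the 1024-character threshold named
above. The sample .gitmodules content is constructed for the example;
the parser only understands the [submodule "name"] / key = value layout.

```python
import re

# Constructed sample .gitmodules: one ordinary submodule and one whose URL
# exceeds the 1024-character threshold named in CVE-2023-29007.
SAMPLE_GITMODULES = (
    '[submodule "libfoo"]\n'
    '\tpath = vendor/libfoo\n'
    '\turl = https://example.invalid/libfoo.git\n'
    '[submodule "overlong"]\n'
    '\tpath = vendor/overlong\n'
    '\turl = https://example.invalid/' + 'a' * 1100 + '.git\n'
)

URL_LIMIT = 1024  # threshold quoted in the advisory text

_SECTION = re.compile(r'^\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
_KEYVAL = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*?)\s*$')


def parse_gitmodules(text):
    """Minimal .gitmodules parser: returns {submodule name: {key: value}}.
    Only [submodule "..."] sections are kept; any other section is skipped."""
    modules = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue                      # blank line or comment
        m = _SECTION.match(line)
        if m:
            current = modules.setdefault(m.group('name'), {})
            continue
        if line.startswith('['):
            current = None                # some other section type
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            current[m.group('key').lower()] = m.group('value')
    return modules


def find_overlong_urls(text, limit=URL_LIMIT):
    """Return [(submodule name, url length)] for every url longer than limit."""
    hits = []
    for name, keys in parse_gitmodules(text).items():
        url = keys.get('url', '')
        if len(url) > limit:
            hits.append((name, len(url)))
    return hits


if __name__ == '__main__':
    for name, length in find_overlong_urls(SAMPLE_GITMODULES):
        print(f'submodule {name!r}: url is {length} chars (> {URL_LIMIT})')
```

Run it against the .gitmodules of a repository before cloning it with
--recurse-submodules on a git older than the fixed version.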

CVE-2024-32002

    Repositories with submodules could be specially-crafted to write
    hooks into .git/ which would then be executed during an ongoing
    clone operation.

CVE-2024-32004

    A specially-crafted local repository could cause the execution of
    arbitrary code when cloned by another user.

CVE-2024-32021

    When cloning a local repository that contains symlinks via the
    filesystem, Git could have created hardlinks to arbitrary
    user-readable files on the same filesystem as the target repository
    in the objects/ directory.

CVE-2024-32465

    When cloning a local repository obtained from a downloaded archive,
    hooks in that repository could be used for arbitrary code execution.

For Debian 10 buster, these problems have been fixed in version
1:2.20.1-2+deb10u9.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/git

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
