Alerts This Week
Warning Icon 1 626
Alerts This Week
Warning Icon 1 626

Slackware 14.0+: 2023-046-02 Moderate: Git Data Exfiltration Risk

slackware
Calendar Grey February 15, 2023
Dist Slackware Esm H88
Updated git distributions are now accessible for Slackware 14.0 and newer to resolve security vulnerabilities that affect local clone efficiency.
New git packages are available for Slackware 14.0, 14.1, 14.2, 15.0, and -current to fix security issues

Summary

Here are the details from the Slackware 15.0 ChangeLog: patches/packages/git-2.35.7-i586-1_slack15.0.txz: Upgraded. This update fixes security issues: Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply". For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-22490 https://www.cve.org/CVERecord?id=CVE-2023-23946 (* Security

Read the Full Advisory

Topics%20covered

Topics Covered

security advisory moderate security fix slackware data exfiltration git local clone

Where Find New Packages

Thanks to the friendly folks at the OSU Open Source Lab (https://osuosl.org/) for donating FTP and rsync hosting to the Slackware project! :-)
Also see the "Get Slack" section on http://www.slackware.com/ for additional mirror sites near you.
Updated package for Slackware 14.0:
Updated package for Slackware x86_64 14.0:
Updated package for Slackware 14.1:
Updated package for Slackware x86_64 14.1:
Updated package for Slackware 14.2:
Updated package for Slackware x86_64 14.2:
Updated package for Slackware 15.0:
Updated package for Slackware x86_64 15.0:
Updated package for Slackware -current:
Updated package for Slackware x86_64 -current:

MD5 Signatures

Slackware 14.0 package: a526556bbddfbaa01cdb4332325107dc git-2.30.8-i486-1_slack14.0.txz
Slackware x86_64 14.0 package: 38ce3e7dff136d964714e8fa6f43d18c git-2.30.8-x86_64-1_slack14.0.txz
Slackware 14.1 package: 8ec5136dac11c68e30f17ba7026f50b7 git-2.30.8-i486-1_slack14.1.txz
Slackware x86_64 14.1 package: de60fa818a29bd0ea12ac4dc4737844d git-2.30.8-x86_64-1_slack14.1.txz
Slackware 14.2 package: 7a441db9224ab67a0243a89f1fe0afc2 git-2.30.8-i586-1_slack14.2.txz
Slackware x86_64 14.2 package: 9f3b54344f2a56b69178fd485abb6419 git-2.30.8-x86_64-1_slack14.2.txz
Slackware 15.0 package: 838afcf8c90b71ebf068bc7d48f8aa7c git-2.35.7-i586-1_slack15.0.txz
Slackware x86_64 15.0 package: 8b419dff69edf2f63b89c75918a1b0da git-2.35.7-x86_64-1_slack15.0.txz
Slackware -current package: fbef317c572024fcfa96bec120875a24 d/git-2.39.2-i586-1.txz
Slackware x86_64 -current package: 7bcf831465983f40555012389f3958cb d/git-2.39.2-x86_64-1.txz

Topics%20covered

Topics Covered

security advisory moderate security fix slackware data exfiltration git local clone

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Installation Instructions

Installation instructions: Upgrade the package as root: # upgradepkg git-2.35.7-i586-1_slack15.0.txz

Related News

Your message here