Git 2.40.1 & Other Updates Address Three High-Impact Security Vulnerabilities

The three Git security vulnerabilities recently discovered and fixed are CVE-2023-25652, CVE-2023-25815, and CVE-2023-29007. These vulnerabilities could lead to a path outside of the Git working tree potentially being overwritten with partially controlled contents, the possibility of malicious placement of crafted messages when Git is built without translated messages, and the third vulnerability is around arbitrary configuration injection.

• CVE-2023-25652: By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch).
• CVE-2023-25815: When Git is compiled with runtime prefix support and runs without translated messages, it still used the gettext machinery to display messages, which subsequently potentially looked for translated messages in unexpected places. This allowed for malicious placement of crafted messages.
• CVE-2023-29007: When renaming or deleting a section from a configuration file, certain malicious configuration values may be misinterpreted as the beginning of a new configuration section, leading to arbitrary configuration injection.

Further details on these updates and downloads can be accessed via the release annoncement.

To stay on top of important updates released by the open-source programs and applications you use, be sure to register as a LinuxSecurity user, then subscribe to our Linux Advisory Watch newsletter and customize your advisories for the distro(s) you use. This will enable you to stay up-to-date on the latest, most significant issues impacting the security of your systems.

Follow @LS_Advisories on Twitter for real-time updates on advisories for your distro(s).