On February 14, 2023 1:05 PM, Junio C Hamano wrote: >A maintenance release Git v2.39.2, together with releases for older maintenance >tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and >v2.30.8, are now available at the usual places. > >These maintenance releases are to address two security issues identified as CVE- >2023-22490 and CVE-2023-23946. They both affect ranges of existing versions and >users are strongly encouraged to upgrade. > >The tarballs are found at: > > https://www.kernel.org/pub/software/scm/git/ > >The following public repositories all have a copy of the 'v2.39.2' >tag, as well as the tags for older maintenance tracks listed above. > > url = https://git.kernel.org/pub/scm/git/git > url = https://kernel.googlesource.com/pub/scm/git/git > url = git://repo.or.cz/alt-git.git > url = https://github.com/gitster/git > >The addressed issues are: > > * CVE-2023-22490: > > Using a specially-crafted repository, Git can be tricked into using > its local clone optimization even when using a non-local transport. > Though Git will abort local clones whose source $GIT_DIR/objects > directory contains symbolic links (c.f., CVE-2022-39253), the objects > directory itself may still be a symbolic link. > > These two may be combined to include arbitrary files based on known > paths on the victim's filesystem within the malicious repository's > working copy, allowing for data exfiltration in a similar manner as > CVE-2022-39253. > > * CVE-2023-23946: > > By feeding a crafted input to "git apply", a path outside the > working tree can be overwritten as the user who is running "git > apply". > >Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was developed by >Taylor Blau, with additional help from others on the Git security mailing list. > >Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the fix was >developed by Patrick Steinhardt. > >Johannes Schindelin helped greatly in packaging the whole thing and proofreading >the result. NonStop build/test/package cycle has started for 2.39.2. If anyone needs one of the friends built for this platform, please let me know. --Randall
