Vulnerability CVE-2023-25652: Information
Description
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
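The workaround above as a pre-flight check, written as an added shell example that is not part of the original advisory or of Git: it lists the paths a patch touches with `git apply --numstat` and refuses the patch if any `<path>.rej` already exists as a symbolic link. The function names are hypothetical, and it assumes it is run from the top of the working tree with paths free of tabs, newlines and quotes.

```shell
#!/bin/sh
# Added example: pre-flight check before `git apply --reject`.
# Function names are hypothetical. Run from the top of the working tree.

# Read paths on stdin, one per line. Print every "<path>.rej" that already
# exists as a symbolic link (dangling links included).
# Returns 1 if at least one was found, 0 otherwise.
rej_symlinks() {
    found=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ -L "$p.rej" ]; then
            printf '%s.rej\n' "$p"
            found=1
        fi
    done
    return "$found"
}

# Inspect a patch without applying it and refuse it when a reject file
# would land on a symlink. Returns 0 = clean, 1 = symlink found,
# 2 = git could not parse the patch.
check_patch() {
    # --numstat prints "added<TAB>deleted<TAB>path" per file and exits
    # non-zero on an unparsable patch. Assumption: git does not need to
    # C-quote any path (no tabs, newlines or quotes in file names).
    stat=$(git apply --numstat "$1") || {
        echo "refusing: git cannot parse $1" >&2
        return 2
    }
    if printf '%s\n' "$stat" | cut -f3- | rej_symlinks; then
        echo "ok: no *.rej symlinks for paths in $1"
    else
        echo "refusing: $1 touches paths whose *.rej is a symlink" >&2
        return 1
    fi
}

# Usage: check_patch untrusted.patch && git apply --reject untrusted.patch
```

This check only covers the workaround; upgrading to one of the fixed versions listed above remains the actual fix.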
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
git | sisyphus | 2.33.8-alt1 | 2.42.2-alt1 | ALT-PU-2023-1675-1 | 319318 | Fixed |
git | sisyphus_e2k | 2.33.8-alt1 | 2.42.2-alt1 | ALT-PU-2023-3293-1 | - | Fixed |
git | sisyphus_riscv64 | 2.33.8-alt1 | 2.42.2-alt1 | ALT-PU-2023-3316-1 | - | Fixed |
git | p10 | 2.33.8-alt1 | 2.33.8-alt1 | ALT-PU-2023-1695-1 | 319522 | Fixed |
git | p10_e2k | 2.33.8-alt1 | 2.33.8-alt1 | ALT-PU-2023-3281-1 | - | Fixed |
git | c10f1 | 2.33.8-alt1 | 2.42.1-alt1 | ALT-PU-2023-1695-1 | 319522 | Fixed |
git | c9f2 | 2.33.8-alt1 | 2.42.1-alt1 | ALT-PU-2023-4135-1 | 324144 | Fixed |