-------------------------------------------------------------------------
Debian LTS Advisory DLA-3844-1                [email protected]
https://www.debian.org/lts/security/                         Sean Whitton
June 26, 2024                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : git
Version        : 1:2.20.1-2+deb10u9
CVE ID         : CVE-2019-1387 CVE-2023-25652 CVE-2023-25815 CVE-2023-29007
                 CVE-2024-32002 CVE-2024-32004 CVE-2024-32021 CVE-2024-32465
Debian Bug     : 1034835 1071160

Multiple vulnerabilities were found in git, a fast, scalable and
distributed revision control system.

CVE-2019-1387

    It was possible to bypass the previous check for this vulnerability
    using parallel cloning, or the --recurse-submodules option to
    git-checkout(1).

CVE-2023-25652

    Feeding specially-crafted input to 'git apply --reject' could
    overwrite a path outside the working tree with partially controlled
    contents, corresponding to the rejected hunk or hunks from the given
    patch.

CVE-2023-25815

    Low-privileged users could inject malicious messages into Git's
    output under MINGW.

CVE-2023-29007

    A specially-crafted .gitmodules file with submodule URLs longer than
    1024 characters could be used to inject arbitrary configuration into
    $GIT_DIR/config.

CVE-2024-32002

    Repositories with submodules could be specially-crafted to write
    hooks into .git/ which would then be executed during an ongoing
    clone operation.

CVE-2024-32004

    A specially-crafted local repository could cause the execution of
    arbitrary code when cloned by another user.

CVE-2024-32021

    When cloning a local repository that contains symlinks via the
    filesystem, Git could have created hardlinks to arbitrary
    user-readable files on the same filesystem as the target repository
    in the objects/ directory.

CVE-2024-32465

    When cloning a local repository obtained from a downloaded archive,
    hooks in that repository could be used for arbitrary code execution.
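Two of the issues above (CVE-2023-29007 and CVE-2024-32002) are triggered through the contents of a repository's .gitmodules file, so a reviewer who must vet third-party repositories before an upgrade lands may want a quick static check. The script below is an added example, not part of this advisory or of git itself: it parses .gitmodules with a minimal hand-written reader and flags submodule URLs longer than the 1024-character limit named above, plus submodule paths that are absolute, traverse with "..", or contain a component that would resolve to .git/. The path heuristic is an assumption of this example, not git's own validation, and it only catches literal paths; it cannot see the symlink or case-folding tricks that the real fix addresses, so it supplements the package upgrade rather than replacing it. The sample .gitmodules content is constructed inline.

```python
"""Audit a .gitmodules file for the submodule properties named in
DLA-3844-1: URLs longer than 1024 characters (CVE-2023-29007) and paths
that would place a submodule inside .git/ (CVE-2024-32002).

Added example for illustration; not Debian or upstream git code.
"""
import re

MAX_SAFE_URL_LEN = 1024          # limit stated in the advisory for CVE-2023-29007
SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]+)"\]$')


def parse_gitmodules(text):
    """Minimal reader for the git-config style .gitmodules format.

    Returns {submodule name: {"path": ..., "url": ...}}.  Quoted values and
    value continuation lines are not handled; that is enough for this audit.
    """
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group("name"), {})
            continue
        if current is None or "=" not in line:   # key outside a section, or junk
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        current[key.lower()] = value
    return modules


def suspicious_path(path):
    """Heuristic (an assumption of this example, not git's own check):
    return a reason string for paths that escape the working tree or whose
    components would land inside .git/, else None."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    if path.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", path):
        return "absolute path"
    if ".." in parts:
        return "path traversal"
    # Case-insensitive match, and strip trailing dots/spaces that some
    # filesystems ignore when resolving names.
    if any(p.lower().rstrip(". ") == ".git" for p in parts):
        return "component resolves to .git"
    return None


def audit_gitmodules(text):
    """Return a list of (submodule name, reason) findings for the given
    .gitmodules content."""
    findings = []
    for name, cfg in parse_gitmodules(text).items():
        url = cfg.get("url", "")
        if len(url) > MAX_SAFE_URL_LEN:
            findings.append((name, f"url length {len(url)} exceeds {MAX_SAFE_URL_LEN}"))
        reason = suspicious_path(cfg.get("path", ""))
        if reason:
            findings.append((name, reason))
    return findings


# Constructed sample: one benign submodule, one with an over-long URL, and
# one whose path points into .git/ (case-varied to exercise the check).
SAMPLE = """\
[submodule "lib/ok"]
\tpath = lib/ok
\turl = https://example.invalid/ok.git
[submodule "longurl"]
\tpath = vendor/long
\turl = https://example.invalid/""" + "a" * 1100 + """
[submodule "hooked"]
\tpath = .GIT/hooks
\turl = https://example.invalid/hooked.git
"""

if __name__ == "__main__":
    for name, reason in audit_gitmodules(SAMPLE):
        print(f"{name}: {reason}")
```

To run it against a real checkout, read the repository's .gitmodules into a string and pass it to `audit_gitmodules`; an empty result means nothing matched the two heuristics, not that the repository is safe, so the advisory's upgrade remains the actual fix.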
For Debian 10 buster, these problems have been fixed in version
1:2.20.1-2+deb10u9.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/git

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS