Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-25652 #1739

Closed
GoVulnBot opened this issue Apr 25, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-25652 #1739

GoVulnBot opened this issue Apr 25, 2023 · 1 comment
Assignees
@zpavlinovic
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2023-25652 references github.com/git/git, which may be a Go module.

Description:
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the *.rej file exists.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/git/git
    packages:
      - package: git
description: |
    Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists.
cves:
  - CVE-2023-25652
references:
  - advisory: https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx
  - fix: https://github.com/git/git/commit/18e2b1cfc80990719275d7b08e6e50f3e8cbc902
  - fix: https://github.com/git/git/commit/668f2d53613ac8fd373926ebe219f2c29112d93e
@zpavlinovic zpavlinovic self-assigned this Apr 25, 2023
@zpavlinovic zpavlinovic added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Apr 25, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/488995 mentions this issue: data/excluded: batch add GO-2023-1738, GO-2023-1736, GO-2023-1743, GO-2023-1742, GO-2023-1741, GO-2023-1740, GO-2023-1739

This was referenced Nov 8, 2023
Closed
Closed
Closed
Closed
Closed
This was referenced May 14, 2024
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zpavlinovic zpavlinovic

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zpavlinovic @gopherbot @GoVulnBot