rpms/git
6
0
Fork 0
Code Issues Pull Requests Releases Activity

update to 2.39.2 (CVE-2023-22490, CVE-2023-23946)

Browse Source 
From the release notes for 2.30.8¹:

     * CVE-2023-22490:

       Using a specially-crafted repository, Git can be tricked into using
       its local clone optimization even when using a non-local transport.
       Though Git will abort local clones whose source $GIT_DIR/objects
       directory contains symbolic links (c.f., CVE-2022-39253), the objects
       directory itself may still be a symbolic link.

       These two may be combined to include arbitrary files based on known
       paths on the victim's filesystem within the malicious repository's
       working copy, allowing for data exfiltration in a similar manner as
       CVE-2022-39253.

     * CVE-2023-23946:

       By feeding a crafted input to "git apply", a path outside the
       working tree can be overwritten as the user who is running "git
       apply".

     * A mismatched type in `attr.c::read_attr_from_index()` which could
       cause Git to errantly reject attributes on Windows and 32-bit Linux
       has been corrected.

    Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was
    developed by Taylor Blau, with additional help from others on the
    Git security mailing list.

    Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the
    fix was developed by Patrick Steinhardt.

¹ https://github.com/git/git/raw/v2.39.2/Documentation/RelNotes/2.30.8.txt
This commit is contained in:
Todd Zullinger 2023-02-14 13:15:01 -05:00
parent 7c34cecc4c
commit 4583821b53
2 changed files with 7 additions and 4 deletions

7
git.spec
View File

@ -80,8 +80,8 @@
%global _package_note_file %{_builddir}/%{name}-%{version}%{?rcrev}/.package_note-%{name}-%{version}-%{release}.%{_arch}.ld
Name: git
Version: 2.39.1
Release: 2%{?rcrev}%{?dist}
Version: 2.39.2
Release: 1%{?rcrev}%{?dist}
Summary: Fast Version Control System
License: BSD-3-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
URL: https://git-scm.com/
@ -1035,6 +1035,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
%{?with_docs:%{_pkgdocdir}/git-svn.html}
%changelog
* Tue Feb 14 2023 Todd Zullinger <tmz@pobox.com> - 2.39.2-1
- update to 2.39.2 (CVE-2023-22490, CVE-2023-23946)
* Fri Feb 03 2023 Todd Zullinger <tmz@pobox.com> - 2.39.1-2
- drop perl Email::Valid dep on RHEL (#2166718)

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (git-2.39.1.tar.xz) = b1821a814947f01adf98206a7e9a01da9daa617b1192e8ef6968b05af8d874f028fb26b5f828a9c48f734ef2c276f4d23bdc898ba46fb7aaa96dbe68081037e9
SHA512 (git-2.39.1.tar.sign) = b6295e186263654b686fd0f0814a68dfbd04635ff4d613a09fa9d13897b584d06611903bc0205ecee6f01932c4065d20671bd91f8e6239a5f9c6a2fc6c38b87d
SHA512 (git-2.39.2.tar.xz) = fdca70bee19401c5c7a6d2f3d70bd80b6ba99f6a9f97947de31d4366ee3a78a18d5298abb25727ec8ef67131bca673e48dff2a5a050b6e032884ab04066b20cb
SHA512 (git-2.39.2.tar.sign) = 9d2641d179f809e55bf44fe9fed9d955e88461fc2cb4120ec3b1cd42944a6715ae9e080ea2e8d53e5e68335b7b4577aa363c836d2af56fbca3820d931b985cd9