4583821b53
From the release notes for 2.30.8¹:
* CVE-2023-22490:
Using a specially-crafted repository, Git can be tricked into using
its local clone optimization even when using a non-local transport.
Though Git will abort local clones whose source $GIT_DIR/objects
directory contains symbolic links (c.f., CVE-2022-39253), the objects
directory itself may still be a symbolic link.
These two may be combined to include arbitrary files based on known
paths on the victim's filesystem within the malicious repository's
working copy, allowing for data exfiltration in a similar manner as
CVE-2022-39253.
* CVE-2023-23946:
By feeding a crafted input to "git apply", a path outside the
working tree can be overwritten as the user who is running "git
apply".
* A mismatched type in `attr.c::read_attr_from_index()` which could
cause Git to errantly reject attributes on Windows and 32-bit Linux
has been corrected.
Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was
developed by Taylor Blau, with additional help from others on the
Git security mailing list.
Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the
fix was developed by Patrick Steinhardt.
¹ https://github.com/git/git/raw/v2.39.2/Documentation/RelNotes/2.30.8.txt
3 lines
318 B
Plaintext
3 lines
318 B
Plaintext
SHA512 (git-2.39.2.tar.xz) = fdca70bee19401c5c7a6d2f3d70bd80b6ba99f6a9f97947de31d4366ee3a78a18d5298abb25727ec8ef67131bca673e48dff2a5a050b6e032884ab04066b20cb
|
|
SHA512 (git-2.39.2.tar.sign) = 9d2641d179f809e55bf44fe9fed9d955e88461fc2cb4120ec3b1cd42944a6715ae9e080ea2e8d53e5e68335b7b4577aa363c836d2af56fbca3820d931b985cd9
|