RHSA-2023:0609: Red Hat Security Advisory: git security update
An update for git is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index, or both. This integer overflow can result in arbitrary heap reads and writes, which may allow remote code execution.
- CVE-2022-41903: A flaw was found in Git, a distributed revision control system. This issue occurs due to an integer overflow in `pretty.c::format_and_pad_commit()`, where a `size_t` is stored improperly as an `int` and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=…`). It may also be triggered indirectly through `git archive` via the `export-subst` mechanism, which expands format specifiers inside files within the repository during a `git archive`. This integer overflow can result in arbitrary heap writes, which may allow arbitrary code execution.
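The `size_t`-to-`int` narrowing named for CVE-2022-41903 above, shown as an added illustration in C. This is not Git's code and not the logic of `format_and_pad_commit()`; it is a hypothetical routine that right-aligns a string in a fixed-width field, written once with the narrowed-int arithmetic and once with `size_t` arithmetic and explicit bounds checks. The function names, the field/width model and the inputs are assumptions made for the example; real exploitation needs widths or lengths beyond `INT_MAX`, so the buggy variant only returns the offset it would have used and never writes memory.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model of the bug class in CVE-2022-41903 (not Git's code):
 * right-align `src` in a field `width` bytes wide inside `dst`, computing
 * the padding first and then memcpy()ing at dst + pad.
 */

/*
 * Buggy form: width and length are narrowed from size_t to int before the
 * padding is computed, so a width of 2^31 or more becomes a negative number
 * and the memcpy() destination lands outside the buffer. The function only
 * returns the offset the bug would use; it does not touch memory, so the
 * corrupt arithmetic can be observed safely. The subtraction is done in
 * long to keep the demonstration itself free of signed overflow.
 */
long buggy_pad_offset(size_t width, size_t src_len)
{
    int w = (int)width;   /* lossy narrowing: (size_t)INT_MAX + 1 -> INT_MIN on common ABIs */
    int l = (int)src_len;
    return (long)w - (long)l;   /* offset that memcpy(dst + pad, ...) would get */
}

/*
 * Hardened form: all arithmetic stays in size_t and every quantity is
 * checked against the destination before anything is written.
 * Returns false, writing nothing, for inputs that cannot be satisfied.
 */
bool safe_pad(char *dst, size_t dst_cap, size_t width,
              const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL)
        return false;
    if (width >= dst_cap)          /* field plus NUL terminator must fit */
        return false;
    if (src_len > width)           /* would need negative padding */
        return false;
    size_t pad = width - src_len;  /* cannot wrap after the check above */
    memset(dst, ' ', pad);
    memcpy(dst + pad, src, src_len);
    dst[width] = '\0';
    return true;
}

int main(void)
{
    char buf[16];
    size_t huge = (size_t)INT_MAX + 1;   /* constructed attacker-style width */

    bool ok = safe_pad(buf, sizeof buf, 8, "abc", 3);
    printf("small width: buggy offset %ld, safe %s -> \"%s\"\n",
           buggy_pad_offset(8, 3), ok ? "ok" : "rejected", ok ? buf : "");
    printf("huge width:  buggy offset %ld, safe %s\n",
           buggy_pad_offset(huge, 3),
           safe_pad(buf, sizeof buf, huge, "abc", 3) ? "ok" : "rejected");
    return 0;
}
```

For ordinary widths both forms agree, which is why this kind of narrowing survives normal testing; the divergence only appears once a value no longer fits in an `int`, and the hardened form refuses that input instead of computing with it.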
Summary
Important: git security update
Type/Severity
Security Advisory: Important
Topic
An update for git is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Security Fix(es):
- git: gitattributes parsing integer overflow (CVE-2022-23521)
- git: Heap overflow in `git archive`, `git log --format` leading to RCE (CVE-2022-41903)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux Server - AUS 8.2 x86_64
- Red Hat Enterprise Linux Server - TUS 8.2 x86_64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.2 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.2 x86_64
Fixes
- BZ - 2162055 - CVE-2022-23521 git: gitattributes parsing integer overflow
- BZ - 2162056 - CVE-2022-41903 git: Heap overflow in `git archive`, `git log --format` leading to RCE
References
- https://access.redhat.com/security/updates/classification/#important
Red Hat Enterprise Linux Server - AUS 8.2
SRPM
git-2.18.4-3.el8_2.src.rpm
SHA-256: 1e44a91039c3775efcc48bfbff9d777200d3b594af38343f3d9a27256b15065b
x86_64
git-2.18.4-3.el8_2.x86_64.rpm
SHA-256: c1de6ab86f6491ecb03d0d6bac2ce23979f2697a5aecc045273ac14a3710259b
git-all-2.18.4-3.el8_2.noarch.rpm
SHA-256: 2f7b667cae79e4ebaec60a7b6f45fa554df603a2ed5c0bfda8030ed622836228
git-core-2.18.4-3.el8_2.x86_64.rpm
SHA-256: afe4dbf85d4c9b6121e20345a8e10d140f7b5e5607c0217d6c89dae6690e82c9
git-core-debuginfo-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 121657287371655f84ab37195de765054d5e8a391d73ce05283ad98a10e6b8c0
git-core-doc-2.18.4-3.el8_2.noarch.rpm
SHA-256: 5ec9ff8f4ff570a4188d6bf5ac18d520174651519212990ce19ffd02ae644645
git-daemon-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 02428b3c36d82eb611764dc078fb0040198eb918f6664e6a15adc14c4f13907e
git-daemon-debuginfo-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 6ea33f57fba614dc1581dade2459b1726b261098c8e7a3cabbe793567ee642d5
git-debuginfo-2.18.4-3.el8_2.x86_64.rpm
SHA-256: bb403256ea03efa30cbd2627706e95574c80ec1c0b132a729148885b376e31f8
git-debugsource-2.18.4-3.el8_2.x86_64.rpm
SHA-256: cbd38afc69c298fff22a84bd51d73db4d32a0ae2a1e1e13727891508e6c8491e
git-email-2.18.4-3.el8_2.noarch.rpm
SHA-256: 725f9dd78deb873fdb4db718abccf4c4b54f0fd25596aca53c0394a9f99acda6
git-gui-2.18.4-3.el8_2.noarch.rpm
SHA-256: 532761abf0dc486c8d72870523590568940211b4f4ff10444cfc5f2a456fa87c
git-instaweb-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 829a290f3cf272dbce94ecec4f7b3f847e18e724344b6a8997261e60d11f5835
git-subtree-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 30be54ca22a9205cb96658ae146abe131a613dff6a2f7c47b045a1d62d0e2666
git-svn-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 24ce18f609c27fe5040e392f545f9885e3c5ee182ed107bfc145fd4c4cb33dc7
git-svn-debuginfo-2.18.4-3.el8_2.x86_64.rpm
SHA-256: cbfabe763ed5853e70881d83c6aab22707434de23da27ac652d9e9e6fc80d865
gitk-2.18.4-3.el8_2.noarch.rpm
SHA-256: ae458d7e462126a41ea8f79cb74538404a0b5d59fe08a26a2c11ecd46ce2b951
gitweb-2.18.4-3.el8_2.noarch.rpm
SHA-256: ba38d654e3e456cb54b8c4e61d61dfe7f1b9af40121490e5d532b718eb41b35f
perl-Git-2.18.4-3.el8_2.noarch.rpm
SHA-256: d3c2bd64ad2c6d8a4dde3432ba4dd51874e46b8ca1d5b30994c530652eca8935
perl-Git-SVN-2.18.4-3.el8_2.noarch.rpm
SHA-256: 7065efcc1dce0f5a56676346d04ce1c8c1043e93dcb362a04eda633ce26bd872
Red Hat Enterprise Linux Server - TUS 8.2
SRPM
git-2.18.4-3.el8_2.src.rpm
SHA-256: 1e44a91039c3775efcc48bfbff9d777200d3b594af38343f3d9a27256b15065b
x86_64
git-2.18.4-3.el8_2.x86_64.rpm
SHA-256: c1de6ab86f6491ecb03d0d6bac2ce23979f2697a5aecc045273ac14a3710259b
git-all-2.18.4-3.el8_2.noarch.rpm
SHA-256: 2f7b667cae79e4ebaec60a7b6f45fa554df603a2ed5c0bfda8030ed622836228
git-core-2.18.4-3.el8_2.x86_64.rpm
SHA-256: afe4dbf85d4c9b6121e20345a8e10d140f7b5e5607c0217d6c89dae6690e82c9
git-core-debuginfo-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 121657287371655f84ab37195de765054d5e8a391d73ce05283ad98a10e6b8c0
git-core-doc-2.18.4-3.el8_2.noarch.rpm
SHA-256: 5ec9ff8f4ff570a4188d6bf5ac18d520174651519212990ce19ffd02ae644645
git-daemon-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 02428b3c36d82eb611764dc078fb0040198eb918f6664e6a15adc14c4f13907e
git-daemon-debuginfo-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 6ea33f57fba614dc1581dade2459b1726b261098c8e7a3cabbe793567ee642d5
git-debuginfo-2.18.4-3.el8_2.x86_64.rpm
SHA-256: bb403256ea03efa30cbd2627706e95574c80ec1c0b132a729148885b376e31f8
git-debugsource-2.18.4-3.el8_2.x86_64.rpm
SHA-256: cbd38afc69c298fff22a84bd51d73db4d32a0ae2a1e1e13727891508e6c8491e
git-email-2.18.4-3.el8_2.noarch.rpm
SHA-256: 725f9dd78deb873fdb4db718abccf4c4b54f0fd25596aca53c0394a9f99acda6
git-gui-2.18.4-3.el8_2.noarch.rpm
SHA-256: 532761abf0dc486c8d72870523590568940211b4f4ff10444cfc5f2a456fa87c
git-instaweb-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 829a290f3cf272dbce94ecec4f7b3f847e18e724344b6a8997261e60d11f5835
git-subtree-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 30be54ca22a9205cb96658ae146abe131a613dff6a2f7c47b045a1d62d0e2666
git-svn-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 24ce18f609c27fe5040e392f545f9885e3c5ee182ed107bfc145fd4c4cb33dc7
git-svn-debuginfo-2.18.4-3.el8_2.x86_64.rpm
SHA-256: cbfabe763ed5853e70881d83c6aab22707434de23da27ac652d9e9e6fc80d865
gitk-2.18.4-3.el8_2.noarch.rpm
SHA-256: ae458d7e462126a41ea8f79cb74538404a0b5d59fe08a26a2c11ecd46ce2b951
gitweb-2.18.4-3.el8_2.noarch.rpm
SHA-256: ba38d654e3e456cb54b8c4e61d61dfe7f1b9af40121490e5d532b718eb41b35f
perl-Git-2.18.4-3.el8_2.noarch.rpm
SHA-256: d3c2bd64ad2c6d8a4dde3432ba4dd51874e46b8ca1d5b30994c530652eca8935
perl-Git-SVN-2.18.4-3.el8_2.noarch.rpm
SHA-256: 7065efcc1dce0f5a56676346d04ce1c8c1043e93dcb362a04eda633ce26bd872
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.2
SRPM
git-2.18.4-3.el8_2.src.rpm
SHA-256: 1e44a91039c3775efcc48bfbff9d777200d3b594af38343f3d9a27256b15065b
ppc64le
git-2.18.4-3.el8_2.ppc64le.rpm
SHA-256: 5cd112f66427eb9f980b5939e9f34ac4df3c2c06d9325f6f706f79a98535aead
git-all-2.18.4-3.el8_2.noarch.rpm
SHA-256: 2f7b667cae79e4ebaec60a7b6f45fa554df603a2ed5c0bfda8030ed622836228
git-core-2.18.4-3.el8_2.ppc64le.rpm
SHA-256: c1041fb88d0e4b71ca56e3f53cdfcdd44077877c5fc0a0e7ab3f0e8155a27159
git-core-debuginfo-2.18.4-3.el8_2.ppc64le.rpm
SHA-256: e18509ae5e7debc83b0a85866c3e3681934b104291ec1543dea5c316f3dac5e9
git-core-doc-2.18.4-3.el8_2.noarch.rpm
SHA-256: 5ec9ff8f4ff570a4188d6bf5ac18d520174651519212990ce19ffd02ae644645
git-daemon-2.18.4-3.el8_2.ppc64le.rpm
SHA-256: d4900cd4c9f7aa2ea1de15b8cd251d5b28e801c2486e109702354fb774a8155c
git-daemon-debuginfo-2.18.4-3.el8_2.ppc64le.rpm
SHA-256: e28ced9897058664052f2f17adada92853f9dcad84c5032dc1aeaa6ec543b7b1
git-debuginfo-2.18.4-3.el8_2.ppc64le.rpm
SHA-256: dc7af65947f4a337e2de05ff721a74ce1c5d2486249f339ae42c45970a0406b0
git-debugsource-2.18.4-3.el8_2.ppc64le.rpm
SHA-256: ccf1342bbf95ad32c6af7b5ef864038526cff8109d913aeadea14ee6db72b9c1
git-email-2.18.4-3.el8_2.noarch.rpm
SHA-256: 725f9dd78deb873fdb4db718abccf4c4b54f0fd25596aca53c0394a9f99acda6
git-gui-2.18.4-3.el8_2.noarch.rpm
SHA-256: 532761abf0dc486c8d72870523590568940211b4f4ff10444cfc5f2a456fa87c
git-instaweb-2.18.4-3.el8_2.ppc64le.rpm
SHA-256: 7470ba8009cc09d7133b5c0d312a7cd0b8bbc40ea164f53c5bdbd0dae30ae1a0
git-subtree-2.18.4-3.el8_2.ppc64le.rpm
SHA-256: 241e197d9d93d9c4fe7bf294ee7e809c28e31abb761915dc4c8d35e9b17bf141
git-svn-2.18.4-3.el8_2.ppc64le.rpm
SHA-256: 030cde5e7ea5ce64272af540ea56011e6f9dd9d2f055209c668f9431788f6ea9
git-svn-debuginfo-2.18.4-3.el8_2.ppc64le.rpm
SHA-256: a09be6851454e28c137dff4b6b783cef5883b0dd97b9a26de56b51f8b6d68cec
gitk-2.18.4-3.el8_2.noarch.rpm
SHA-256: ae458d7e462126a41ea8f79cb74538404a0b5d59fe08a26a2c11ecd46ce2b951
gitweb-2.18.4-3.el8_2.noarch.rpm
SHA-256: ba38d654e3e456cb54b8c4e61d61dfe7f1b9af40121490e5d532b718eb41b35f
perl-Git-2.18.4-3.el8_2.noarch.rpm
SHA-256: d3c2bd64ad2c6d8a4dde3432ba4dd51874e46b8ca1d5b30994c530652eca8935
perl-Git-SVN-2.18.4-3.el8_2.noarch.rpm
SHA-256: 7065efcc1dce0f5a56676346d04ce1c8c1043e93dcb362a04eda633ce26bd872
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.2
SRPM
git-2.18.4-3.el8_2.src.rpm
SHA-256: 1e44a91039c3775efcc48bfbff9d777200d3b594af38343f3d9a27256b15065b
x86_64
git-2.18.4-3.el8_2.x86_64.rpm
SHA-256: c1de6ab86f6491ecb03d0d6bac2ce23979f2697a5aecc045273ac14a3710259b
git-all-2.18.4-3.el8_2.noarch.rpm
SHA-256: 2f7b667cae79e4ebaec60a7b6f45fa554df603a2ed5c0bfda8030ed622836228
git-core-2.18.4-3.el8_2.x86_64.rpm
SHA-256: afe4dbf85d4c9b6121e20345a8e10d140f7b5e5607c0217d6c89dae6690e82c9
git-core-debuginfo-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 121657287371655f84ab37195de765054d5e8a391d73ce05283ad98a10e6b8c0
git-core-doc-2.18.4-3.el8_2.noarch.rpm
SHA-256: 5ec9ff8f4ff570a4188d6bf5ac18d520174651519212990ce19ffd02ae644645
git-daemon-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 02428b3c36d82eb611764dc078fb0040198eb918f6664e6a15adc14c4f13907e
git-daemon-debuginfo-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 6ea33f57fba614dc1581dade2459b1726b261098c8e7a3cabbe793567ee642d5
git-debuginfo-2.18.4-3.el8_2.x86_64.rpm
SHA-256: bb403256ea03efa30cbd2627706e95574c80ec1c0b132a729148885b376e31f8
git-debugsource-2.18.4-3.el8_2.x86_64.rpm
SHA-256: cbd38afc69c298fff22a84bd51d73db4d32a0ae2a1e1e13727891508e6c8491e
git-email-2.18.4-3.el8_2.noarch.rpm
SHA-256: 725f9dd78deb873fdb4db718abccf4c4b54f0fd25596aca53c0394a9f99acda6
git-gui-2.18.4-3.el8_2.noarch.rpm
SHA-256: 532761abf0dc486c8d72870523590568940211b4f4ff10444cfc5f2a456fa87c
git-instaweb-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 829a290f3cf272dbce94ecec4f7b3f847e18e724344b6a8997261e60d11f5835
git-subtree-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 30be54ca22a9205cb96658ae146abe131a613dff6a2f7c47b045a1d62d0e2666
git-svn-2.18.4-3.el8_2.x86_64.rpm
SHA-256: 24ce18f609c27fe5040e392f545f9885e3c5ee182ed107bfc145fd4c4cb33dc7
git-svn-debuginfo-2.18.4-3.el8_2.x86_64.rpm
SHA-256: cbfabe763ed5853e70881d83c6aab22707434de23da27ac652d9e9e6fc80d865
gitk-2.18.4-3.el8_2.noarch.rpm
SHA-256: ae458d7e462126a41ea8f79cb74538404a0b5d59fe08a26a2c11ecd46ce2b951
gitweb-2.18.4-3.el8_2.noarch.rpm
SHA-256: ba38d654e3e456cb54b8c4e61d61dfe7f1b9af40121490e5d532b718eb41b35f
perl-Git-2.18.4-3.el8_2.noarch.rpm
SHA-256: d3c2bd64ad2c6d8a4dde3432ba4dd51874e46b8ca1d5b30994c530652eca8935
perl-Git-SVN-2.18.4-3.el8_2.noarch.rpm
SHA-256: 7065efcc1dce0f5a56676346d04ce1c8c1043e93dcb362a04eda633ce26bd872
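A check an administrator can run after applying the update, added here as an example and not part of the advisory: it compares an installed git package's NVRA against the fixed build git-2.18.4-3.el8_2 listed in the tables above, and verifies a downloaded RPM against one of the SHA-256 values printed under each package name. The function names are my own; the sample NVRAs in the comments are constructed; it assumes `sed -E`, `sha256sum` and, on a real host, `rpm` are available, and it only decides for the el8_2 stream, where the version stays 2.18.4 and only the release number advances.

```shell
#!/bin/sh
# Added check, not part of RHSA-2023:0609. Decides whether an installed git
# build on a RHEL 8.2 AUS/TUS/E4S host is at or after the fixed build
# git-2.18.4-3.el8_2, and verifies a downloaded RPM against the SHA-256
# the advisory lists for it.

FIXED_VERSION="2.18.4"
FIXED_RELEASE=3

# rhsa_2023_0609_fixed NVRA
#   exit 0 if NVRA (e.g. git-core-2.18.4-3.el8_2.x86_64) is the fixed build
#   or later, 1 if it is older or not an el8_2 build (other streams are not
#   guessed at: their fixed builds are in their own advisories).
rhsa_2023_0609_fixed() {
    # extract "<version> <release>" from name-version-release.el8_2[.arch]
    set -- $(printf '%s\n' "$1" |
        sed -nE 's/^.*-([0-9][0-9.]*)-([0-9]+)\.el8_2(\..*)?$/\1 \2/p')
    [ $# -eq 2 ] || return 1
    [ "$1" = "$FIXED_VERSION" ] || return 1
    [ "$2" -ge "$FIXED_RELEASE" ]
}

# verify_rpm_sha256 FILE EXPECTED_HEX
#   exit 0 when FILE hashes to EXPECTED_HEX (the value printed under the
#   package name in the advisory), 1 on mismatch, 2 if sha256sum is missing.
verify_rpm_sha256() {
    command -v sha256sum >/dev/null 2>&1 || return 2
    printf '%s  %s\n' "$2" "$1" | sha256sum -c --status
}

# Live check on an actual host; skipped where rpm is not installed.
if command -v rpm >/dev/null 2>&1; then
    for p in $(rpm -q git git-core 2>/dev/null | grep -v 'not installed'); do
        if rhsa_2023_0609_fixed "$p"; then
            echo "fixed:     $p"
        else
            echo "NOT fixed: $p"
        fi
    done
    # Second opinion: Red Hat's package changelog names the CVEs a build fixes.
    rpm -q --changelog git-core 2>/dev/null | grep -E 'CVE-2022-(23521|41903)'
fi
```

Typical use is `rhsa_2023_0609_fixed "$(rpm -q git-core)"` in a fleet-wide audit script, and `verify_rpm_sha256 git-2.18.4-3.el8_2.x86_64.rpm c1de6ab8…` (the full hash from the x86_64 table above) before installing a package fetched outside of `yum`.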
Related news
Gentoo Linux Security Advisory 202312-15 - Several vulnerabilities have been found in Git, the worst of which could lead to remote code execution. Versions prior to 2.39.3 are affected.
A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to file content exposure and other issues.
Red Hat Security Advisory 2023-1158-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.31. Issues addressed include a denial of service vulnerability.
Ubuntu Security Notice 5810-4 - USN-5810-1 fixed several vulnerabilities in Git. This update provides the corresponding update for Ubuntu 14.04 ESM. Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled certain gitattributes. An attacker could possibly use this issue to cause a crash or execute arbitrary code.
Red Hat Security Advisory 2023-0977-01 - Red Hat OpenShift Data Science 1.22.1 security update. Issues addressed include an improper authorization vulnerability.
An update for git is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.gitattributes...
An update for kubeflow, dashboard, deployer is now available for Red Hat OpenShift Data Science 1.22. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2023-0923: A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to file content exposure and other issues.
Red Hat Security Advisory 2023-0774-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.28. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat Security Advisory 2023-0769-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
An update is now available for Red Hat OpenShift GitOps 1.5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issue significantly reduces the amount of entropy generated in short strings by these functio...
Red Hat Security Advisory 2023-0794-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Red Hat Security Advisory 2023-0633-01 - Logging Subsystem 5.5.7 - Red Hat OpenShift.
Red Hat Security Advisory 2023-0632-01 - Logging Subsystem 5.4.11 - Red Hat OpenShift.
Red Hat OpenShift Container Platform release 4.10.52 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2022-3064: A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.
Red Hat Security Advisory 2023-0627-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-0628-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-0599-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-0596-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-0609-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-0610-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.
An update for git is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via...
An update for git is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.gitattributes...
An update for git is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.gitattributes...
An update for git is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via...
An update for git is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be tri...
An update for rh-git227-git is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.g...
Debian Linux Security Advisory 5332-1 - Multiple issues were found in Git, a distributed revision control system. An attacker may trigger remote code execution, trick local users into executing arbitrary commands, leak information from the local filesystem, and bypass a restricted shell.
Ubuntu Security Notice 5810-2 - USN-5810-1 fixed vulnerabilities in Git. This update introduced a regression as it was missing some commit lines. This update fixes the problem. Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled certain gitattributes. An attacker could possibly use this issue to cause a crash or execute arbitrary code.
CVE-2022-23521 and CVE-2022-41903 are critical flaws present in Git's code. Thankfully, they’ve been addressed in its latest version. The post Update now! Two critical flaws in Git's code found, patched appeared first on Malwarebytes Labs.
Ubuntu Security Notice 5810-1 - Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled certain gitattributes. An attacker could possibly use this issue to cause a crash or execute arbitrary code. Joern Schneeweisz discovered that Git incorrectly handled certain commands. An attacker could possibly use this issue to cause a crash or execute arbitrary code.
The maintainers of the Git source code version control system have released updates to remediate two critical vulnerabilities that could be exploited by a malicious actor to achieve remote code execution. The flaws, tracked as CVE-2022-23521 and CVE-2022-41903, affect the following versions of Git: v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39.0.
Git is a distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is an integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to u...
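The `size_t`-stored-as-`int` bug shape described above, modelled as an added example. This is not git's `pretty.c`; the function names (`padding_narrowed`, `pad_left`, `check_pad_left`), the `%<(N)`-style width request, and the choice to cap the requested width at `INT_MAX` are this example's own assumptions. It puts the narrowed arithmetic beside a version that stays in `size_t` and bounds-checks the destination before anything is copied.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not git's code.  A padding placeholder such as %<(N) asks
 * for N columns; the formatter works out how many pad characters to emit
 * and then uses that amount as an offset for memcpy().  The width N comes
 * from an untrusted format string or from an export-subst expansion. */

/* Vulnerable shape: the size_t difference is narrowed to int.  The return
 * value is what the real code would add to a buffer pointer before the
 * memcpy; a width of 2^31 or more makes it negative, i.e. a pointer that
 * lands before (or, on wraparound, far past) the buffer. */
static int padding_narrowed(size_t width, size_t len)
{
    if (width < len)
        return 0;
    int padding = (int)(width - len);   /* BUG: narrowing conversion */
    return padding;
}

/* Hardened shape: keep the arithmetic in size_t, refuse widths that could
 * not survive any int downstream (assumption: INT_MAX cap), and verify the
 * destination can hold width + 1 bytes before writing.  Returns false and
 * writes nothing when the request cannot be honoured. */
static bool pad_left(const char *s, size_t width, char *out, size_t out_cap)
{
    size_t len = strlen(s);
    if (width > INT_MAX)
        return false;
    if (width < len)
        width = len;                    /* nothing to pad */
    if (width >= out_cap)               /* need room for the NUL as well */
        return false;
    size_t padding = width - len;
    memset(out, ' ', padding);
    memcpy(out + padding, s, len + 1);
    return true;
}

/* Exercises pad_left on constructed inputs, including the CVE-shaped one. */
static bool check_pad_left(void)
{
    char buf[16];
    return pad_left("abc", 6, buf, sizeof buf) && strcmp(buf, "   abc") == 0
        && pad_left("abcdef", 2, buf, sizeof buf) && strcmp(buf, "abcdef") == 0
        && !pad_left("abc", 16, buf, sizeof buf)               /* would overrun buf */
        && !pad_left("abc", (size_t)INT_MAX + 10, buf, sizeof buf);
}

int main(void)
{
    printf("narrowed padding for width 10, len 3: %d\n", padding_narrowed(10, 3));
    printf("narrowed padding for width INT_MAX+10, len 5: %d (negative = bad offset)\n",
           padding_narrowed((size_t)INT_MAX + 10, 5));
    printf("hardened pad_left behaves as expected: %s\n", check_pad_left() ? "yes" : "no");
    return 0;
}
```

The negative value from `padding_narrowed` is the whole story: once it is added to a heap pointer and handed to `memcpy()`, the write goes wherever the attacker chose the width to send it. The hardened version never lets a `size_t` quantity pass through an `int`, and rejects rather than clamps, so a malicious `export-subst` file produces a failed `git archive` instead of a corrupted heap.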
Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched i...
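A minimal gitattributes line parser written as an added example of the defensive shape the paragraph above calls for. It is not git's `attr.c`: the limits (`ATTR_LINE_MAX`, `ATTR_PER_LINE_MAX`, `ATTR_NAME_MAX`, `PATTERN_MAX`), the type and function names, and the sample lines are this example's assumptions; only the 2KB line figure is taken from the advisory text. Over-long lines are rejected outright, the same way regardless of whether they came from the working tree or the index, rather than being silently split in one path and not the other; the per-pattern attribute array is sized with overflow-checked arithmetic; and over-long names are refused instead of being counted into a length that can wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not git's attr.c.  Parses "pattern attr1 -attr2 key=value".
 * Quoted patterns and the '!' (unset) marker are not modelled. */

#define ATTR_LINE_MAX      2048  /* the 2KB figure; applied to every source of lines */
#define ATTR_PER_LINE_MAX  512   /* assumption: cap on attributes per pattern */
#define ATTR_NAME_MAX      64    /* assumption: cap on attribute name length */
#define PATTERN_MAX        256   /* assumption: cap on pattern length */

struct attr_state {
    char name[ATTR_NAME_MAX];   /* "key=value" is kept whole as the name */
    bool negated;               /* "-name" */
};

struct attr_line {
    char pattern[PATTERN_MAX];
    struct attr_state *attrs;   /* heap array of num_attrs entries */
    size_t num_attrs;
};

/* count * elem without wraparound; *out may be NULL when only the check is wanted. */
static bool checked_array_size(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return false;
    if (out)
        *out = count * elem;
    return true;
}

/* Number of whitespace-separated fields on the line. */
static size_t count_fields(const char *s)
{
    size_t n = 0;
    while (*s) {
        s += strspn(s, " \t");
        if (!*s)
            break;
        n++;
        s += strcspn(s, " \t");
    }
    return n;
}

/* Parse one line into *res.  Returns false when any limit is exceeded (the
 * caller then ignores the line); *res is not valid after a failure. */
static bool parse_attr_line(const char *line, struct attr_line *res)
{
    size_t len = strlen(line);
    if (len == 0 || len > ATTR_LINE_MAX || line[0] == '#')
        return false;
    size_t fields = count_fields(line);
    if (fields == 0)
        return false;
    size_t nattr = fields - 1, bytes = 0;
    if (nattr > ATTR_PER_LINE_MAX || !checked_array_size(nattr, sizeof(struct attr_state), &bytes))
        return false;
    struct attr_state *attrs = nattr ? malloc(bytes) : NULL;
    if (nattr && !attrs)
        return false;

    const char *p = line + strspn(line, " \t");
    size_t tlen = strcspn(p, " \t");
    if (tlen >= PATTERN_MAX) {
        free(attrs);
        return false;
    }
    memcpy(res->pattern, p, tlen);
    res->pattern[tlen] = '\0';
    p += tlen;

    for (size_t i = 0; i < nattr; i++) {
        p += strspn(p, " \t");
        tlen = strcspn(p, " \t");
        const char *name = p;
        size_t nlen = tlen;
        bool neg = (nlen > 0 && name[0] == '-');
        if (neg) {
            name++;
            nlen--;
        }
        if (nlen == 0 || nlen >= ATTR_NAME_MAX) {   /* empty or over-long name: refuse */
            free(attrs);
            return false;
        }
        memcpy(attrs[i].name, name, nlen);
        attrs[i].name[nlen] = '\0';
        attrs[i].negated = neg;
        p += tlen;
    }
    res->attrs = attrs;
    res->num_attrs = nattr;
    return true;
}

/* Constructed inputs exercising the accept path and two reject paths. */
static bool check_normal_line(void)
{
    struct attr_line al;
    if (!parse_attr_line("*.c  diff=cpp -text", &al))
        return false;
    bool ok = strcmp(al.pattern, "*.c") == 0 && al.num_attrs == 2
        && strcmp(al.attrs[0].name, "diff=cpp") == 0 && !al.attrs[0].negated
        && strcmp(al.attrs[1].name, "text") == 0 && al.attrs[1].negated;
    free(al.attrs);
    return ok;
}

static bool check_rejects_long_line(void)
{
    char line[ATTR_LINE_MAX + 2];          /* one byte over the limit */
    memset(line, 'a', sizeof line - 1);
    line[sizeof line - 1] = '\0';
    struct attr_line al;
    return !parse_attr_line(line, &al);
}

static bool check_rejects_long_name(void)
{
    char line[ATTR_NAME_MAX + 16];
    memcpy(line, "*.bin ", 6);
    memset(line + 6, 'x', ATTR_NAME_MAX);  /* name too long to fit with its NUL */
    line[6 + ATTR_NAME_MAX] = '\0';
    struct attr_line al;
    return !parse_attr_line(line, &al);
}

int main(void)
{
    printf("normal line parsed:   %s\n", check_normal_line() ? "ok" : "FAIL");
    printf("over-long line:       %s\n", check_rejects_long_line() ? "rejected" : "FAIL");
    printf("over-long attr name:  %s\n", check_rejects_long_name() ? "rejected" : "FAIL");
    return 0;
}
```

The point of rejecting rather than splitting is the last sentence of the paragraph above: a parser whose behaviour depends on where the bytes came from gives an attacker two different failure modes to pick between. Applying one limit at the top of the function, before any count or length is computed, removes that choice and keeps every later size calculation within the range `checked_array_size` can vouch for.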