x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-29007 #1741
Description
CVE-2023-29007 references github.com/git/git, which may be a Go module.
Description:
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.
References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-29007
- JSON: https://github.com/CVEProject/cvelist/tree/a069abb2bf27ff93d2b2ef6ceea090deed9b84c7/2023/29xxx/CVE-2023-29007.json
- advisory: GHSA-v48j-4xgg-4844
- fix: git/git@528290f
- web: https://github.com/git/git/blob/9ce9dea4e1c2419cca126d29fa7730baa078a11b/Documentation/RelNotes/2.30.9.txt
- Imported by: https://pkg.go.dev/github.com/git/git?tab=importedby
Cross references:
- Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-29187 #513 NOT_GO_CODE
- Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-39253 #1068 NOT_GO_CODE
- Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-39260 #1069 NOT_GO_CODE
- Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-23521 #1499 NOT_GO_CODE
- Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-41903 #1500 NOT_GO_CODE
- Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-22490 #1562 NOT_GO_CODE
- Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-23946 #1563 NOT_GO_CODE
See doc/triage.md for instructions on how to triage this report.
modules:
- module: github.com/git/git
packages:
- package: git
description: |
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.
cves:
- CVE-2023-29007
references:
- advisory: https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844
- fix: https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
- web: https://github.com/git/git/blob/9ce9dea4e1c2419cca126d29fa7730baa078a11b/Documentation/RelNotes/2.30.9.txt