Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/git-for-windows/git: CVE-2023-29011 #1742

Closed
GoVulnBot opened this issue Apr 25, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/git-for-windows/git: CVE-2023-29011 #1742

GoVulnBot opened this issue Apr 25, 2023 · 1 comment
Assignees
@zpavlinovic
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2023-29011 references github.com/git-for-windows/git, which may be a Go module.

Description:
Git for Windows, the Windows port of Git, ships with an executable called connect.exe, which implements a SOCKS5 proxy that can be used to connect e.g. to SSH servers via proxies when certain ports are blocked for outgoing connections. The location of connect.exe's config file is hard-coded as /etc/connectrc which will typically be interpreted as C:\etc\connectrc. Since C:\etc can be created by any authenticated user, this makes connect.exe susceptible to malicious files being placed there by other users on the same multi-user machine. The problem has been patched in Git for Windows v2.40.1. As a workaround, create the folder etc on all drives where Git commands are run, and remove read/write access from those folders. Alternatively, watch out for malicious <drive>:\etc\connectrc files on multi-user machines.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/git-for-windows/git
    packages:
      - package: git
description: |
    Git for Windows, the Windows port of Git, ships with an executable called `connect.exe`, which implements a SOCKS5 proxy that can be used to connect e.g. to SSH servers via proxies when certain ports are blocked for outgoing connections. The location of `connect.exe`'s config file is hard-coded as `/etc/connectrc` which will typically be interpreted as `C:\etc\connectrc`. Since `C:\etc` can be created by any authenticated user, this makes `connect.exe` susceptible to malicious files being placed there by other users on the same multi-user machine. The problem has been patched in Git for Windows v2.40.1. As a workaround, create the folder `etc` on all drives where Git commands are run, and remove read/write access from those folders. Alternatively, watch out for malicious `<drive>:\etc\connectrc` files on multi-user machines.
cves:
  - CVE-2023-29011
references:
  - advisory: https://github.com/git-for-windows/git/security/advisories/GHSA-g4fv-xjqw-q7jm
  - web: https://github.com/git-for-windows/git/releases/tag/v2.40.1.windows.1
@zpavlinovic zpavlinovic self-assigned this Apr 26, 2023
@zpavlinovic zpavlinovic added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Apr 26, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/488995 mentions this issue: data/excluded: batch add GO-2023-1738, GO-2023-1736, GO-2023-1743, GO-2023-1742, GO-2023-1741, GO-2023-1740, GO-2023-1739

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zpavlinovic zpavlinovic

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zpavlinovic @gopherbot @GoVulnBot