ALAS2-2023-1984


Amazon Linux 2 Security Advisory: ALAS-2023-1984
Advisory Release Date: 2023-03-02 22:36 Pacific
Advisory Updated Date: 2023-03-07 00:21 Pacific
Severity: Medium

Issue Overview:

Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, clone repositories without recursively cloning their submodules and run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs. (CVE-2023-22490)

Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link. (CVE-2023-23946)
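As an added example, not part of this advisory or of Git itself, the following Python check automates the inspection the CVE-2023-23946 workaround calls for: it parses a patch and flags any file the patch writes beneath a path that the same patch earlier creates as a symbolic link. The sample patch and all names are constructed for illustration.

```python
import re

# Constructed sample patch (not from the advisory): it first creates the
# symlink "docs" and then writes "docs/notes.txt", a path beyond the link.
SAMPLE_PATCH = """\
diff --git a/docs b/docs
new file mode 120000
--- /dev/null
+++ b/docs
@@ -0,0 +1 @@
+/tmp/outside-the-worktree
diff --git a/docs/notes.txt b/docs/notes.txt
new file mode 100644
--- /dev/null
+++ b/docs/notes.txt
@@ -0,0 +1 @@
+written through the symlink
"""

# Git stores a symbolic link as a blob whose file mode is 120000.
SYMLINK_MODE_RE = re.compile(r"^new (?:file )?mode 120000\b")
DIFF_HEADER_RE = re.compile(r"^diff --git a/(.+?) b/(.+)$")


def find_symlink_traversal(patch_text):
    """Return (symlink_path, written_path) pairs for every file the patch
    touches beneath a path that an earlier section of the same patch turned
    into a symlink. An empty list means the pattern was not found."""
    symlinks = []    # paths this patch creates as symlinks, in patch order
    findings = []
    current = None   # destination path of the diff section being read
    for line in patch_text.splitlines():
        header = DIFF_HEADER_RE.match(line)
        if header:
            current = header.group(2)
            # Only a link created earlier in the patch can be written through.
            for link in symlinks:
                if current.startswith(link + "/"):
                    findings.append((link, current))
            continue
        if current is not None and SYMLINK_MODE_RE.match(line):
            symlinks.append(current)
    return findings


if __name__ == "__main__":
    print(find_symlink_traversal(SAMPLE_PATCH))  # [('docs', 'docs/notes.txt')]
```

The check only sees what the patch itself creates; a symlink already present in the working tree, or created by an earlier patch in a series, is not caught, so treat it as a supplement to `git apply --stat` until the package is updated.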


Affected Packages:

git


Note:

This advisory is applicable to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run `yum update git` to update your system.

New Packages:
aarch64:
    git-2.39.2-1.amzn2.0.1.aarch64
    git-core-2.39.2-1.amzn2.0.1.aarch64
    git-credential-libsecret-2.39.2-1.amzn2.0.1.aarch64
    git-daemon-2.39.2-1.amzn2.0.1.aarch64
    git-debuginfo-2.39.2-1.amzn2.0.1.aarch64

i686:
    git-2.39.2-1.amzn2.0.1.i686
    git-core-2.39.2-1.amzn2.0.1.i686
    git-credential-libsecret-2.39.2-1.amzn2.0.1.i686
    git-daemon-2.39.2-1.amzn2.0.1.i686
    git-debuginfo-2.39.2-1.amzn2.0.1.i686

noarch:
    git-all-2.39.2-1.amzn2.0.1.noarch
    git-core-doc-2.39.2-1.amzn2.0.1.noarch
    git-cvs-2.39.2-1.amzn2.0.1.noarch
    git-email-2.39.2-1.amzn2.0.1.noarch
    gitk-2.39.2-1.amzn2.0.1.noarch
    gitweb-2.39.2-1.amzn2.0.1.noarch
    git-gui-2.39.2-1.amzn2.0.1.noarch
    git-instaweb-2.39.2-1.amzn2.0.1.noarch
    git-p4-2.39.2-1.amzn2.0.1.noarch
    perl-Git-2.39.2-1.amzn2.0.1.noarch
    perl-Git-SVN-2.39.2-1.amzn2.0.1.noarch
    git-subtree-2.39.2-1.amzn2.0.1.noarch
    git-svn-2.39.2-1.amzn2.0.1.noarch

src:
    git-2.39.2-1.amzn2.0.1.src

x86_64:
    git-2.39.2-1.amzn2.0.1.x86_64
    git-core-2.39.2-1.amzn2.0.1.x86_64
    git-credential-libsecret-2.39.2-1.amzn2.0.1.x86_64
    git-daemon-2.39.2-1.amzn2.0.1.x86_64
    git-debuginfo-2.39.2-1.amzn2.0.1.x86_64