Amazon Linux 2 Security Advisory: ALAS-2023-1984
Advisory Release Date: 2023-03-02 22:36 Pacific
Advisory Updated Date: 2023-03-07 00:21 Pacific
Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs. (CVE-2023-22490)
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link. (CVE-2023-23946)
Affected Packages:
git
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update git to update your system.
aarch64:
git-2.39.2-1.amzn2.0.1.aarch64
git-core-2.39.2-1.amzn2.0.1.aarch64
git-credential-libsecret-2.39.2-1.amzn2.0.1.aarch64
git-daemon-2.39.2-1.amzn2.0.1.aarch64
git-debuginfo-2.39.2-1.amzn2.0.1.aarch64
i686:
git-2.39.2-1.amzn2.0.1.i686
git-core-2.39.2-1.amzn2.0.1.i686
git-credential-libsecret-2.39.2-1.amzn2.0.1.i686
git-daemon-2.39.2-1.amzn2.0.1.i686
git-debuginfo-2.39.2-1.amzn2.0.1.i686
noarch:
git-all-2.39.2-1.amzn2.0.1.noarch
git-core-doc-2.39.2-1.amzn2.0.1.noarch
git-cvs-2.39.2-1.amzn2.0.1.noarch
git-email-2.39.2-1.amzn2.0.1.noarch
gitk-2.39.2-1.amzn2.0.1.noarch
gitweb-2.39.2-1.amzn2.0.1.noarch
git-gui-2.39.2-1.amzn2.0.1.noarch
git-instaweb-2.39.2-1.amzn2.0.1.noarch
git-p4-2.39.2-1.amzn2.0.1.noarch
perl-Git-2.39.2-1.amzn2.0.1.noarch
perl-Git-SVN-2.39.2-1.amzn2.0.1.noarch
git-subtree-2.39.2-1.amzn2.0.1.noarch
git-svn-2.39.2-1.amzn2.0.1.noarch
src:
git-2.39.2-1.amzn2.0.1.src
x86_64:
git-2.39.2-1.amzn2.0.1.x86_64
git-core-2.39.2-1.amzn2.0.1.x86_64
git-credential-libsecret-2.39.2-1.amzn2.0.1.x86_64
git-daemon-2.39.2-1.amzn2.0.1.x86_64
git-debuginfo-2.39.2-1.amzn2.0.1.x86_64