Skip to content

x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-23946 #1563

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
GoVulnBot opened this issue Feb 14, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-23946 #1563

GoVulnBot opened this issue Feb 14, 2023 · 1 comment
Assignees
@timothy-king
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2023-23946 references github.com/git/git, which may be a Go module.

Description:
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to git apply, a path outside the working tree can be overwritten as the user who is running git apply. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/git/git
    packages:
      - package: git
description: |
    Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
cves:
  - CVE-2023-23946
references:
  - fix: https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd
  - web: https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh
@timothy-king timothy-king self-assigned this Feb 14, 2023
@timothy-king timothy-king added NeedsTriage excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. and removed NeedsTriage labels Feb 14, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/468595 mentions this issue: data/excluded: batch add GO-2023-1565, GO-2023-1564, GO-2023-1563, GO-2023-1562

This was referenced Apr 25, 2023
Closed
Closed
This was referenced Nov 8, 2023
Closed
Closed
Closed
Closed
Closed
This was referenced May 14, 2024
Closed
Closed
Closed
Closed
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@timothy-king timothy-king

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@timothy-king @gopherbot @GoVulnBot