Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/git-for-windows/git: CVE-2023-29011 #1742

Closed
GoVulnBot opened this issue Apr 25, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/git-for-windows/git: CVE-2023-29011 #1742

GoVulnBot opened this issue Apr 25, 2023 · 1 comment
Assignees
@zpavlinovic
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2023-29011 references github.com/git-for-windows/git, which may be a Go module.

Description:
Git for Windows, the Windows port of Git, ships with an executable called connect.exe, which implements a SOCKS5 proxy that can be used to connect e.g. to SSH servers via proxies when certain ports are blocked for outgoing connections. The location of connect.exe's config file is hard-coded as /etc/connectrc which will typically be interpreted as C:\etc\connectrc. Since C:\etc can be created by any authenticated user, this makes connect.exe susceptible to malicious files being placed there by other users on the same multi-user machine. The problem has been patched in Git for Windows v2.40.1. As a workaround, create the folder etc on all drives where Git commands are run, and remove read/write access from those folders. Alternatively, watch out for malicious <drive>:\etc\connectrc files on multi-user machines.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/git-for-windows/git
    packages:
      - package: git
description: |
    Git for Windows, the Windows port of Git, ships with an executable called `connect.exe`, which implements a SOCKS5 proxy that can be used to connect e.g. to SSH servers via proxies when certain ports are blocked for outgoing connections. The location of `connect.exe`'s config file is hard-coded as `/etc/connectrc` which will typically be interpreted as `C:\etc\connectrc`. Since `C:\etc` can be created by any authenticated user, this makes `connect.exe` susceptible to malicious files being placed there by other users on the same multi-user machine. The problem has been patched in Git for Windows v2.40.1. As a workaround, create the folder `etc` on all drives where Git commands are run, and remove read/write access from those folders. Alternatively, watch out for malicious `<drive>:\etc\connectrc` files on multi-user machines.
cves:
  - CVE-2023-29011
references:
  - advisory: https://github.com/git-for-windows/git/security/advisories/GHSA-g4fv-xjqw-q7jm
  - web: https://github.com/git-for-windows/git/releases/tag/v2.40.1.windows.1
@zpavlinovic zpavlinovic self-assigned this Apr 26, 2023
@zpavlinovic zpavlinovic added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Apr 26, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/488995 mentions this issue: data/excluded: batch add GO-2023-1738, GO-2023-1736, GO-2023-1743, GO-2023-1742, GO-2023-1741, GO-2023-1740, GO-2023-1739

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@zpavlinovic zpavlinovic

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zpavlinovic @gopherbot @GoVulnBot