OESA-2023-1120
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1120
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2023-1120.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/OESA-2023-1120
- Upstream
- Published
- 2023-02-24T11:04:57Z
- Modified
- 2025-08-12T05:18:11.856955Z
- Summary
- git security update
- Details
-
Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce,and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.
Security Fix(es):
Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source
$GIT_DIR/objectsdirectory contains symbolic links, theobjectsdirectory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with--recurse-submodules. Instead, consider cloning repositories without recursively cloning their submodules, and instead rungit submodule updateat each layer. Before doing so, inspect each new.gitmodulesfile to ensure that it does not contain suspicious module URLs.(CVE-2023-22490)Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to
git apply, a path outside the working tree can be overwritten as the user who is runninggit apply. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, usegit apply --statto inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.(CVE-2023-23946) - Database specific
{ "severity": "Medium" }- References
Affected packages
openEuler:20.03-LTS-SP1 / git
Package
- Name
- git
- Purl
- pkg:rpm/openEuler/git&distro=openEuler-20.03-LTS-SP1
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.27.0-12.oe1
Ecosystem specific
{
"aarch64": [
"git-debugsource-2.27.0-12.oe1.aarch64.rpm",
"git-debuginfo-2.27.0-12.oe1.aarch64.rpm",
"git-daemon-2.27.0-12.oe1.aarch64.rpm",
"git-2.27.0-12.oe1.aarch64.rpm"
],
"noarch": [
"perl-Git-2.27.0-12.oe1.noarch.rpm",
"git-web-2.27.0-12.oe1.noarch.rpm",
"gitk-2.27.0-12.oe1.noarch.rpm",
"git-email-2.27.0-12.oe1.noarch.rpm",
"git-gui-2.27.0-12.oe1.noarch.rpm",
"git-help-2.27.0-12.oe1.noarch.rpm",
"git-svn-2.27.0-12.oe1.noarch.rpm",
"perl-Git-SVN-2.27.0-12.oe1.noarch.rpm"
],
"x86_64": [
"git-debuginfo-2.27.0-12.oe1.x86_64.rpm",
"git-daemon-2.27.0-12.oe1.x86_64.rpm",
"git-debugsource-2.27.0-12.oe1.x86_64.rpm",
"git-2.27.0-12.oe1.x86_64.rpm"
],
"src": [
"git-2.27.0-12.oe1.src.rpm"
]
}
openEuler:20.03-LTS-SP3 / git
Package
- Name
- git
- Purl
- pkg:rpm/openEuler/git&distro=openEuler-20.03-LTS-SP3
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.27.0-15.oe1
Ecosystem specific
{
"aarch64": [
"git-2.27.0-15.oe1.aarch64.rpm",
"git-debugsource-2.27.0-15.oe1.aarch64.rpm",
"git-debuginfo-2.27.0-15.oe1.aarch64.rpm",
"git-daemon-2.27.0-15.oe1.aarch64.rpm"
],
"noarch": [
"git-svn-2.27.0-15.oe1.noarch.rpm",
"gitk-2.27.0-15.oe1.noarch.rpm",
"git-help-2.27.0-15.oe1.noarch.rpm",
"git-gui-2.27.0-15.oe1.noarch.rpm",
"git-email-2.27.0-15.oe1.noarch.rpm",
"git-web-2.27.0-15.oe1.noarch.rpm",
"perl-Git-SVN-2.27.0-15.oe1.noarch.rpm",
"perl-Git-2.27.0-15.oe1.noarch.rpm"
],
"x86_64": [
"git-daemon-2.27.0-15.oe1.x86_64.rpm",
"git-debuginfo-2.27.0-15.oe1.x86_64.rpm",
"git-debugsource-2.27.0-15.oe1.x86_64.rpm",
"git-2.27.0-15.oe1.x86_64.rpm"
],
"src": [
"git-2.27.0-15.oe1.src.rpm"
]
}
openEuler:22.03-LTS / git
Package
- Name
- git
- Purl
- pkg:rpm/openEuler/git&distro=openEuler-22.03-LTS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.33.0-9.oe2203sp1
Ecosystem specific
{
"aarch64": [
"git-2.33.0-8.oe2203.aarch64.rpm",
"git-daemon-2.33.0-8.oe2203.aarch64.rpm",
"git-debuginfo-2.33.0-8.oe2203.aarch64.rpm",
"git-debugsource-2.33.0-8.oe2203.aarch64.rpm",
"git-debuginfo-2.33.0-9.oe2203sp1.aarch64.rpm",
"git-daemon-2.33.0-9.oe2203sp1.aarch64.rpm",
"git-core-2.33.0-9.oe2203sp1.aarch64.rpm",
"git-debugsource-2.33.0-9.oe2203sp1.aarch64.rpm",
"git-2.33.0-9.oe2203sp1.aarch64.rpm"
],
"noarch": [
"perl-Git-2.33.0-8.oe2203.noarch.rpm",
"git-gui-2.33.0-8.oe2203.noarch.rpm",
"git-svn-2.33.0-8.oe2203.noarch.rpm",
"perl-Git-SVN-2.33.0-8.oe2203.noarch.rpm",
"gitk-2.33.0-8.oe2203.noarch.rpm",
"git-help-2.33.0-8.oe2203.noarch.rpm",
"git-web-2.33.0-8.oe2203.noarch.rpm",
"git-email-2.33.0-8.oe2203.noarch.rpm",
"git-help-2.33.0-9.oe2203sp1.noarch.rpm",
"gitk-2.33.0-9.oe2203sp1.noarch.rpm",
"git-gui-2.33.0-9.oe2203sp1.noarch.rpm",
"perl-Git-2.33.0-9.oe2203sp1.noarch.rpm",
"git-email-2.33.0-9.oe2203sp1.noarch.rpm",
"git-svn-2.33.0-9.oe2203sp1.noarch.rpm",
"git-web-2.33.0-9.oe2203sp1.noarch.rpm",
"perl-Git-SVN-2.33.0-9.oe2203sp1.noarch.rpm"
],
"x86_64": [
"git-debuginfo-2.33.0-8.oe2203.x86_64.rpm",
"git-debugsource-2.33.0-8.oe2203.x86_64.rpm",
"git-daemon-2.33.0-8.oe2203.x86_64.rpm",
"git-2.33.0-8.oe2203.x86_64.rpm",
"git-daemon-2.33.0-9.oe2203sp1.x86_64.rpm",
"git-2.33.0-9.oe2203sp1.x86_64.rpm",
"git-core-2.33.0-9.oe2203sp1.x86_64.rpm",
"git-debuginfo-2.33.0-9.oe2203sp1.x86_64.rpm",
"git-debugsource-2.33.0-9.oe2203sp1.x86_64.rpm"
],
"src": [
"git-2.33.0-8.oe2203.src.rpm",
"git-2.33.0-9.oe2203sp1.src.rpm"
]
}
openEuler:22.03-LTS-SP1 / git
Package
- Name
- git
- Purl
- pkg:rpm/openEuler/git&distro=openEuler-22.03-LTS-SP1
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.33.0-9.oe2203sp1
Ecosystem specific
{
"aarch64": [
"git-debuginfo-2.33.0-9.oe2203sp1.aarch64.rpm",
"git-daemon-2.33.0-9.oe2203sp1.aarch64.rpm",
"git-core-2.33.0-9.oe2203sp1.aarch64.rpm",
"git-debugsource-2.33.0-9.oe2203sp1.aarch64.rpm",
"git-2.33.0-9.oe2203sp1.aarch64.rpm"
],
"noarch": [
"git-help-2.33.0-9.oe2203sp1.noarch.rpm",
"gitk-2.33.0-9.oe2203sp1.noarch.rpm",
"git-gui-2.33.0-9.oe2203sp1.noarch.rpm",
"perl-Git-2.33.0-9.oe2203sp1.noarch.rpm",
"git-email-2.33.0-9.oe2203sp1.noarch.rpm",
"git-svn-2.33.0-9.oe2203sp1.noarch.rpm",
"git-web-2.33.0-9.oe2203sp1.noarch.rpm",
"perl-Git-SVN-2.33.0-9.oe2203sp1.noarch.rpm"
],
"x86_64": [
"git-daemon-2.33.0-9.oe2203sp1.x86_64.rpm",
"git-2.33.0-9.oe2203sp1.x86_64.rpm",
"git-core-2.33.0-9.oe2203sp1.x86_64.rpm",
"git-debuginfo-2.33.0-9.oe2203sp1.x86_64.rpm",
"git-debugsource-2.33.0-9.oe2203sp1.x86_64.rpm"
],
"src": [
"git-2.33.0-9.oe2203sp1.src.rpm"
]
}