UBUNTU-CVE-2023-29007

See a problem?

Source

https://ubuntu.com/security/notices/UBUNTU-CVE-2023-29007

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-29007.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2023-29007

Related

Published

2023-04-25T17:00:00Z

Modified

2023-04-25T17:00:00Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.

References

Affected packages

Ubuntu:Pro:16.04:LTS / git

Package

Name: git
Purl: pkg:deb/ubuntu/git@1:2.7.4-0ubuntu1.10+esm7?arch=src?distro=esm-infra/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.7.4-0ubuntu1.10+esm7

Affected versions

1:2.*

1:2.5.0-1

1:2.6.2-1

1:2.6.3-1

1:2.6.4-1

1:2.7.0~rc3-1

1:2.7.0-1

1:2.7.3-0ubuntu1

1:2.7.4-0ubuntu1

1:2.7.4-0ubuntu1.1

1:2.7.4-0ubuntu1.2

1:2.7.4-0ubuntu1.3

1:2.7.4-0ubuntu1.4

1:2.7.4-0ubuntu1.5

1:2.7.4-0ubuntu1.6

1:2.7.4-0ubuntu1.7

1:2.7.4-0ubuntu1.8

1:2.7.4-0ubuntu1.9

1:2.7.4-0ubuntu1.10

1:2.7.4-0ubuntu1.10+esm1

1:2.7.4-0ubuntu1.10+esm3

1:2.7.4-0ubuntu1.10+esm4

1:2.7.4-0ubuntu1.10+esm5

1:2.7.4-0ubuntu1.10+esm6

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "git-core": "1:2.7.4-0ubuntu1.10+esm7",
            "git-daemon-run": "1:2.7.4-0ubuntu1.10+esm7",
            "git-email": "1:2.7.4-0ubuntu1.10+esm7",
            "git-mediawiki": "1:2.7.4-0ubuntu1.10+esm7",
            "git": "1:2.7.4-0ubuntu1.10+esm7",
            "git-el": "1:2.7.4-0ubuntu1.10+esm7",
            "git-cvs": "1:2.7.4-0ubuntu1.10+esm7",
            "git-doc": "1:2.7.4-0ubuntu1.10+esm7",
            "gitk": "1:2.7.4-0ubuntu1.10+esm7",
            "git-arch": "1:2.7.4-0ubuntu1.10+esm7",
            "git-daemon-sysvinit": "1:2.7.4-0ubuntu1.10+esm7",
            "git-svn": "1:2.7.4-0ubuntu1.10+esm7",
            "git-gui": "1:2.7.4-0ubuntu1.10+esm7",
            "git-man": "1:2.7.4-0ubuntu1.10+esm7",
            "gitweb": "1:2.7.4-0ubuntu1.10+esm7",
            "git-all": "1:2.7.4-0ubuntu1.10+esm7"
        }
    ]
}

Ubuntu:18.04:LTS / git

Package

Name: git
Purl: pkg:deb/ubuntu/git@1:2.17.1-1ubuntu0.18?arch=src?distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.17.1-1ubuntu0.18

Affected versions

1:2.*

1:2.14.1-1ubuntu4

1:2.15.1-1ubuntu2

1:2.17.0-1ubuntu1

1:2.17.1-1ubuntu0.1

1:2.17.1-1ubuntu0.3

1:2.17.1-1ubuntu0.4

1:2.17.1-1ubuntu0.5

1:2.17.1-1ubuntu0.6

1:2.17.1-1ubuntu0.7

1:2.17.1-1ubuntu0.8

1:2.17.1-1ubuntu0.9

1:2.17.1-1ubuntu0.10

1:2.17.1-1ubuntu0.11

1:2.17.1-1ubuntu0.12

1:2.17.1-1ubuntu0.13

1:2.17.1-1ubuntu0.14

1:2.17.1-1ubuntu0.15

1:2.17.1-1ubuntu0.16

1:2.17.1-1ubuntu0.17

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "git-daemon-run": "1:2.17.1-1ubuntu0.18",
            "git-email": "1:2.17.1-1ubuntu0.18",
            "git-mediawiki": "1:2.17.1-1ubuntu0.18",
            "git": "1:2.17.1-1ubuntu0.18",
            "git-el": "1:2.17.1-1ubuntu0.18",
            "git-cvs": "1:2.17.1-1ubuntu0.18",
            "git-doc": "1:2.17.1-1ubuntu0.18",
            "gitk": "1:2.17.1-1ubuntu0.18",
            "git-dbgsym": "1:2.17.1-1ubuntu0.18",
            "git-daemon-sysvinit": "1:2.17.1-1ubuntu0.18",
            "git-svn": "1:2.17.1-1ubuntu0.18",
            "git-gui": "1:2.17.1-1ubuntu0.18",
            "git-man": "1:2.17.1-1ubuntu0.18",
            "gitweb": "1:2.17.1-1ubuntu0.18",
            "git-all": "1:2.17.1-1ubuntu0.18"
        }
    ]
}

Ubuntu:20.04:LTS / git

Package

Name: git
Purl: pkg:deb/ubuntu/git@1:2.25.1-1ubuntu3.11?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.25.1-1ubuntu3.11

Affected versions

1:2.*

1:2.20.1-2ubuntu1

1:2.24.0-1ubuntu1

1:2.24.0-1ubuntu2

1:2.25.0-1ubuntu1

1:2.25.1-1ubuntu1

1:2.25.1-1ubuntu2

1:2.25.1-1ubuntu3

1:2.25.1-1ubuntu3.1

1:2.25.1-1ubuntu3.2

1:2.25.1-1ubuntu3.3

1:2.25.1-1ubuntu3.4

1:2.25.1-1ubuntu3.5

1:2.25.1-1ubuntu3.6

1:2.25.1-1ubuntu3.7

1:2.25.1-1ubuntu3.8

1:2.25.1-1ubuntu3.10

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "git-daemon-run": "1:2.25.1-1ubuntu3.11",
            "git-email": "1:2.25.1-1ubuntu3.11",
            "git-mediawiki": "1:2.25.1-1ubuntu3.11",
            "git": "1:2.25.1-1ubuntu3.11",
            "git-el": "1:2.25.1-1ubuntu3.11",
            "git-cvs": "1:2.25.1-1ubuntu3.11",
            "git-doc": "1:2.25.1-1ubuntu3.11",
            "gitk": "1:2.25.1-1ubuntu3.11",
            "git-dbgsym": "1:2.25.1-1ubuntu3.11",
            "git-daemon-sysvinit": "1:2.25.1-1ubuntu3.11",
            "git-svn": "1:2.25.1-1ubuntu3.11",
            "git-gui": "1:2.25.1-1ubuntu3.11",
            "git-man": "1:2.25.1-1ubuntu3.11",
            "gitweb": "1:2.25.1-1ubuntu3.11",
            "git-all": "1:2.25.1-1ubuntu3.11"
        }
    ]
}

Ubuntu:22.04:LTS / git

Package

Name: git
Purl: pkg:deb/ubuntu/git@1:2.34.1-1ubuntu1.9?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.34.1-1ubuntu1.9

Affected versions

1:2.*

1:2.32.0-1ubuntu1

1:2.33.1-1ubuntu1

1:2.34.1-1ubuntu1

1:2.34.1-1ubuntu1.1

1:2.34.1-1ubuntu1.2

1:2.34.1-1ubuntu1.4

1:2.34.1-1ubuntu1.5

1:2.34.1-1ubuntu1.6

1:2.34.1-1ubuntu1.8

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "git-daemon-run": "1:2.34.1-1ubuntu1.9",
            "git-email": "1:2.34.1-1ubuntu1.9",
            "git-mediawiki": "1:2.34.1-1ubuntu1.9",
            "git": "1:2.34.1-1ubuntu1.9",
            "gitk": "1:2.34.1-1ubuntu1.9",
            "git-cvs": "1:2.34.1-1ubuntu1.9",
            "git-doc": "1:2.34.1-1ubuntu1.9",
            "git-dbgsym": "1:2.34.1-1ubuntu1.9",
            "git-daemon-sysvinit": "1:2.34.1-1ubuntu1.9",
            "git-svn": "1:2.34.1-1ubuntu1.9",
            "git-gui": "1:2.34.1-1ubuntu1.9",
            "git-man": "1:2.34.1-1ubuntu1.9",
            "gitweb": "1:2.34.1-1ubuntu1.9",
            "git-all": "1:2.34.1-1ubuntu1.9"
        }
    ]
}