• Re: Upcoming git fix release 2.39.2

    From Randall@21:1/5 to Randall on Tue Feb 14 11:06:16 2023
    On Tuesday, February 14, 2023 at 1:40:51 p.m. UTC-5, Randall wrote:
    A git fix release has just been released. ITUGLIB is currently running through a build/test cycle. I will post an update when ready. The following CVEs are corrected by this fix release:

    * CVE-2023-22490:

    Using a specially-crafted repository, Git can be tricked into using
    its local clone optimization even when using a non-local transport.
    Though Git will abort local clones whose source $GIT_DIR/objects
    directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link.

    These two may be combined to include arbitrary files based on known
    paths on the victim's filesystem within the malicious repository's
    working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.

    * CVE-2023-23946:

    By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply".

    I should point out that this fix set also applies to prior versions. If you need a prior version of git, please post the request. I cannot guarantee that we can do it, but will try.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Randall@21:1/5 to All on Tue Feb 14 10:40:50 2023
    A git fix release has just been released. ITUGLIB is currently running through a build/test cycle. I will post an update when ready. The following CVEs are corrected by this fix release:

    * CVE-2023-22490:

    Using a specially-crafted repository, Git can be tricked into using
    its local clone optimization even when using a non-local transport.
    Though Git will abort local clones whose source $GIT_DIR/objects
    directory contains symbolic links (c.f., CVE-2022-39253), the objects
    directory itself may still be a symbolic link.

    These two may be combined to include arbitrary files based on known
    paths on the victim's filesystem within the malicious repository's
    working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.

    * CVE-2023-23946:

    By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply".

  • From Randall@21:1/5 to Randall on Wed Feb 15 11:51:34 2023
    For you git build/test fans, t1450 fails on 2.39.x, but this is in the test infrastructure, not in git itself. So nothing to worry about. Same as t1800 and t9001. The release is being deployed.

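Added example, not part of the thread or of git itself: a POSIX shell audit that flags the two on-disk conditions named in the CVE-2023-22490 description, an objects directory that is itself a symbolic link and symbolic links inside it. The function names `find_git_dir` and `audit_objects_symlinks` are hypothetical, and the check only inspects a repository already on disk; it is not a substitute for installing the fix release.

```shell
#!/bin/sh
# Added example: audit a repository on disk for a symlinked objects store.
# Usage (after sourcing this file): audit_objects_symlinks /path/to/repo
# Returns 0 if clean, 1 if any symlink is found, 2 if the path is not a repository.

# Resolve the git directory: <path>/.git for a normal checkout,
# or <path> itself for a bare repository.
find_git_dir() {
    if [ -d "$1/.git" ]; then
        printf '%s\n' "$1/.git"
    elif [ -d "$1/objects" ] || [ -L "$1/objects" ]; then
        printf '%s\n' "$1"
    else
        return 1
    fi
}

audit_objects_symlinks() {
    gitdir=$(find_git_dir "$1") || {
        echo "not a git repository: $1" >&2
        return 2
    }
    findings=0

    # Condition described for CVE-2023-22490: objects itself is a symlink.
    if [ -L "$gitdir/objects" ]; then
        echo "SYMLINK objects dir: $gitdir/objects -> $(readlink "$gitdir/objects")"
        findings=1
    fi

    # Condition described for CVE-2022-39253: symlinks inside objects.
    # The trailing slash makes find descend even when objects is a symlink;
    # a dangling link makes find fail, which is tolerated here.
    found=$(find "$gitdir/objects/" -type l 2>/dev/null) || true
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/SYMLINK inside objects: /'
        findings=1
    fi

    return "$findings"
}
```

A checkout whose `.git` is a file rather than a directory (as in submodules and linked worktrees) is reported as "not a git repository" by this sketch and needs its real git directory passed instead.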