Updates for Git and Git for Windows after severe bug rash

A brace of Git vulnerabilities revealed this week prompted a patch release of the code management tool, and some hasty updates of other platforms that rely on it.

The bugs in question were uncovered by GitHub, which gave them “high” severity ratings while it awaits official ratings from NIST. GitHub also disclosed three vulnerabilities in Git for Windows, two of which were also rated severe.

The Git project pushed out a maintenance release addressing the bugs, v2.40.1, as well as releases for ten older maintenance track versions. The full details are here. GitHub encouraged users to “upgrade immediately”.

CVE-2023-25652 affects git apply --reject and stems from an incomplete fix for an earlier bug. As a result, according to GitHub, specially crafted malicious patches can perform controlled content writes at arbitrary paths.

CVE-2023-29007, according to GitHub, is down to a logic error that resulted in improperly treating configuration values longer than a fixed length as containing new sections. It could be used to inject arbitrary configuration settings, which may in turn be used to achieve arbitrary code execution.
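The description above (over-long configuration values being misread as new sections) lends itself to a simple repository hygiene check. The following is an added example, not code from the Git project or from GitHub: it scans Git-style config text (such as a `.gitmodules` file) for key/value lines longer than a fixed limit and reports whether the bytes past that limit look like the start of a `[section]`. The 1024-byte limit is an assumption, since the page only says "a fixed length"; the sample file is constructed.

```python
import re
from typing import List, Tuple

# Assumption: the page only says "a fixed length"; 1024 bytes is used as the working
# line-length limit here and should be adjusted to match the release notes.
LINE_LIMIT = 1024

SECTION_RE = re.compile(r'^\s*\[([^\]]+)\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=')

def audit_config_text(text: str, limit: int = LINE_LIMIT) -> List[Tuple[str, str, int, str]]:
    """Return (section, key, line_length, verdict) for every key/value line longer
    than `limit`. verdict is 'header-like-tail' when the bytes past the limit look
    like the start of a new [section], otherwise 'oversized'."""
    findings = []
    section = "<none>"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KEY_RE.match(line)
        if not m or len(line) <= limit:
            continue
        tail = line[limit:].lstrip()
        verdict = "header-like-tail" if tail.startswith("[") else "oversized"
        findings.append((section, m.group(1), len(line), verdict))
    return findings

def audit_config_file(path: str, limit: int = LINE_LIMIT):
    """Convenience wrapper for a .gitmodules or .git/config file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_config_text(fh.read(), limit)

# Constructed sample: one ordinary entry, one merely oversized url line, and one
# oversized url line whose bytes past the limit resemble a section header.
_URL_PREFIX = '\turl = https://example.invalid/'
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n\tpath = lib\n' + _URL_PREFIX + 'lib.git\n'
    '[submodule "big"]\n\tpath = big\n' + _URL_PREFIX + 'a' * 1100 + '\n'
    '[submodule "odd"]\n\tpath = odd\n'
    + _URL_PREFIX + 'b' * (LINE_LIMIT - len(_URL_PREFIX)) + ' [injected]\n'
)

if __name__ == "__main__":
    for section, key, length, verdict in audit_config_text(SAMPLE_GITMODULES):
        print(f"{verdict:17} {section}.{key} ({length} bytes)")
```

Running this over a checkout's `.gitmodules` before `git submodule` operations gives reviewers a cheap signal on unpatched clients; upgrading to the fixed release remains the actual remedy.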

As for Git for Windows, CVE-2023-29011 makes its connect.exe executable susceptible to malicious files being placed there by other users on the same multi-user machine.

CVE-2023-29012 affects the Git for Windows CMD program and, when started in untrusted directories, could lead to silent arbitrary code execution.

A third bug, CVE-2023-25815, allowed for malicious placement of crafted messages but was rated low. This was addressed by the Git update.

GitHub said the best option, in all cases, was to upgrade to Git 2.40.1, but detailed other steps users could take if they couldn’t do so immediately.

GitHub itself was unaffected by the vulnerabilities, it said, as it didn’t use git apply --reject or Git’s configuration features. Or indeed Git for Windows.

However, the Microsoft subsidiary scheduled a GitHub Desktop release for April 26, and said it had scheduled updates to GitHub Codespaces and GitHub Actions.