TencentOS Server 2: git (TSSA-2023:0069)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2023:0069.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(239494);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/20");

  script_cve_id("CVE-2023-25652", "CVE-2023-29007");

  script_name(english:"TencentOS Server 2: git (TSSA-2023:0069)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 2 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 2 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2023:0069 advisory.

    Package updates are available for TencentOS Server 2 that fix the following vulnerabilities:

      CVE-2023-25652:
      Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8,
    2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a
    path outside the working tree can be overwritten with partially controlled contents (corresponding to the
    rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8,
    2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with
    `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch
    before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file
    exists.
      CVE-2023-29007:
      Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8,
    2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs
    that are longer than 1024 characters can used to exploit a bug in
    `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary
    configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section
    associated with that submodule. When the attacker injects configuration values which specify executables
    to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code
    execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6,
    2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted
    repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20230069.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-25652");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-29007");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/06/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/06/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:git");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^2([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 2.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '2',
    'pkgs': [
      {'reference':'emacs-git-1.8.3.1-25.tl2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'emacs-git-el-1.8.3.1-25.tl2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-1.8.3.1-25.tl2', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-1.8.3.1-25.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-all-1.8.3.1-25.tl2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-bzr-1.8.3.1-25.tl2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-cvs-1.8.3.1-25.tl2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-daemon-1.8.3.1-25.tl2', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-daemon-1.8.3.1-25.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-debuginfo-1.8.3.1-25.tl2', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-debuginfo-1.8.3.1-25.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-email-1.8.3.1-25.tl2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-gnome-keyring-1.8.3.1-25.tl2', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-gnome-keyring-1.8.3.1-25.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-gui-1.8.3.1-25.tl2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-hg-1.8.3.1-25.tl2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-instaweb-1.8.3.1-25.tl2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-p4-1.8.3.1-25.tl2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-svn-1.8.3.1-25.tl2', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'git-svn-1.8.3.1-25.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'gitk-1.8.3.1-25.tl2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'gitweb-1.8.3.1-25.tl2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'perl-Git-1.8.3.1-25.tl2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'perl-Git-SVN-1.8.3.1-25.tl2', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'emacs-git / emacs-git-el / git / etc');
}