Lucene search

K
rosalinuxROSA LABROSA-SA-2023-2176
HistoryJun 27, 2023 - 9:16 a.m.

Advisory ROSA-SA-2023-2176

2023-06-2709:16:21
ROSA LAB
abf.rosalinux.ru
16
git
rosa-sa-2023-2176
medium vulnerability
high vulnerability
patch
os: rosa-server79
cve-2023-25652
cve-2023-29007
git apply
git_config_copy_or_rename_section_in_file
yum update

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.005

Percentile

77.3%

Software: git 1.8.3.1
OS: rosa-server79

package_evr_string: git-1.8.3.1-25.res7

CVE-ID: CVE-2023-25652
BDU-ID: None
CVE-Crit: MEDIUM
CVE-DESC.: Up to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1 by submitting specially crafted input for git apply --reject, the path outside the working tree can be overwritten with partially controlled content (corresponding to rejected fragments from this patch). The fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. . As a workaround, avoid using git apply' with --reject’ when applying patches from an unreliable source. Use git apply --stat to test a patch before applying it; avoid applying those that create a conflict when there is a link corresponding to the *.rej file.
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update git command

CVE-ID: CVE-2023-29007
BDU-ID: 2023-02908
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the git_config_copy_or_rename_section_in_file function of the config.c file of the Git distributed version control system is related to insufficient neutralization of special elements in the request. Exploitation of the vulnerability could allow an attacker, to execute arbitrary code
CVE-STATUS: Fixed
CVE-REV: Execute yum update git command to close.

OSVersionArchitecturePackageVersionFilename
rosaanynoarchgit< 1.8.3.1UNKNOWN

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.005

Percentile

77.3%