Advisory ROSA-SA-2023-2292

Software: git 2.39.3
OS: ROSA Virtualization 2.1

package_evr_string: git-2.39.3-1.rv3

CVE-ID: CVE-2022-39253
BDU-ID: 2023-06647
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the Git for Windows distributed version control system is related to a lack of service data protection. Exploitation of the vulnerability could allow an attacker to gain access to sensitive information.
CVE-STATUS: Fixed
CVE-REV: To close, run yum update git command

CVE-ID: CVE-2022-39260
BDU-ID: None
CVE-Crit: HIGH
CVE-DESC.: In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that parses command arguments into an array incorrectly uses int to represent the number of entries in the array, allowing an attacker to intentionally overflow the return value, resulting in an arbitrary heap entry. Since the resulting array is then passed to execv(), it is possible to use this attack to remotely execute code on the victim machine. Note that the victim must first allow access to “gitshell” as the login shell to be vulnerable to this attack.
CVE-STATUS: Fixed
CVE-REV: Run the yum update git command to close it

CVE-ID: CVE-2023-22490
BDU-ID: 2023-01602
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the Git distributed version control system involves insecure handling of symbolic links when using local cloning optimization, Git aborts local clones whose source directory $GIT_DIR/objects contains symbolic links, but the object directory itself may still be a symbolic link. Exploitation of the vulnerability could allow an attacker acting remotely to gain access to sensitive information
CVE-STATUS: Resolved
CVE-REV: To close, run the yum update git command

CVE-ID: CVE-2023-23946
BDU-ID: 2023-01603
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the Git distributed version control system is related to the input of processed input data - a path outside the working tree could be overwritten by a user running “git apply”. Exploitation of the vulnerability could allow an attacker acting remotely to overwrite arbitrary files on the system
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update git command

CVE-ID: CVE-2023-25652
BDU-ID: 2023-03859
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the Git distributed version control system is related to flaws in the directory path name restriction. Exploitation of the vulnerability allows an attacker acting remotely to impact data integrity using a specially crafted command
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update git command

CVE-ID: CVE-2023-29007
BDU-ID: 2023-02908
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the git_config_copy_or_rename_section_in_file function of the config.c file of the Git distributed version control system is related to insufficient neutralization of special elements in the request. Exploitation of the vulnerability could allow an attacker, to execute arbitrary code
CVE-STATUS: Fixed
CVE-REV: Execute yum update git command to close.