CVE-2023-25652 Information

Description

Git is a revision control system. Prior to versions 2.30.9 2.31.8 2.32.7 2.33.8 2.34.8 2.35.8 2.36.6 2.37.7 2.38.5 2.39.3 and 2.40.1 by feeding specially crafted input to git apply --reject a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9 2.31.8 2.32.7 2.33.8 2.34.8 2.35.8 2.36.6 2.37.7 2.38.5 2.39.3 and 2.40.1. As a workaround avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the .rej file exists.

Reference

https://github.com/git/git/commit/668f2d53613ac8fd373926ebe219f2c29112d93e https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx https://github.com/git/git/commit/18e2b1cfc80990719275d7b08e6e50f3e8cbc902 http://www.openwall.com/lists/oss-security/2023/04/25/2