CVE-2023-29007 Information

Description

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user’s $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.), this can lead to remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.
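
A check for the workaround above, as an added example that is not part of the advisory or of Git's own code: it reads .gitmodules and $GIT_DIR/config and reports every line of 1024 bytes or more together with the section it falls in. Applying the 1024 limit to the whole line rather than only the URL is an assumption, as are the function names and the constructed sample input.

```python
import os
import re
import sys

# The advisory cites submodule URLs longer than 1024 characters. Applying the
# limit to the whole line is an assumption, chosen to be stricter than needed.
MAX_LINE_BYTES = 1024

# Matches a [section] or [section "subsection"] header line.
SECTION_RE = re.compile(rb'^\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')


def audit_config(data: bytes):
    """Return one finding per overlong line: (lineno, section, key, length)."""
    findings = []
    section = None
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).decode("ascii").lower()
            if header.group(2) is not None:
                section += ' "%s"' % header.group(2).decode("utf-8", "replace")
        if len(line) >= MAX_LINE_BYTES:
            # Text before the first "=" is the key name; truncate for display.
            key = line.split(b"=", 1)[0].strip().decode("utf-8", "replace")
            findings.append((lineno, section, key[:40], len(line)))
    return findings


def sample_config() -> bytes:
    """Constructed sample: one ordinary submodule and one with an overlong URL."""
    long_url = b"https://example.invalid/" + b"a" * 1100
    return (b"[core]\n\tbare = false\n"
            b'[submodule "ok"]\n\turl = https://example.invalid/ok.git\n'
            b'[submodule "suspect"]\n\turl = ' + long_url + b"\n")


if __name__ == "__main__":
    git_dir = os.environ.get("GIT_DIR", ".git")
    paths = sys.argv[1:] or [".gitmodules", os.path.join(git_dir, "config")]
    bad = 0
    for path in paths:
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            for lineno, section, key, length in audit_config(fh.read()):
                bad += 1
                print(f"{path}:{lineno}: [{section}] {key}: {length} bytes")
    sys.exit(1 if bad else 0)
```

Run from the top of a work tree, it exits non-zero when any file has a finding, so it can gate a later git submodule deinit in a script.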

Reference

https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844
https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
https://github.com/git/git/blob/9ce9dea4e1c2419cca126d29fa7730baa078a11b/Documentation/RelNotes/2.30.9.txt
