Git is a widely used revision control system that allows developers to track changes in their code and collaborate on projects. However, a newly discovered vulnerability, identified as CVE-2023-25652, potentially exposes affected Git installations to path traversal and arbitrary file overwrite attacks.

This vulnerability affects Git versions prior to 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. The flaw lies in the git apply --reject command: by feeding it specially crafted input, an attacker can overwrite a path outside the working tree with partially controlled contents. The overwritten content corresponds to the rejected hunk(s) from the given patch, i.e. the data that git apply --reject writes out to a *.rej file.

The vulnerable code path is reached with an ordinary invocation of the command:

$ git apply --reject patchfile

where patchfile contains the specially crafted input targeting a path outside the working tree.

To mitigate this vulnerability, users should update their Git installations to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, or 2.40.1. The necessary patches are available in the official Git repository.
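The fixed versions above are one per maintenance series, so a plain "is my version newer than X" comparison is not enough: 2.39.3 is fixed while 2.40.0 is not. The following POSIX sh helper is an added example, not code from the advisory or from the Git project. It classifies a version string against the list of fixed releases from the advisory; the assumption that every release after 2.40.1 (2.41 and later) contains the fix is mine, not a statement from the page.

```shell
#!/bin/sh
# Added example, not part of the original advisory: classify a Git version
# string against the fixed releases for CVE-2023-25652.

# Fixed releases listed in the advisory, one per 2.x maintenance series.
FIXED_VERSIONS="2.30.9 2.31.8 2.32.7 2.33.8 2.34.8 2.35.8 2.36.6 2.37.7 2.38.5 2.39.3 2.40.1"

# Print "fixed", "vulnerable" or "unknown" for a version string such as
# "2.39.2", "2.40.0-rc1" or "2.39.2.windows.1" (trailing suffixes are ignored).
git_version_status() {
    v="$1"
    case "$v" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    patch=$(printf '%s' "$v" | cut -d. -f3)
    patch=${patch%%[!0-9]*}          # drop "-rc1" and similar suffixes
    [ -z "$patch" ] && patch=0

    # Assumption (not stated on the page): every release after 2.40.1,
    # i.e. 2.41 and later or any 3.x, already contains the fix.
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 40 ]; }; then
        echo fixed; return 0
    fi
    # The advisory lists no fixed release before the 2.30 series.
    if [ "$major" -lt 2 ] || [ "$minor" -lt 30 ]; then
        echo vulnerable; return 0
    fi
    # Within a listed series, compare only against that series' fixed release.
    for f in $FIXED_VERSIONS; do
        fminor=$(printf '%s' "$f" | cut -d. -f2)
        fpatch=$(printf '%s' "$f" | cut -d. -f3)
        if [ "$minor" -eq "$fminor" ]; then
            if [ "$patch" -ge "$fpatch" ]; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    echo unknown
}

# Check the git binary on PATH: "git version 2.39.2" -> "2.39.2".
# Usage after sourcing this file:  check_installed_git
check_installed_git() {
    installed=$(git --version 2>/dev/null | awk '{print $3}')
    [ -n "$installed" ] || { echo "git not found on PATH"; return 1; }
    echo "git $installed: $(git_version_status "$installed")"
}
```

Run check_installed_git on each build host or CI image; anything reported as "vulnerable" should be upgraded to the fixed release of its series before git apply --reject is used on patches from outside the organisation.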

As a temporary workaround, users should avoid using the git apply command with the --reject flag when applying patches from untrusted sources. Instead, use git apply --stat to review the patch before applying it to the working tree. Do not apply a patch if it would produce a conflict at a path where a link already exists, since the corresponding *.rej file would be written through that link.

For additional context on this reported vulnerability, refer to the original security advisory and the National Vulnerability Database (NVD) entry for this CVE.

In conclusion, it is essential to update Git installations to the latest patched versions to protect against this potentially critical vulnerability. Additionally, users are advised to exercise caution when applying patches from untrusted sources and to always review the contents of a patch before applying it.

Timeline

Published on: 04/25/2023 20:15:00 UTC
Last modified on: 05/12/2023 05:15:00 UTC