Git 2.40.1 & Other Updates Due To Three New Security Vulnerabilities

Written by Michael Larabel in Free Software on 25 April 2023 at 01:56 PM EDT.
Git 2.40.1 is out today due to three new security vulnerabilities being disclosed. Due to those security fixes there are also Git updates for prior stable series with v2.39.3, v2.38.5, v2.37.7, v2.36.6, v2.35.8, v2.34.8, v2.33.8, v2.32.7, v2.31.8, and v2.30.9.

The three Git security vulnerabilities made public today are CVE-2023-25652, CVE-2023-25815, and CVE-2023-29007. They could lead to a path outside of the Git working tree potentially being overwritten with partially controlled contents, to malicious placement of crafted messages when Git is built without translated messages, and to arbitrary configuration injection.

* CVE-2023-25652:

By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch).

* CVE-2023-25815:

When Git is compiled with runtime prefix support and runs without translated messages, it still used the gettext machinery to display messages, which subsequently potentially looked for translated messages in unexpected places. This allowed for malicious placement of crafted messages.

* CVE-2023-29007:

When renaming or deleting a section from a configuration file, certain malicious configuration values may be misinterpreted as the beginning of a new configuration section, leading to arbitrary configuration injection.

Downloads and more details on today's big set of Git updates via the release announcement.
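
To check a host against the fixed releases listed above, the following classifies a `git --version` string by maintenance series. It is an added example, not code from the article or the Git project; the function names and status strings are hypothetical, series newer than 2.40 are assumed to already carry the fixes, and distribution builds with backported patches cannot be judged by version string alone.

```shell
#!/bin/sh
# Added example (not from the article or the Git project).
# First fixed patch level per maintenance series, from the release list above.
fixed_patch_for_series() {
    case "$1" in
        2.40) echo 1 ;;
        2.39) echo 3 ;;
        2.38) echo 5 ;;
        2.37|2.32) echo 7 ;;
        2.36) echo 6 ;;
        2.35|2.34|2.33|2.31) echo 8 ;;
        2.30) echo 9 ;;
        *) return 1 ;;   # series has no fixed release listed in the article
    esac
}

# git_fix_status VERSION  ->  patched | vulnerable | no-fix-listed | unknown
# Accepts raw `git --version` output or a bare version string.
git_fix_status() {
    ver=${1#git version }      # strip the "git version " prefix if present
    ver=${ver%% *}             # drop a vendor suffix such as "(Apple Git-143)"
    case "$ver" in *.*) ;; *) echo unknown; return 0 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}    # "5.windows.1" -> 5, "0-rc1" -> 0
    patch=${patch:-0}
    # Reject anything whose major or minor part is empty or non-numeric.
    case "$major.$minor" in .*|*.|*[!0-9.]*) echo unknown; return 0 ;; esac
    # Assumption: series newer than 2.40 already include these fixes.
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 40 ]; }; then
        echo patched; return 0
    fi
    if need=$(fixed_patch_for_series "$major.$minor"); then
        if [ "$patch" -ge "$need" ]; then echo patched; else echo vulnerable; fi
    else
        echo no-fix-listed
    fi
}

# Constructed sample inputs; on a real host pass "$(git --version)" instead.
for v in "git version 2.40.1" "git version 2.39.2 (Apple Git-143)" \
         "2.38.5.windows.1" "2.29.3"; do
    printf '%s -> %s\n' "$v" "$(git_fix_status "$v")"
done
```

A `no-fix-listed` result means the series received no fixed release in this announcement, so the remedy is moving to a maintained series rather than a patch-level bump.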