Git 2.40.1 & Other Updates Due To Three New Security Vulnerabilities
Git 2.40.1 is out today due to three new security vulnerabilities being disclosed. Due to those security fixes there are also Git updates for prior stable series with v2.39.3, v2.38.5, v2.37.7, v2.36.6, v2.35.8, v2.34.8, v2.33.8, v2.32.7, v2.31.8, and v2.30.9.
The three Git security vulnerabilities made public today are CVE-2023-25652, CVE-2023-25815, and CVE-2023-29007. The first could lead to a path outside of the Git working tree being overwritten with partially controlled contents, the second allows malicious placement of crafted messages when Git is built without translated messages, and the third allows arbitrary configuration injection.
Downloads and more details on today's big set of Git updates are available via the release announcement, which describes the three vulnerabilities as follows:
* CVE-2023-25652:
By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch).
* CVE-2023-25815:
When Git is compiled with runtime prefix support and runs without translated messages, it still used the gettext machinery to display messages, which subsequently potentially looked for translated messages in unexpected places. This allowed for malicious placement of crafted messages.
* CVE-2023-29007:
When renaming or deleting a section from a configuration file, certain malicious configuration values may be misinterpreted as the beginning of a new configuration section, leading to arbitrary configuration injection.
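A practical first step after an announcement like this is to confirm whether each machine's installed Git is at or above the fixed release for its series. The following script is an added example, not part of the article or of the Git project; the table of fixed versions is taken from the release list above, and the rule that any series newer than 2.40 counts as patched (such releases postdate the fix) and any series older than 2.30 counts as unpatched (no fix was issued for them) is an assumption made here.

```python
"""Check whether an installed Git includes the fixes for CVE-2023-25652,
CVE-2023-25815 and CVE-2023-29007 (added example, not Git project code)."""
import re
import subprocess

# Minimum patched release per maintained series, from the release announcement.
FIXED = {
    (2, 40): (2, 40, 1),
    (2, 39): (2, 39, 3),
    (2, 38): (2, 38, 5),
    (2, 37): (2, 37, 7),
    (2, 36): (2, 36, 6),
    (2, 35): (2, 35, 8),
    (2, 34): (2, 34, 8),
    (2, 33): (2, 33, 8),
    (2, 32): (2, 32, 7),
    (2, 31): (2, 31, 8),
    (2, 30): (2, 30, 9),
}


def parse_git_version(text):
    """Extract (major, minor, patch) from `git --version` output.

    Handles vendor suffixes such as '2.39.2.windows.1' or
    '2.39.3 (Apple Git-145)' by taking the first three numeric components.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if `version` is at or above the fixed release of its series.

    Assumption: series newer than 2.40 were released after the fix and are
    treated as patched; series older than 2.30 received no fix and are
    treated as unpatched.
    """
    major, minor, _patch = version
    series = (major, minor)
    if series in FIXED:
        return version >= FIXED[series]
    return series > (2, 40)


def installed_git_version():
    """Run `git --version` on this host and parse the result."""
    out = subprocess.run(
        ["git", "--version"], capture_output=True, text=True, check=True
    ).stdout
    return parse_git_version(out)


if __name__ == "__main__":
    v = installed_git_version()
    status = "patched" if is_patched(v) else "VULNERABLE - update required"
    print(f"git {'.'.join(map(str, v))}: {status}")
```

Run it on each host (or feed it `git --version` output collected by a fleet-management tool through `parse_git_version`); the comparison is done per series, so a 2.36.6 host is reported as patched even though 2.40.1 is the newest release.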