Git 2.40.1 & Other Updates Due To Three New Security Vulnerabilities

Written by Michael Larabel in Free Software on 25 April 2023 at 01:56 PM EDT.
Git 2.40.1 is out today due to three new security vulnerabilities being disclosed. Because of those security fixes, there are also Git updates for the prior stable series: v2.39.3, v2.38.5, v2.37.7, v2.36.6, v2.35.8, v2.34.8, v2.33.8, v2.32.7, v2.31.8, and v2.30.9.

The three Git security vulnerabilities made public today are CVE-2023-25652, CVE-2023-25815, and CVE-2023-29007. The first allows a path outside the Git working tree to be overwritten with partially controlled contents, the second allows malicious placement of crafted messages when Git is built without translated messages, and the third allows arbitrary configuration injection. The release announcement describes them as follows:
* CVE-2023-25652:

By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch).

* CVE-2023-25815:

When Git is compiled with runtime prefix support and runs without translated messages, it still used the gettext machinery to display messages, which subsequently potentially looked for translated messages in unexpected places. This allowed for malicious placement of crafted messages.

* CVE-2023-29007:

When renaming or deleting a section from a configuration file, certain malicious configuration values may be misinterpreted as the beginning of a new configuration section, leading to arbitrary configuration injection.
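A practitioner's first question after reading these notes is whether the Git on a given host is at or above the fixed release for its series. The following shell script is an added example, not code from this article or from the Git project: it parses a `git --version` string, looks the series up in a table built from the fixed releases listed above, and reports whether that build is patched. It goes slightly beyond the article in tolerating vendor suffixes such as Git for Windows' `2.40.1.windows.1` or Apple's `(Apple Git-143)`. The function name `git_is_patched`, the `FIXED_RELEASES` table format, the treatment of series newer than 2.40 as patched, and the `unsupported` verdict for series older than 2.30 (for which no fix was released) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Phoronix article or the Git project): decide whether
# a Git version is at or above the fixed release for its stable series.
# Table of fixed releases from the announcement: "major.minor fixed-patch-level".
FIXED_RELEASES='
2.40 1
2.39 3
2.38 5
2.37 7
2.36 6
2.35 8
2.34 8
2.33 8
2.32 7
2.31 8
2.30 9
'

# git_is_patched "<version>"
#   Accepts raw `git --version` output ("git version 2.40.0", possibly with a
#   vendor suffix) or a bare version ("2.40.0"). Prints one word and returns:
#     patched     (0)  version is at or above the fixed release for its series
#     vulnerable  (1)  series has a fix, but this build predates it
#     unsupported (1)  series older than 2.30: no fix was released (assumption:
#                      treat as needing an upgrade)
#     unknown     (2)  string could not be parsed
#   Assumption: every release after 2.40.x carries the fixes.
git_is_patched() {
    ver=$(printf '%s' "$1" |
        sed -n 's/^\(git version \)\{0,1\}\([0-9]\{1,\}\.[0-9]\{1,\}\(\.[0-9]\{1,\}\)\{0,1\}\).*/\2/p')
    [ -n "$ver" ] || { echo unknown; return 2; }
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    [ -n "$patch" ] || patch=0          # "2.41" means 2.41.0

    # Anything newer than the 2.40 series is assumed to include the fixes.
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 40 ]; }; then
        echo patched; return 0
    fi

    # Look up the fixed patch level for this major.minor series.
    fixed=$(printf '%s\n' "$FIXED_RELEASES" | awk -v s="$major.$minor" '$1 == s { print $2 }')
    if [ -z "$fixed" ]; then
        echo unsupported; return 1
    fi
    if [ "$patch" -ge "$fixed" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Check the Git on this machine, if one is installed.
if command -v git >/dev/null 2>&1; then
    echo "local git: $(git_is_patched "$(git --version)")"
fi
```

Run it on each host you manage, or feed it version strings collected by your inventory tooling; a `vulnerable` or `unsupported` verdict means the build needs one of the releases listed above.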

Downloads and more details on today's set of Git updates are available via the release announcement.