CVE-2023-29007

NameCVE-2023-29007
DescriptionGit is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3844-1, DLA-3867-1, DSA-5769-1, ELA-1155-1
Debian Bugs1034835

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
git (PTS)jessie, jessie (lts)1:2.1.4-2.1+deb8u14fixed
stretch (security)1:2.11.0-3+deb9u7vulnerable
stretch (lts), stretch1:2.11.0-3+deb9u11fixed
buster (security), buster, buster (lts)1:2.20.1-2+deb10u9fixed
bullseye1:2.30.2-1+deb11u2vulnerable
bullseye (security)1:2.30.2-1+deb11u3fixed
bookworm (security), bookworm1:2.39.5-0+deb12u1fixed
trixie1:2.45.2-1fixed
sid1:2.45.2-1.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gitsourcejessie1:2.1.4-2.1+deb8u14ELA-1155-1
gitsourcestretch1:2.11.0-3+deb9u11ELA-1155-1
gitsourcebuster1:2.20.1-2+deb10u9DLA-3844-1
gitsourcebullseye1:2.30.2-1+deb11u3DLA-3867-1
gitsourcebookworm1:2.39.5-0+deb12u1DSA-5769-1
gitsource(unstable)1:2.40.1-11034835

Notes

https://lore.kernel.org/lkml/xmqqa5yv3n93.fsf@gitster.g/
https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8 (v2.30.9)
https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a (v2.30.9)
https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d (v2.30.9)
https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a (v2.30.9)

Search for package or bug name: Reporting problems