[Announce] Git 2.39.2 and friends

From: Junio C Hamano
Date: Tue Feb 14 2023 - 13:05:14 EST


A maintenance release Git v2.39.2, together with releases for older
maintenance tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7,
v2.33.7, v2.32.6, v2.31.7, and v2.30.8, are now available at the
usual places.

These maintenance releases are to address two security issues
identified as CVE-2023-22490 and CVE-2023-23946. They both affect
ranges of existing versions and users are strongly encouraged to
upgrade.

The tarballs are found at:

https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of the 'v2.39.2'
tag, as well as the tags for older maintenance tracks listed above.

url = https://git.kernel.org/pub/scm/git/git
url = https://kernel.googlesource.com/pub/scm/git/git
url = git://repo.or.cz/alt-git.git
url = https://github.com/gitster/git

The addressed issues are:

* CVE-2023-22490:

Using a specially-crafted repository, Git can be tricked into using
its local clone optimization even when using a non-local transport.
Though Git will abort local clones whose source $GIT_DIR/objects
directory contains symbolic links (c.f., CVE-2022-39253), the objects
directory itself may still be a symbolic link.

These two may be combined to include arbitrary files based on known
paths on the victim's filesystem within the malicious repository's
working copy, allowing for data exfiltration in a similar manner as
CVE-2022-39253.

* CVE-2023-23946:

By feeding a crafted input to "git apply", a path outside the
working tree can be overwritten as the user who is running "git
apply".

Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was
developed by Taylor Blau, with additional help from others on the
Git security mailing list.

Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the
fix was developed by Patrick Steinhardt.

Johannes Schindelin helped greatly in packaging the whole thing and
proofreading the result.

Thanks.