| Name | CVE-2023-29007 |
| Description | Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3844-1, DLA-3867-1, DSA-5769-1 |
| Debian Bugs | 1034835 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| git (PTS) | bullseye | 1:2.30.2-1+deb11u2 | vulnerable |
| bullseye (security) | 1:2.30.2-1+deb11u3 | fixed | |
| bookworm, bookworm (security) | 1:2.39.5-0+deb12u1 | fixed | |
| trixie | 1:2.45.2-1 | fixed | |
| sid | 1:2.45.2-1.2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| git | source | buster | 1:2.20.1-2+deb10u9 | DLA-3844-1 | ||
| git | source | bullseye | 1:2.30.2-1+deb11u3 | DLA-3867-1 | ||
| git | source | bookworm | 1:2.39.5-0+deb12u1 | DSA-5769-1 | ||
| git | source | (unstable) | 1:2.40.1-1 | 1034835 |
https://lore.kernel.org/lkml/xmqqa5yv3n93.fsf@gitster.g/
https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8 (v2.30.9)
https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a (v2.30.9)
https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d (v2.30.9)
https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a (v2.30.9)