Documentation/RelNotes/2.30.8.txt

   1 Git v2.30.8 Release Notes
   2 =========================
   3
   4 This release addresses the security issues CVE-2023-22490 and
   5 CVE-2023-23946.
   6
   7
   8 Fixes since v2.30.7
   9 -------------------
  10
  11  * CVE-2023-22490:
  12
  13    Using a specially-crafted repository, Git can be tricked into using
  14    its local clone optimization even when using a non-local transport.
  15    Though Git will abort local clones whose source $GIT_DIR/objects
  16    directory contains symbolic links (c.f., CVE-2022-39253), the objects
  17    directory itself may still be a symbolic link.
  18
  19    These two may be combined to include arbitrary files based on known
  20    paths on the victim's filesystem within the malicious repository's
  21    working copy, allowing for data exfiltration in a similar manner as
  22    CVE-2022-39253.
  23
  24  * CVE-2023-23946:
  25
  26    By feeding a crafted input to "git apply", a path outside the
  27    working tree can be overwritten as the user who is running "git
  28    apply".
  29
  30  * A mismatched type in `attr.c::read_attr_from_index()` which could
  31    cause Git to errantly reject attributes on Windows and 32-bit Linux
  32    has been corrected.
  33
  34 Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was
  35 developed by Taylor Blau, with additional help from others on the
  36 Git security mailing list.
  37
  38 Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the
  39 fix was developed by Patrick Steinhardt.
  40
  41
  42 Johannes Schindelin (1):
  43       attr: adjust a mismatched data type
  44
  45 Patrick Steinhardt (1):
  46       apply: fix writing behind newly created symbolic links
  47
  48 Taylor Blau (3):
  49       t5619: demonstrate clone_local() with ambiguous transport
  50       clone: delay picking a transport until after get_repo_path()
  51       dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS