"git apply" overwriting paths outside the working tree
Package
No package listed
Affected versions
<= v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, v2.30.7
Patched versions
>= v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, v2.30.8
Impact
By feeding specially crafted input to git apply, a path outside the working tree can be overwritten as the user who is running git apply.
Patches
A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 and v2.30.8.
Workarounds
Use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
Credits
Credit for finding the vulnerability goes to Joern Schneeweisz of GitLab. The patch was authored by Patrick Steinhardt of GitLab.
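As an added example, not code from the advisory or from the git project, the following check automates the manual inspection the Workarounds section describes: it walks the per-file headers of a patch and reports any file whose path passes through a symbolic link that the same patch creates earlier. The sample patch and the function names are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample patch (not from the advisory): the first section creates a
# symlink (mode 120000), the second creates a regular file whose path goes
# through that symlink, which is exactly the pattern the workaround says to refuse.
SAMPLE_PATCH = """\
diff --git a/link b/link
new file mode 120000
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+../outside-of-worktree
\\ No newline at end of file
diff --git a/link/payload.txt b/link/payload.txt
new file mode 100644
--- /dev/null
+++ b/link/payload.txt
@@ -0,0 +1 @@
+written through the symlink
"""

MODE_RE = re.compile(r"^(?:new file mode|new mode) (?P<mode>\d{6})$")
NEW_PATH_RE = re.compile(r"^\+\+\+ b/(?P<path>[^\t]+)")


def parse_entries(patch: str) -> List[Tuple[str, str]]:
    """Return (new_path, mode) for each 'diff --git' section that has a new path.

    Mode is '' when the section does not set one; deletions ('+++ /dev/null')
    are skipped. Hunk bodies are ignored so added lines cannot fake a header.
    """
    entries: List[Tuple[str, str]] = []
    path: Optional[str] = None
    mode, in_hunk = "", False

    def flush() -> None:
        if path is not None:
            entries.append((path, mode))

    for line in patch.splitlines():
        if line.startswith("diff --git "):
            flush()
            path, mode, in_hunk = None, "", False
        elif in_hunk:
            continue
        elif line.startswith("@@"):
            in_hunk = True
        elif (m := MODE_RE.match(line)):
            mode = m.group("mode")
        elif (m := NEW_PATH_RE.match(line)):
            path = m.group("path")
    flush()
    return entries


def find_symlink_traversal(patch: str) -> List[Tuple[str, str]]:
    """Report (symlink, file) pairs where the file is written beyond a symlink
    created earlier in the same patch."""
    findings, symlinks = [], set()
    for path, mode in parse_entries(patch):
        if mode == "120000":  # symlink created (or a path converted to one)
            symlinks.add(path)
            continue
        parts = path.split("/")
        for i in range(1, len(parts)):  # every proper directory prefix
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                findings.append((prefix, path))
                break
    return findings
```

Run it over a patch before git apply and refuse the patch when the list is non-empty; a pure-rename section without a `+++` line is not tracked, so combine this with the `git apply --stat` review rather than replacing it.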