
"git apply" overwriting paths outside the working tree

High
ttaylorr published GHSA-r87m-v37r-cwfh Feb 14, 2023

Package

No package listed

Affected versions

<= v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, v2.30.7

Patched versions

>= v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, v2.30.8

Description

Impact

By feeding specially crafted input to git apply, a path outside the working tree can be overwritten as the user who is running git apply.

Patches

A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 and v2.30.8.

Workarounds

Use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
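A scripted form of the inspection step above, added here as an example and not part of the advisory or of git itself: it reads the `diff --git` file headers of a patch, records every file the patch creates with git's symbolic-link mode (`120000`), and flags any later entry whose path lies beneath one of those links, which is exactly the "symlink first, then a file beyond it" shape the workaround tells you to refuse. The two sample patches embedded in the block are constructed for illustration; the symlink target and file names in them are placeholders.

```python
"""
Pre-apply check for the pattern described in GHSA-r87m-v37r-cwfh / CVE-2023-23946:
a patch that creates a symbolic link and then writes a file beneath that link.
Added example; it is not code from the advisory or from git. It only reads
git's extended diff headers, so it can run on a patch before `git apply`.
"""
import re
import sys
from typing import List, Tuple

# 'diff --git a/<path> b/<path>' opens each file entry in a git-format patch.
DIFF_HEADER = re.compile(r"^diff --git a/(?P<a>.+) b/(?P<b>.+)$")
SYMLINK_MODE = "120000"  # git's tree-entry mode for a symbolic link


def parse_file_entries(patch_text: str) -> List[Tuple[str, bool]]:
    """Return (path, created_as_symlink) for each file entry, in patch order."""
    entries = []
    lines = patch_text.splitlines()
    i = 0
    while i < len(lines):
        m = DIFF_HEADER.match(lines[i])
        if not m:
            i += 1
            continue
        path = m.group("b")
        is_symlink = False
        # Extended headers (new file mode, similarity index, ...) sit between the
        # 'diff --git' line and the first '---'/'+++' line or the next entry.
        j = i + 1
        while j < len(lines) and not lines[j].startswith(("diff --git", "--- ", "+++ ")):
            if lines[j].startswith("new file mode ") and lines[j].split()[-1] == SYMLINK_MODE:
                is_symlink = True
            j += 1
        entries.append((path, is_symlink))
        i = j
    return entries


def find_writes_through_symlinks(patch_text: str) -> List[Tuple[str, str]]:
    """Return (symlink_path, file_path) pairs where a file is written beneath a
    symlink that the same patch created earlier. Empty list means the patch
    does not show the pattern this check looks for."""
    created_links: List[str] = []
    findings = []
    for path, is_symlink in parse_file_entries(patch_text):
        if is_symlink:
            created_links.append(path)
            continue
        for link in created_links:
            if path.startswith(link.rstrip("/") + "/"):
                findings.append((link, path))
    return findings


# Constructed sample: a symlink entry followed by a file entry beneath it.
# The target and file names are placeholders, not values from the advisory.
SAMPLE_PATCH = """\
diff --git a/link b/link
new file mode 120000
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+/tmp/example-target
\\ No newline at end of file
diff --git a/link/note.txt b/link/note.txt
new file mode 100644
--- /dev/null
+++ b/link/note.txt
@@ -0,0 +1 @@
+written through the symlink
"""

# Constructed sample: an ordinary edit with no symlink involvement.
BENIGN_PATCH = """\
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 hello
+world
"""


if __name__ == "__main__":
    # Usage: python check_patch.py < some.patch   (exit status 1 if flagged)
    text = sys.stdin.read() if len(sys.argv) < 2 else open(sys.argv[1]).read()
    hits = find_writes_through_symlinks(text)
    for link, path in hits:
        print(f"refuse: {path!r} is written beneath symlink {link!r} created by this patch")
    sys.exit(1 if hits else 0)
```

The check is deliberately narrow: it mirrors the advisory's workaround rather than replicating git's own path validation, so a clean result is not a proof of safety, only an absence of this specific shape. When reviewing by hand, `git apply --summary` prints the creation mode of each new file, so a created symlink shows up as `create mode 120000 <path>` alongside the `--stat` listing.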

Credits

Credit for finding the vulnerability goes to Joern Schneeweisz of GitLab. The patch was authored by Patrick Steinhardt of GitLab.

Severity

High

CVE ID

CVE-2023-23946

Weaknesses

No CWEs
