{"id":"MGASA-2023-0066","summary":"Updated git packages fix security vulnerability","details":"Using a specially-crafted repository, Git can be tricked into using its local\nclone optimization even when using a non-local transport. Though Git will\nabort local clones whose source $GIT_DIR/objects directory contains symbolic\nlinks, the objects directory itself may still be a symbolic link. These two\nmay be combined to include arbitrary files based on known paths on the\nvictim's filesystem within the malicious repository's working copy, allowing\nfor data exfiltration in a similar manner as CVE-2022-39253 (CVE-2023-22490).\n\nBy feeding a crafted input to \"git apply\", a path outside the working tree can\nbe overwritten as the user who is running \"git apply\" (CVE-2023-23946).\n","modified":"2026-04-16T04:40:50.950900981Z","published":"2023-02-27T20:27:16Z","upstream":["CVE-2023-22490","CVE-2023-23946"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2023-0066.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=31553"},{"type":"WEB","url":"https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.30.8.txt"},{"type":"WEB","url":"https://lore.kernel.org/git/004a01d940a4$289e56a0$79db03e0$@nexbridge.com/T/"}],"affected":[{"package":{"name":"git","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/git?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.30.8-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0066.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}