FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-09-07 14:16:01 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
21f12de8-b1db-11ed-b0f4-002590f2a714	git -- "git apply" overwriting paths outside the working tree git team reports: By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply". Discovery 2023-02-14 Entry 2023-02-21 git < 2.39.2 CVE-2023-23946 https://github.blog/2023-02-14-git-security-vulnerabilities-announced-3/#cve-2023-23946
d2c6173f-e43b-11ed-a1d7-002590f2a714	git -- Multiple vulnerabilities git developers reports: This update includes 2 security fixes: CVE-2023-25652: By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch) CVE-2023-29007: A specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug that can be used to inject arbitrary configuration into user's git config. This can result in arbitrary execution of code, by inserting values for core.pager, core.editor and so on Discovery 2023-04-25 Entry 2023-04-26 git < 2.40.1 git-lite < 2.40.1 git-tiny < 2.40.1 CVE-2023-25652 https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx CVE-2023-29007 https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844
9548d6ed-b1da-11ed-b0f4-002590f2a714	git -- Local clone-based data exfiltration with non-local transports git team reports: Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. Discovery 2023-02-14 Entry 2023-02-21 git < 2.39.2 CVE-2023-22490 https://github.blog/2023-02-14-git-security-vulnerabilities-announced-3/#cve-2023-22490

VuXML ID

Description

21f12de8-b1db-11ed-b0f4-002590f2a714

git -- "git apply" overwriting paths outside the working tree

git team reports:

By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply".

Discovery 2023-02-14
Entry 2023-02-21
git

< 2.39.2

CVE-2023-23946
https://github.blog/2023-02-14-git-security-vulnerabilities-announced-3/#cve-2023-23946

d2c6173f-e43b-11ed-a1d7-002590f2a714

git -- Multiple vulnerabilities

git developers reports:

This update includes 2 security fixes:

CVE-2023-25652: By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch)

CVE-2023-29007: A specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug that can be used to inject arbitrary configuration into user's git config. This can result in arbitrary execution of code, by inserting values for core.pager, core.editor and so on

Discovery 2023-04-25
Entry 2023-04-26
git

< 2.40.1

git-lite

< 2.40.1

git-tiny

< 2.40.1

CVE-2023-25652
https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx
CVE-2023-29007
https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844

9548d6ed-b1da-11ed-b0f4-002590f2a714

git -- Local clone-based data exfiltration with non-local transports

git team reports:

Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link.

These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.

Discovery 2023-02-14
Entry 2023-02-21
git

< 2.39.2

CVE-2023-22490
https://github.blog/2023-02-14-git-security-vulnerabilities-announced-3/#cve-2023-22490