Makefile: Upgrade Git to security release v2.40.1.gl1 and v2.39.3 (!5707) · Merge requests · GitLab.org / gitaly

Christian Couder requested to merge cc-git-v2.40.1 into master Apr 28, 2023

Upgrade our Git version to v2.40.1.gl1 and v2.39.3, which pulls in the security releases Git v2.40.1 and v2.39.3 that addresses the following CVEs:

CVE-2023-25652:

By feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch).

CVE-2023-25815:

When Git is compiled with runtime prefix support and runs without translated messages, it still used the gettext machinery to display messages, which subsequently potentially looked for translated messages in unexpected places. This allowed for malicious placement of crafted messages.

CVE-2023-29007:

When renaming or deleting a section from a configuration file, certain malicious configuration values may be misinterpreted as the beginning of a new configuration section, leading to arbitrary configuration injection.

Even though GitLab isn't affected by the above CVEs, it is nice to stay up-to-date with upstream.

Makefile: Upgrade Git to security release v2.40.1.gl1 and v2.39.3

Merge request reports