Bug#1055853: jgit: CVE-2023-4759

Moritz Mühlenhoff jmm at inutil.org
Sun Nov 12 18:59:51 GMT 2023


Source: jgit
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for jgit.

CVE-2023-4759[0]:
| Arbitrary File Overwrite in Eclipse JGit <= 6.6.0. In Eclipse JGit,
| all versions <= 6.6.0.202305301015-r, a symbolic link present in a
| specially crafted git repository can be used to write a file to
| locations outside the working tree when this repository is cloned
| with JGit to a case-insensitive filesystem, or when a checkout from
| a clone of such a repository is performed on a case-insensitive
| filesystem. This can happen on checkout (DirCacheCheckout), merge
| (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using
| merge), and when applying a patch (PatchApplier). This can be
| exploited for remote code execution (RCE), for instance if the file
| written outside the working tree is a git filter that gets executed
| on a subsequent git command. The issue occurs only on
| case-insensitive filesystems, like the default filesystems on Windows
| and macOS. The user performing the clone or checkout must have the
| rights to create symbolic links for the problem to occur, and
| symbolic links must be enabled in the git configuration. Setting
| git configuration option core.symlinks = false before checking out
| avoids the problem. The issue was fixed in Eclipse JGit version
| 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven
| Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and
| repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ .
| The JGit maintainers would like to thank RyotaK for finding and
| reporting this issue.

https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1 (v6.6.1.202309021850-r)
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4759
    https://www.cve.org/CVERecord?id=CVE-2023-4759

Please adjust the affected versions in the BTS as needed.
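Added example, not part of Moritz's report and not JGit or Debian code: a small Python check that scans `git ls-tree -r` output for the repository shape the advisory describes. It assumes (this is an assumption, not stated in the CVE text) that the crafted tree contains a symlink whose path differs only in case from a directory that other entries live in; on a case-insensitive filesystem the directory name resolves to the symlink, so those files are written wherever the link points. The sample ls-tree output, its object ids and the function names `parse_ls_tree`, `find_symlink_collisions` and `scan` are constructed here.

```python
"""Added check for the CVE-2023-4759 repository shape (not JGit code).

Reads `git ls-tree -r <rev>` output and reports tree entries whose
directory path, compared case-insensitively, coincides with a symlink in
the same tree. On a case-insensitive filesystem the directory name
resolves to the symlink, so the file is written wherever the link points,
which may be outside the working tree.
"""

SYMLINK_MODE = "120000"  # git tree entry mode for a symbolic link

# Constructed sample of `git ls-tree -r HEAD` output; the object ids are
# placeholders, not real blobs. "A" is a symlink and "a/notes.txt" sits in
# a directory whose name differs from the symlink only in case.
SAMPLE_LS_TREE = """\
100644 blob 1111111111111111111111111111111111111111\tREADME.md
120000 blob 2222222222222222222222222222222222222222\tA
100644 blob 3333333333333333333333333333333333333333\ta/notes.txt
100644 blob 4444444444444444444444444444444444444444\tsrc/main.c
"""


def parse_ls_tree(text: str) -> list[tuple[str, str]]:
    """Return (mode, path) pairs from plain `git ls-tree -r` output.

    Assumes paths without characters git would quote; for arbitrary names
    use `git ls-tree -r -z` and split on NUL instead of newlines.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        meta, sep, path = line.partition("\t")
        if not sep:
            raise ValueError(f"not an ls-tree line: {line!r}")
        mode = meta.split()[0]  # "<mode> <type> <object>" before the tab
        entries.append((mode, path))
    return entries


def find_symlink_collisions(entries):
    """Return (path, symlink_path) pairs for entries written through a symlink.

    An entry is flagged when any proper prefix of its path (one of its
    directory components) equals a symlink path ignoring case. A valid git
    tree cannot hold a symlink and a directory with the identical name, so
    every hit is a case-insensitive collision.
    """
    symlinks = {p.casefold(): p for mode, p in entries if mode == SYMLINK_MODE}
    hits = []
    for _mode, path in entries:
        parts = path.split("/")
        for depth in range(1, len(parts)):
            prefix = "/".join(parts[:depth]).casefold()
            if prefix in symlinks:
                hits.append((path, symlinks[prefix]))
                break
    return hits


def scan(ls_tree_text: str) -> list[tuple[str, str]]:
    """Parse ls-tree output and return the colliding entries."""
    return find_symlink_collisions(parse_ls_tree(ls_tree_text))


if __name__ == "__main__":
    for path, link in scan(SAMPLE_LS_TREE):
        print(f"{path}: written through symlink {link} on a case-insensitive FS")
```

Run it against `git ls-tree -r <rev>` taken from a bare clone (a bare clone performs no checkout, so nothing is written to a working tree while you inspect it) before letting an unpatched JGit check the repository out on Windows or macOS. It is a triage aid only; the advisory's own mitigations, upgrading to 6.6.1.202309021850-r / 6.7.0.202309050840-r or setting `core.symlinks = false` before checkout, remain the fix.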



More information about the pkg-java-maintainers mailing list