{"id":"MGASA-2023-0163","summary":"Updated git packages fix security vulnerability","details":"By feeding specially crafted input to 'git apply --reject', a path outside\nthe working tree can be overwritten with partially controlled contents\ncorresponding to the rejected hunk(s) from the given patch.\n(CVE-2023-25652).\n\nWhen Git is compiled with runtime prefix support and runs without\ntranslated messages, it still used the gettext machinery to display\nmessages, which subsequently potentially looked for translated messages in\nunexpected places. This allowed for malicious placement of crafted messages\n(CVE-2023-25815).\n\nWhen renaming or deleting a section from a configuration file, certain\nmalicious configuration values may be misinterpreted as the beginning of a\nnew configuration section, leading to arbitrary configuration injection\n(CVE-2023-29007).\n","modified":"2026-04-16T00:11:42.353199835Z","published":"2023-05-06T18:19:07Z","upstream":["CVE-2023-25652","CVE-2023-25815","CVE-2023-29007"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2023-0163.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=31856"},{"type":"WEB","url":"https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.30.9.txt"},{"type":"WEB","url":"https://lore.kernel.org/git/xmqqa5yv3n93.fsf@gitster.g/T/"}],"affected":[{"package":{"name":"git","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/git?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.30.9-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0163.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}