Source: jgit
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for jgit.

CVE-2023-4759[0]:
| Arbitrary File Overwrite in Eclipse JGit <= 6.6.0
|
| In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link
| present in a specially crafted git repository can be used to write a
| file to locations outside the working tree when this repository is
| cloned with JGit to a case-insensitive filesystem, or when a checkout
| from a clone of such a repository is performed on a case-insensitive
| filesystem. This can happen on checkout (DirCacheCheckout), merge
| (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using
| merge), and when applying a patch (PatchApplier). This can be
| exploited for remote code execution (RCE), for instance if the file
| written outside the working tree is a git filter that gets executed
| on a subsequent git command. The issue occurs only on
| case-insensitive filesystems, like the default filesystems on Windows
| and macOS. The user performing the clone or checkout must have the
| rights to create symbolic links for the problem to occur, and
| symbolic links must be enabled in the git configuration. Setting git
| configuration option core.symlinks = false before checking out avoids
| the problem. The issue was fixed in Eclipse JGit version
| 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven
| Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and
| repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ .
| The JGit maintainers would like to thank RyotaK for finding and
| reporting this issue.

https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1 (v6.6.1.202309021850-r)
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4759
    https://www.cve.org/CVERecord?id=CVE-2023-4759

Please adjust the affected versions in the BTS as needed.
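Added example, not part of the bug report or of JGit's own code, showing the workaround the advisory names (core.symlinks = false before checkout) applied through the JGit API, plus an audit that lists symlinks in an existing working tree whose targets escape the tree root under case-insensitive comparison. It assumes the `uri`, `dir` and `branch` parameters are supplied by the caller and that the local branch does not yet exist after the no-checkout clone.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;
import java.util.stream.Stream;

import org.eclipse.jgit.api.Git;
import org.eclipse.jgit.api.errors.GitAPIException;
import org.eclipse.jgit.lib.StoredConfig;

public class SafeClone {

    // Clone without writing the working tree, set core.symlinks = false in the
    // repository config (the advisory's workaround), then check out. With the
    // option off, JGit writes symlink entries as plain files instead of links.
    // Assumes the local branch does not yet exist after the no-checkout clone.
    public static Git cloneWithoutSymlinks(String uri, File dir, String branch)
            throws GitAPIException, IOException {
        Git git = Git.cloneRepository()
                .setURI(uri)
                .setDirectory(dir)
                .setNoCheckout(true)       // nothing written to the working tree yet
                .call();
        StoredConfig cfg = git.getRepository().getConfig();
        cfg.setBoolean("core", null, "symlinks", false);   // core.symlinks = false
        cfg.save();
        git.checkout()
                .setCreateBranch(true)
                .setName(branch)
                .setStartPoint("origin/" + branch)
                .call();
        return git;
    }

    // Audit an already checked-out tree: symlinks whose normalised target, compared
    // case-insensitively (the filesystems the advisory concerns), leaves the root.
    public static List<Path> escapingSymlinks(Path root) throws IOException {
        Path absRoot = root.toAbsolutePath().normalize();
        String rootKey = absRoot.toString().toLowerCase(Locale.ROOT) + File.separator;
        try (Stream<Path> s = Files.walk(absRoot)) {      // does not follow links
            return s.filter(Files::isSymbolicLink).filter(link -> {
                try {
                    Path target = link.getParent().resolve(Files.readSymbolicLink(link)).normalize();
                    return !target.toString().toLowerCase(Locale.ROOT).startsWith(rootKey);
                } catch (IOException e) {
                    return true;                          // unreadable link: flag it
                }
            }).collect(Collectors.toList());
        }
    }
}
```

The audit is a post-hoc check for trees produced by an unpatched version; upgrading to the fixed releases named above remains the actual fix.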