FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

git -- Multiple vulnerabilities

Affected packages
git < 2.38.1
git-lite < 2.38.1
git-tiny < 2.38.1


VuXML ID 2523bc76-4f01-11ed-929b-002590f2a714
Discovery 2022-06-09
Entry 2022-10-18

This release contains 2 security fixes:


When relying on the `--local` clone optimization, Git dereferences symbolic links in the source repository before creating hardlinks (or copies) of the dereferenced link in the destination repository. This can lead to surprising behavior where arbitrary files are present in a repository's `$GIT_DIR` when cloning from a malicious repository. Git will no longer dereference symbolic links via the `--local` clone mechanism, and will instead refuse to clone repositories that have symbolic links present in the `$GIT_DIR/objects` directory. Additionally, the value of `protocol.file.allow` is changed to be "user" by default.


An overly-long command string given to `git shell` can result in overflow in `split_cmdline()`, leading to arbitrary heap writes and remote code execution when `git shell` is exposed and the directory `$HOME/git-shell-commands` exists. `git shell` is taught to refuse interactive commands that are longer than 4MiB in size. `split_cmdline()` is hardened to reject inputs larger than 2GiB.


CVE Name CVE-2022-39253
CVE Name CVE-2022-39260