Bug 2188337 (CVE-2023-25815)
| Summary: | CVE-2023-25815 git: malicious placement of crafted messages when git was compiled with runtime prefix | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sandipan Roy <saroy> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | acrosby, adudiak, bdettelb, caswilli, dffrench, dkuc, fjansen, gzaronik, hbraun, hhorak, hkataria, ikanias, jary, jburrell, jmitchel, jorton, jtanner, kaycoth, kshier, micjohns, ngough, nweather, opohorel, psegedy, rgodfrey, rravi, security-response-team, stcannon, sthirugn, tkasparek, tmeszaro, tmz, tohughes, tsasak, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A vulnerability was found in Git. This security flaw occurs when Git compiles with runtime prefix support and runs without translated messages, and it still uses the gettext machinery to display messages, which subsequently looks for translated messages in unexpected places. This flaw allows the malicious placement of crafted messages.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-31 18:44:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2188347, 2188348, 2188349, 2188358, 2188360, 2188361, 2188363, 2188367, 2188369, 2188370, 2188371, 2188372, 2188373, 2188374, 2188375, 2189770, 2189771, 2189772 | ||
| Bug Blocks: | 2188310 | ||
|
Description
Sandipan Roy
2023-04-20 13:51:40 UTC
Created git tracking bugs for this issue: Affects: fedora-36 [bug 2189770] Affects: fedora-37 [bug 2189771] Affects: fedora-38 [bug 2189772] Git is not compiled with a runtime prefix in Fedora. Therefore this issue does not affect the Fedora git packages. This is true for the RHEL packages as well, though I'm sure someone from Red Hat will want to make that assessment and update the bugs as needed. I closed all the Fedora bugs. This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:3192 https://access.redhat.com/errata/RHSA-2023:3192 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2023:3243 https://access.redhat.com/errata/RHSA-2023:3243 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:3248 https://access.redhat.com/errata/RHSA-2023:3248 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:3245 https://access.redhat.com/errata/RHSA-2023:3245 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3246 https://access.redhat.com/errata/RHSA-2023:3246 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:3247 https://access.redhat.com/errata/RHSA-2023:3247 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2023:3280 https://access.redhat.com/errata/RHSA-2023:3280 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2023:3382 https://access.redhat.com/errata/RHSA-2023:3382 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-25815 |