CVE-2023-25815: When Git is compiled with runtime prefix support and runs without translated messages, it still initialized the gettext machinery to display messages, which could then search for message catalogs in unexpected places. An attacker able to write to such a location could plant crafted messages that Git would display.
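To make the mechanism above concrete, here is an added example (not Git's source and not from this bug report) that models the decision a runtime-prefix build has to make before using gettext. It assumes the executable lives at `<prefix>/bin/<name>`, that catalogs live under `<prefix>/share/locale`, and uses a stand-in `DEFAULT_LOCALEDIR` for whatever libintl was compiled with; no libintl call is made. The unsafe variant always proceeds with gettext setup, so when the catalog directory under the prefix is missing the lookup falls through to the compiled-in default, a location the installation does not control. The hardened variant refuses to initialise gettext at all in that case and the messages stay untranslated.

```c
/* Added example, not Git's code: runtime-prefix catalog lookup,
 * unsafe fallback versus the hardened "no directory, no gettext" rule.
 * Assumptions: <prefix>/bin/<name> layout, <prefix>/share/locale catalogs,
 * DEFAULT_LOCALEDIR standing in for libintl's compiled-in default.
 * Build: cc -o prefixcheck prefixcheck.c && ./prefixcheck */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEFAULT_LOCALEDIR "/usr/share/locale" /* stand-in, see comment above */

/* Derive the runtime prefix from the executable path by stripping
 * "/bin/<name>". Returns NULL if the path has no such layout. Static buffer. */
static const char *runtime_prefix(const char *exe_path)
{
    static char prefix[PATH_MAX];
    const char *slash = strrchr(exe_path, '/');
    size_t n;

    if (!slash || slash == exe_path)
        return NULL;
    n = (size_t)(slash - exe_path);               /* length up to "/bin" */
    if (n < 4 || strncmp(exe_path + n - 4, "/bin", 4) != 0)
        return NULL;                              /* parent dir is not "bin" */
    n -= 4;
    if (n == 0 || n >= sizeof prefix)
        return NULL;
    memcpy(prefix, exe_path, n);
    prefix[n] = '\0';
    return prefix;
}

static int is_directory(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Candidate catalog directory under the prefix, or NULL without a prefix. */
static const char *prefix_locale_dir(const char *exe_path)
{
    static char dir[PATH_MAX];
    const char *prefix = runtime_prefix(exe_path);
    if (!prefix)
        return NULL;
    snprintf(dir, sizeof dir, "%s/share/locale", prefix);
    return dir;
}

/* Unsafe shape: gettext is always set up. With no catalog directory under
 * the prefix, bindtextdomain() is never called and libintl searches its
 * compiled-in default, which the installation does not control. */
static const char *locale_dir_unsafe(const char *exe_path)
{
    const char *dir = prefix_locale_dir(exe_path);
    if (dir && is_directory(dir))
        return dir;
    return DEFAULT_LOCALEDIR;
}

/* Hardened shape: NULL means "do not initialise gettext at all". */
static const char *locale_dir_safe(const char *exe_path)
{
    const char *dir = prefix_locale_dir(exe_path);
    return (dir && is_directory(dir)) ? dir : NULL;
}

/* Self-check against a throwaway prefix under /tmp. Returns 1 when both
 * variants behave as described, 0 otherwise. Cleans up after itself. */
static int self_check(void)
{
    char tmpl[] = "/tmp/prefixXXXXXX";
    char exe[PATH_MAX], share[PATH_MAX], locale[PATH_MAX];
    const char *root = mkdtemp(tmpl);
    int ok = 0;

    if (!root)
        return 0;
    snprintf(exe, sizeof exe, "%s/bin/git", root);
    snprintf(share, sizeof share, "%s/share", root);
    snprintf(locale, sizeof locale, "%s/share/locale", root);

    /* 1: no catalog directory, the unsafe variant wanders off to the default;
     * 2: directory present, both variants stay inside the prefix. */
    if (locale_dir_safe(exe) == NULL &&
        strcmp(locale_dir_unsafe(exe), DEFAULT_LOCALEDIR) == 0 &&
        mkdir(share, 0700) == 0 && mkdir(locale, 0700) == 0 &&
        locale_dir_safe(exe) != NULL &&
        strcmp(locale_dir_safe(exe), locale) == 0 &&
        strcmp(locale_dir_unsafe(exe), locale) == 0)
        ok = 1;

    rmdir(locale);
    rmdir(share);
    rmdir(root);
    return ok;
}

int main(void)
{
    int ok = self_check();
    printf("prefix of /opt/git/bin/git: %s\n", runtime_prefix("/opt/git/bin/git"));
    printf("self-check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The point the self-check makes is the one in the description: a build that was never given a catalog directory must not let the library choose one on its own, because the compiled-in default can be a path that exists only on the build machine, or one a local user can create on the target.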
Created git tracking bugs for this issue: Affects: fedora-36 [bug 2189770] Affects: fedora-37 [bug 2189771] Affects: fedora-38 [bug 2189772]
Git is not compiled with a runtime prefix in Fedora. Therefore this issue does not affect the Fedora git packages. This is true for the RHEL packages as well, though I'm sure someone from Red Hat will want to make that assessment and update the bugs as needed. I closed all the Fedora bugs.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:3192 https://access.redhat.com/errata/RHSA-2023:3192
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2023:3243 https://access.redhat.com/errata/RHSA-2023:3243
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:3248 https://access.redhat.com/errata/RHSA-2023:3248
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:3245 https://access.redhat.com/errata/RHSA-2023:3245
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3246 https://access.redhat.com/errata/RHSA-2023:3246
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:3247 https://access.redhat.com/errata/RHSA-2023:3247
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2023:3280 https://access.redhat.com/errata/RHSA-2023:3280
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2023:3382 https://access.redhat.com/errata/RHSA-2023:3382
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-25815