SUSE update for git

Published: 2023-01-20 | Updated: 2023-02-15

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2022-23521 CVE-2022-41903
CWE-ID	CWE-190 CWE-122
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	SUSE Linux Enterprise Server for SAP Operating systems & Components / Operating system SUSE Linux Enterprise Server Operating systems & Components / Operating system SUSE Linux Enterprise Realtime Extension Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing Operating systems & Components / Operating system SUSE Enterprise Storage Operating systems & Components / Operating system SUSE Manager Retail Branch Server Operating systems & Components / Operating system SUSE Manager Server Operating systems & Components / Operating system SUSE Manager Proxy Operating systems & Components / Operating system SUSE Linux Enterprise Module for Development Tools Operating systems & Components / Operating system SUSE Linux Enterprise Module for Basesystem Operating systems & Components / Operating system SUSE Linux Enterprise Desktop Operating systems & Components / Operating system openSUSE Leap Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications Operating systems & Components / Operating system git-doc Operating systems & Components / Operating system package or component perl-Git Operating systems & Components / Operating system package or component gitk Operating systems & Components / Operating system package or component git-web Operating systems & Components / Operating system package or component git-svn Operating systems & Components / Operating system package or component git-p4 Operating systems & Components / Operating system package or component git-gui Operating systems & Components / Operating system package or component git-email Operating systems & Components / Operating system package or component git-debugsource Operating systems & Components / Operating system package or component git-debuginfo Operating systems & Components / Operating system package or component git-daemon-debuginfo Operating systems & Components / Operating system package or component git-daemon Operating systems & Components / Operating system package or component git-cvs Operating systems & Components / Operating system package or component git-credential-libsecret-debuginfo Operating systems & Components / Operating system package or component git-credential-libsecret Operating systems & Components / Operating system package or component git-credential-gnome-keyring-debuginfo Operating systems & Components / Operating system package or component git-credential-gnome-keyring Operating systems & Components / Operating system package or component git-core-debuginfo Operating systems & Components / Operating system package or component git-core Operating systems & Components / Operating system package or component git-arch Operating systems & Components / Operating system package or component git Operating systems & Components / Operating system package or component
Vendor	SUSE

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Integer overflow

EUVDB-ID: #VU71239

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23521

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when parsing the .gitattributes attributes. A remote attacker can trick the victim into cloning a specially crafted repository and execute arbitrary code on the system.

Mitigation

Update the affected package git to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP: 15-SP3

SUSE Linux Enterprise Server: 15-SP3-LTSS - 15-SP4

SUSE Linux Enterprise Realtime Extension: 15-SP3

SUSE Linux Enterprise High Performance Computing: 15-SP3-ESPOS - 15-SP4

SUSE Enterprise Storage: 7.1

SUSE Manager Retail Branch Server: 4.2 - 4.3

SUSE Manager Server: 4.2 - 4.3

SUSE Manager Proxy: 4.2 - 4.3

SUSE Linux Enterprise Module for Development Tools: 15-SP4

SUSE Linux Enterprise Module for Basesystem: 15-SP4

SUSE Linux Enterprise Desktop: 15-SP4

openSUSE Leap: 15.4

SUSE Linux Enterprise Server for SAP Applications: 15-SP4

git-doc: before 2.35.3-150300.10.21.1

perl-Git: before 2.35.3-150300.10.21.1

gitk: before 2.35.3-150300.10.21.1

git-web: before 2.35.3-150300.10.21.1

git-svn: before 2.35.3-150300.10.21.1

git-p4: before 2.35.3-150300.10.21.1

git-gui: before 2.35.3-150300.10.21.1

git-email: before 2.35.3-150300.10.21.1

git-debugsource: before 2.35.3-150300.10.21.1

git-debuginfo: before 2.35.3-150300.10.21.1

git-daemon-debuginfo: before 2.35.3-150300.10.21.1

git-daemon: before 2.35.3-150300.10.21.1

git-cvs: before 2.35.3-150300.10.21.1

git-credential-libsecret-debuginfo: before 2.35.3-150300.10.21.1

git-credential-libsecret: before 2.35.3-150300.10.21.1

git-credential-gnome-keyring-debuginfo: before 2.35.3-150300.10.21.1

git-credential-gnome-keyring: before 2.35.3-150300.10.21.1

git-core-debuginfo: before 2.35.3-150300.10.21.1

git-core: before 2.35.3-150300.10.21.1

git-arch: before 2.35.3-150300.10.21.1

git: before 2.35.3-150300.10.21.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20230110-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Heap-based buffer overflow

EUVDB-ID: #VU71238