Bug 1215298 (CVE-2023-4759)

Summary: VUL-0: CVE-2023-4759: jgit,eclipse-jgit: arbitrary file overwrite
Product: [Novell Products] SUSE Security Incidents
Reporter: Cathy Hu <cathy.hu>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: fstrba, security-team, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/378072/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-4759:7.5:(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Cathy Hu 2023-09-13 10:51:33 UTC
CVE-2023-4759

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0

In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.

This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.

The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.

Setting git configuration option core.symlinks = false before checking out avoids the problem.

The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ .

The JGit maintainers would like to thank RyotaK for finding and reporting this issue.

https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1
https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4759
https://bugzilla.redhat.com/show_bug.cgi?id=2238614
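The checkout sequence the advisory above describes, as an added example that is not part of this bug report or of JGit's code base: a small Python simulation of a checkout on a case-insensitive filesystem. Case-insensitivity is emulated by folding every path to lower case before it touches disk, so the script runs on Linux; the repository contents, the `Hooks`/`hooks/pre-commit` names and the sibling `outside` directory are all constructed for illustration. The `symlinks_enabled=False` mode emulates the `core.symlinks = false` workaround by writing the link out as a plain file, which is how git checks out symlinks when they are disabled. The `contain_paths` realpath containment check is a hypothetical hardening step written for this example and is not the JGit fix referenced above.

```python
"""
Added example, not JGit's code: simulate the CVE-2023-4759 checkout
sequence on a case-insensitive filesystem and show two defences.
Repository contents, names and paths are constructed for illustration.
"""
import os
import tempfile

# Constructed contents of a malicious repository, in checkout order.
# Entry 1 is a symlink whose target lies outside the work tree; entry 2 is a
# regular file whose parent directory name differs from the symlink only in
# case, so a case-insensitive filesystem treats both names as the same path.
MALICIOUS_TREE = [
    ("symlink", "Hooks", "../outside"),
    ("file", "hooks/pre-commit", "#!/bin/sh\necho pwned\n"),
]


def fold_case(rel_path):
    """Emulate a case-insensitive filesystem by folding each path to lower case."""
    return rel_path.lower()


def checkout(worktree, tree, symlinks_enabled=True, contain_paths=False):
    """Write `tree` under `worktree` the way a naive checkout would.

    symlinks_enabled=False emulates core.symlinks=false: symlinks are written
    out as plain files holding the link target, as git does.
    contain_paths=True adds a hypothetical hardening step (not the JGit fix):
    the parent of every path is resolved with realpath and the write is
    refused if it leaves the work tree.
    Returns the real locations that were written.
    """
    root = os.path.realpath(worktree)
    written = []
    for mode, rel_path, content in tree:
        dest = os.path.join(worktree, fold_case(rel_path))
        parent = os.path.dirname(dest)
        if contain_paths:
            real_parent = os.path.realpath(parent)
            if os.path.commonpath([root, real_parent]) != root:
                raise PermissionError(
                    f"refusing to write {rel_path!r}: parent resolves to {real_parent}")
        os.makedirs(parent, exist_ok=True)
        if mode == "symlink" and symlinks_enabled:
            os.symlink(content, dest)
        else:
            with open(dest, "w") as fh:
                fh.write(content)
        # Record where the entry really landed (parent resolved, name kept).
        written.append(os.path.join(os.path.realpath(parent), os.path.basename(dest)))
    return written


def run_scenario(symlinks_enabled=True, contain_paths=False):
    """Run one checkout in a fresh temp dir; report whether any file escaped."""
    with tempfile.TemporaryDirectory() as base:
        worktree = os.path.join(base, "clone")
        outside = os.path.join(base, "outside")  # existing directory next to the clone
        os.mkdir(worktree)
        os.mkdir(outside)
        root = os.path.realpath(worktree)
        try:
            written = checkout(worktree, MALICIOUS_TREE, symlinks_enabled, contain_paths)
            error = None
        except OSError as exc:  # PermissionError and FileExistsError are both OSError
            written, error = [], f"{type(exc).__name__}: {exc}"
        escaped = [p for p in written if os.path.commonpath([root, p]) != root]
        return {
            "escaped": bool(escaped),
            "outside_files": sorted(os.listdir(outside)),
            "error": error,
        }


if __name__ == "__main__":
    print("vulnerable  :", run_scenario())
    print("symlinks off:", run_scenario(symlinks_enabled=False))
    print("contained   :", run_scenario(contain_paths=True))
```

In the vulnerable run the second entry is written through the `hooks` symlink and `pre-commit` lands in the sibling `outside` directory. With symlinks disabled the first entry becomes a plain file, so creating `hooks/pre-commit` fails on a non-directory; with the containment check the write is refused once the parent resolves outside the work tree. In both mitigated runs the first entry is still created inside the clone; what matters is that nothing is written through it.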
Comment 1 Cathy Hu 2023-09-13 10:53:17 UTC
Affected:
- SUSE:SLE-15-SP2:Update/jgit          5.11.0
- openSUSE:Factory/eclipse-jgit        5.11.0
- openSUSE:Factory/jgit                5.11.0

Affected, but unsupported:
- SUSE:SLE-15-SP2:Update/eclipse-jgit  5.11.0
Comment 4 OBSbugzilla Bot 2023-10-10 16:33:45 UTC
This is an autogenerated message for OBS integration:
This bug (1215298) was mentioned in
https://build.opensuse.org/request/show/1116714 Factory / eclipse-jgit
Comment 5 OBSbugzilla Bot 2023-10-10 20:33:44 UTC
This is an autogenerated message for OBS integration:
This bug (1215298) was mentioned in
https://build.opensuse.org/request/show/1116733 Factory / eclipse-jgit
Comment 9 Maintenance Automation 2024-01-08 20:30:05 UTC
SUSE-SU-2024:0057-1: An update that solves one vulnerability, contains two features and has two security fixes can now be installed.

Category: security (important)
Bug References: 1209646, 1211955, 1215298
CVE References: CVE-2023-4759
Jira References: PED-6376, PED-6377
Sources used:
openSUSE Leap 15.4 (src): eclipse-jgit-5.11.0-150200.3.15.2, jgit-5.11.0-150200.3.15.2, jsch-0.2.9-150200.11.10.1
openSUSE Leap 15.5 (src): eclipse-jgit-5.11.0-150200.3.15.2, jsch-0.2.9-150200.11.10.1
Development Tools Module 15-SP4 (src): jsch-0.2.9-150200.11.10.1
Development Tools Module 15-SP5 (src): jsch-0.2.9-150200.11.10.1
SUSE Manager Server 4.3 Module 4.3 (src): jsch-0.2.9-150200.11.10.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): jsch-0.2.9-150200.11.10.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): jsch-0.2.9-150200.11.10.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): jsch-0.2.9-150200.11.10.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): jsch-0.2.9-150200.11.10.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): jsch-0.2.9-150200.11.10.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): jsch-0.2.9-150200.11.10.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): jsch-0.2.9-150200.11.10.1
SUSE Enterprise Storage 7.1 (src): jsch-0.2.9-150200.11.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Fridrich Strba 2024-03-05 09:38:17 UTC
jgit is a link/multibuild flavour of eclipse-jgit. This one is fixed. Resetting to default for closing.
Comment 12 Andrea Mattiazzo 2024-07-03 13:36:34 UTC
All done, closing.