CVE-2023-25815: Git looks for localized messages in the wrong place
First published: Thu Apr 20 2023(Updated: )
A vulnerability was found in Git. This security flaw occurs when Git compiles with runtime prefix support and runs without translated messages, and it still uses the gettext machinery to display messages, which subsequently looks for translated messages in unexpected places. This flaw allows the malicious placement of crafted messages.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Visual Studio 2017 (includes 15.0 - 15.8) | =15.9 | |
| redhat/git | <0:2.39.3-1.el8_8 | 0:2.39.3-1.el8_8 |
| redhat/git | <0:2.18.4-3.el8_1 | 0:2.18.4-3.el8_1 |
| redhat/git | <0:2.18.4-4.el8_2 | 0:2.18.4-4.el8_2 |
| redhat/git | <0:2.27.0-4.el8_4 | 0:2.27.0-4.el8_4 |
| redhat/git | <0:2.31.1-4.el8_6 | 0:2.31.1-4.el8_6 |
| redhat/git | <0:2.39.3-1.el9_2 | 0:2.39.3-1.el9_2 |
| redhat/git | <0:2.31.1-5.el9_0 | 0:2.31.1-5.el9_0 |
| redhat/rh-git227-git | <0:2.27.0-6.el7 | 0:2.27.0-6.el7 |
| Microsoft Visual Studio 2019 (includes 16.0 - 16.10) | =16.11 | |
| Microsoft Visual Studio 2022 | =17.2 | |
| Microsoft Visual Studio 2022 | =17.0 | |
| Microsoft Visual Studio 2022 | =17.4 | |
| Git For Windows Project Git For Windows | <2.40.1 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| debian/git | <=1:2.30.2-1+deb11u2 | 1:2.30.2-1+deb11u3 1:2.39.5-0+deb12u1 1:2.45.2-1 1:2.45.2-1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-25815 (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2023-25815 https://nvd.nist.gov/vuln/detail/CVE-2023-25815
- https://bugzilla.redhat.com/show_bug.cgi?id=2188337
- https://access.redhat.com/errata/RHSA-2023:3246
- https://access.redhat.com/errata/RHSA-2023:3192
- https://access.redhat.com/errata/RHSA-2023:3382
- https://access.redhat.com/errata/RHSA-2023:3243
- https://access.redhat.com/errata/RHSA-2023:3247
- https://access.redhat.com/errata/RHSA-2023:3245
- https://access.redhat.com/errata/RHSA-2023:3248
- https://access.redhat.com/errata/RHSA-2023:3280
- https://access.redhat.com/security/cve/cve-2023-25815
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2189770
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2189771
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2189772
- http://www.openwall.com/lists/oss-security/2023/04/25/2
- https://axcheron.github.io/exploit-101-format-strings/#writing-to-the-stack
- https://github.com/git-for-windows/git/releases/tag/v2.40.1.windows.1
- https://github.com/git-for-windows/git/security/advisories/GHSA-9w66-8mq8-5vm8
- https://github.com/msys2/MINGW-packages/pull/10461
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
- https://pubs.opengroup.org/onlinepubs/9699919799/functions/printf.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
- https://security.gentoo.org/glsa/202312-15
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25815
- https://nvd.nist.gov/vuln/detail/CVE-2023-25815
- https://launchpad.net/bugs/cve/CVE-2023-25815
- https://security-tracker.debian.org/tracker/CVE-2023-25815
- https://ubuntu.com/security/CVE-2023-25815
- https://lore.kernel.org/lkml/xmqqa5yv3n93.fsf@gitster.g/
- https://github.com/git/git/commit/c4137be0f5a6edf9a9044e6e43ecf4468c7a4046
Parent vulnerabilities
(Appears in the following advisories)
- collector/msrc
- collector/msrc-cve
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-25815
- agent/weakness
- agent/remedy
- agent/title
- agent/severity
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/references
- agent/tags
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/nvd-cve
- agent/last-modified-date
- agent/trending
- vendor/microsoft
- canonical/microsoft visual studio 2017 (includes 15.0 - 15.8)
- version/microsoft visual studio 2017 (includes 15.0 - 15.8)/15.9
- package-manager/redhat
- canonical/microsoft visual studio 2019 (includes 16.0 - 16.10)
- version/microsoft visual studio 2019 (includes 16.0 - 16.10)/16.11
- canonical/microsoft visual studio 2022
- version/microsoft visual studio 2022/17.2
- version/microsoft visual studio 2022/17.0
- version/microsoft visual studio 2022/17.4
- version/microsoft visual studio 2022/17.6
- vendor/git for windows project
- canonical/git for windows project git for windows
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- package-manager/debian