CVE-2023-29007: 
vulnerability analysis and mitigation

CVE-2023-29007 affects Git, a distributed revision control system. The vulnerability was discovered by André Baptista and Vítor Pinho of Ethiack and disclosed in April 2023. The issue affects Git versions prior to 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. The vulnerability involves a specially crafted .gitmodules file with submodule URLs longer than 1024 characters that can exploit a bug in config.c::git_config_copy_or_rename_section_in_file() (GitHub Advisory, NVD).

The vulnerability exists in the function responsible for renaming or deleting existing configuration sections in-place. When processing submodule URLs longer than 1024 characters, the system can improperly treat configuration values as the beginning of new sections. This occurs specifically in the git_config_copy_or_rename_section_in_file() function. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) by NVD and 7.0 (HIGH) by GitHub, with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, GitHub Advisory).

When exploited, this vulnerability can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. The attacker can inject configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.), potentially leading to remote code execution (GitHub Advisory).

As a workaround, users should avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config. The permanent fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1 (NVD, GitHub Advisory).