Git - v2.30.8


This release addresses the security issues CVE-2023-22490 and

Fixes since v2.30.7

  • CVE-2023-22490:

Using a specially-crafted repository, Git can be tricked into using
its local clone optimization even when using a non-local transport.
Though Git will abort local clones whose source $GIT_DIR/objects
directory contains symbolic links (c.f., CVE-2022-39253), the objects
directory itself may still be a symbolic link.

These two may be combined to include arbitrary files based on known
paths on the victim's filesystem within the malicious repository's
working copy, allowing for data exfiltration in a similar manner as

  • CVE-2023-23946:

By feeding a crafted input to "git apply", a path outside the
working tree can be overwritten as the user who is running "git

  • A mismatched type in attr.c::read_attr_from_index() which could
    cause Git to errantly reject attributes on Windows and 32-bit Linux
    has been corrected.

Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was
developed by Taylor Blau, with additional help from others on the
Git security mailing list.

Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the
fix was developed by Patrick Steinhardt.

Johannes Schindelin (1):
attr: adjust a mismatched data type

Patrick Steinhardt (1):
apply: fix writing behind newly created symbolic links

Taylor Blau (3):
t5619: demonstrate clone_local() with ambiguous transport
clone: delay picking a transport until after get_repo_path()
dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS


Register or login to:
  • 🔍View and search all Git releases.
  • 🛠️Create and share lists to track your tools.
  • 🚨Setup notifications for major, security, feature or patch updates.
  • 🚀Much more coming soon!
Continue with GitHub
Continue with Google