Source: Ubuntu.com (ubuntucve), ID UB:CVE-2023-29007
Published: Apr 25, 2023 - 12:00 a.m.

CVE-2023-29007

CVSS3: 7.8 High

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.004 Low (Percentile: 75.0%)

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a
specially crafted .gitmodules file with submodule URLs that are longer
than 1024 characters can be used to exploit a bug in
config.c::git_config_copy_or_rename_section_in_file(). This bug can be
used to inject arbitrary configuration into a user's $GIT_DIR/config when
attempting to remove the configuration section associated with that
submodule. When the attacker injects configuration values which specify
executables to run (such as core.pager, core.editor, core.sshCommand,
etc.), this can lead to remote code execution. A fix is available in
versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7,
2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running
git submodule deinit on untrusted repositories or without prior inspection
of any submodule sections in $GIT_DIR/config.
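
One way to do the inspection the workaround calls for, as an added example (not code from Ubuntu or the Git project): it flags lines longer than 1024 characters in .gitmodules or $GIT_DIR/config and any setting of the executable-specifying keys the advisory names. The function name, the simplified line-based parsing, and the sample input are assumptions made for illustration.

```python
import re
import sys

LIMIT = 1024  # length named in the advisory, used here as a review threshold
# Settings the advisory lists as specifying executables to run.
EXEC_KEYS = {"core.pager", "core.editor", "core.sshcommand"}
HEADER = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
KEY = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=|$)')


def audit_git_config(text):
    """Return (line_number, kind, detail) findings for a Git config text.

    kind is "long-line" (line exceeds LIMIT characters) or "exec-key"
    (a setting from EXEC_KEYS is present). Parsing is line-based and
    simplified: it assumes one setting per line and no continuations.
    """
    findings = []
    section, subsection = None, None
    for number, line in enumerate(text.split("\n"), 1):
        header = HEADER.match(line)
        if header:
            section, subsection = header.group(1).lower(), header.group(2)
        where = section or "(no section)"
        if subsection is not None:
            where = f'{section} "{subsection}"'
        if len(line) > LIMIT:
            findings.append((number, "long-line", where))
        key = None if header else KEY.match(line)
        if key and section:
            name = f"{section}.{key.group(1).lower()}"
            if name in EXEC_KEYS:
                findings.append((number, "exec-key", name))
    return findings


# Constructed sample: one ordinary submodule, one with an over-long URL.
SAMPLE = (
    '[core]\n\tpager = less\n'
    '[submodule "docs"]\n\turl = https://example.invalid/docs.git\n'
    '[submodule "vendor/lib"]\n\turl = https://example.invalid/'
    + "a" * 1100 + "\n"
)

if __name__ == "__main__":
    # Usage: python audit.py .gitmodules .git/config  (no arguments: sample)
    texts = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]]
    for text in texts or [SAMPLE]:
        for finding in audit_git_config(text):
            print(*finding)
```

A finding is a prompt for manual review before running git submodule deinit, not proof of tampering; an empty result does not replace upgrading to a fixed package.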

| OS | OS Version | Architecture | Package | Package Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | git | < 1:2.17.1-1ubuntu0.18 | UNKNOWN |
| ubuntu | 20.04 | noarch | git | < 1:2.25.1-1ubuntu3.11 | UNKNOWN |
| ubuntu | 22.04 | noarch | git | < 1:2.34.1-1ubuntu1.9 | UNKNOWN |
| ubuntu | 22.10 | noarch | git | < 1:2.37.2-1ubuntu1.5 | UNKNOWN |
| ubuntu | 23.04 | noarch | git | < 1:2.39.2-1ubuntu1.1 | UNKNOWN |
| ubuntu | 16.04 | noarch | git | < 1:2.7.4-0ubuntu1.10+esm7 | UNKNOWN |
