This addresses CVE-2025-46835, Git GUI can create and overwrite a
user's files:
When a user clones an untrusted repository and is tricked into editing
a file located in a maliciously named directory in the repository, then
Git GUI can create and overwrite files for which the user has write
permission.
Signed-off-by: Johannes Sixt <j6t@kdbg.org>

This addresses CVE-2025-46334, Git GUI malicious command injection on
Windows.
A malicious repository can ship versions of sh.exe or typical textconv
filter programs such as astextplain. Due to the unfortunate design of
Tcl on Windows, the search path when looking for an executable always
includes the current directory. The mentioned programs are invoked when
the user selects "Git Bash" or "Browse Files" from the menu.
Signed-off-by: Johannes Sixt <j6t@kdbg.org>

* https://github.com/prati0100/git-gui:
git-gui - use mkshortcut on Cygwin
git-gui - use cygstart to browse on Cygwin
git-gui - remove obsolete Cygwin specific code
git gui Makefile - remove Cygwin modifications
Makefiles: change search through $(MAKEFLAGS) for GNU make 4.4
Work around Tcl's default `PATH` lookup
Move the `_which` function (almost) to the top
Move is_<platform> functions to the beginning
is_Cygwin: avoid `exec`ing anything
windows: ignore empty `PATH` elements
git-gui: Fix a typo in README
Merge tag 'gitgui-0.21.0' of git://repo.or.cz/git-gui
git-gui 0.21.0
* tag 'gitgui-0.21.0' of git://repo.or.cz/git-gui: (22 commits)
git-gui: set version 0.21
git-gui: Mark 'All' in remote.tcl for translation
git-gui i18n: Updated Bulgarian translation (565,0f,0u)
git-gui: avoid persisting modified author identity
git-gui: handle the encoding of Git's output correctly
git-gui: unicode file name support on windows
git-gui: Update Russian translation
git-gui: maintain backwards compatibility for merge syntax
git-gui i18n: mark string in lib/error.tcl for translation
git-gui: fix incorrect use of Tcl append command
git-gui i18n: mark "usage:" strings for translation
git-gui i18n: internationalize use of colon punctuation
git-gui: ensure the file in the diff pane is in the list of selected files
git-gui: support for $FILENAMES in tool definitions
git-gui: fix initial git gui message encoding
git-gui/po/glossary/txt-to-pot.sh: use the $( ... ) construct for command substitution
git-gui (Windows): use git-gui.exe in `Create Desktop Shortcut`
git-gui: fix detection of Cygwin
Amend tab ordering and text widget border and highlighting.
Allow keyboard control to work in the staging widgets.
...
* git://repo.or.cz/git-gui:
git-gui: fix size and position of window panes on startup
git-gui: mc cannot be used before msgcat has been loaded
git-gui: use textconv filter for diff and blame
git-gui: Avoid using the <<Copy>> binding as a menu accelerator on win32
git-gui: fix shortcut creation on cygwin
git-gui: fix PATH environment for mingw development environment
git-gui: fix usage of _gitworktree when creating shortcut for windows
git-gui: fix "Explore Working Copy" for Windows again
git-gui: fix usage of themed widgets variable
git-gui: Handle failure of core.worktree to identify the working directory.
git-gui: check whether system's nice command works or disable it
* git://repo.or.cz/git-gui:
git-gui: update french translation
git-gui: update Japanese translation
git-gui: fix shortcut for menu "Commit/Revert Changes"
git-gui: Quote git path when starting another gui in a submodule
git-gui: update Italian translation
git-gui: Update Swedish translation (520t0f0u)
git-gui: use themed tk widgets with Tk 8.5
git-gui: Update German translation (12 new or changed strings).
git-gui: Update translation template
git-gui: Remove unused icon file_parttick
git-gui: use different icon for new and modified files in the index
git-gui: set GIT_DIR and GIT_WORK_TREE after setup
git-gui: update shortcut tools to use _gitworktree
git-gui: handle bare repos correctly
git-gui: handle non-standard worktree locations
git-gui: Support applying a range of changes at once
git-gui: Add a special diff popup menu for submodules
git-gui: Use git diff --submodule when available
* git://repo.or.cz/git-gui:
git-gui: Fixes for Mac OS X TkAqua
git-gui: Update Russian translation
git-gui: run post-checkout hook after clone
git-gui: Ensure consistent usage of mergetool.keepBackup
git-gui: fix use of undeclared variable diff_empty_count
git-gui (Win): make starting via "Git GUI Here" on .git/ possible
git-gui (Win): make "Explore Working Copy" more robust
git-gui: run post-checkout hook on checkout
git-gui: When calling post-commit hook wrong variable was cleared.
git-gui: use `git --html-path` to get the location of installed HTML docs
git-gui: fix deleting from the context menu with empty selection
git-gui: minor spelling fix and string factorisation.
git-gui: various French translation fixes
git-gui: Fix merge conflict display error when filename contains spaces
git-gui: don't hide the Browse button when resizing the repo chooser
Append ampersand to "Target" of lnk files created by do_cygwin_shortcut
git-gui: Support more git version notations.
git-gui: Avoid an infinite rescan loop in handle_empty_diff.
git-gui: Fix post-commit status with subject in non-locale encoding
* git://repo.or.cz/git-gui: (96 commits)
git-gui 0.9.0
git-gui: Bind Meta-T for "Stage To Commit" menu action
git-gui: Allow users to set font weights to bold
git-gui: Update Japanese strings (part 2)
git-gui: Update Japanese strings
Updated Russian translation of git-gui
po2msg: actually output statistics
po2msg: ignore untranslated messages
po2msg: ignore entries marked with "fuzzy"
git-gui: Protect against bad translation strings
git-gui: Make sure we get errors from git-update-index
More updates and corrections to the Russian translation of git-gui
Updated Russian translation.
git-gui: Update German translation
git-gui: Add more terms to glossary.
git-gui: Paper bag fix the global config parsing
git-gui: Honor a config.mak in git-gui's top level
git-gui: Collapse $env(HOME) to ~/ in recent repositories on Windows
git-gui: Support cloning Cygwin based work-dirs
git-gui: Use proper Windows shortcuts instead of bat files
...
* commit 'git-gui/master': (36 commits)
git-gui: Change prior tree SHA-1 verification to use git_read
git-gui: Include a space in Cygwin shortcut command lines
git-gui: Use sh.exe in Cygwin shortcuts
git-gui: Paper bag fix for Cygwin shortcut creation
git-gui: Improve the Windows and Mac OS X shortcut creators
git-gui: Teach console widget to use git_read
git-gui: Perform our own magic shbang detection on Windows
git-gui: Treat `git version` as `git --version`
git-gui: Assume unfound commands are known by git wrapper
git-gui: Correct gitk installation location
git-gui: Always use absolute path to all git executables
git-gui: Show a progress meter for checking out files
git-gui: Change the main window progress bar to use status_bar
git-gui: Extract blame viewer status bar into mega-widget
git-gui: Allow double-click in checkout dialog to start checkout
git-gui: Default selection to first matching ref
git-gui: Unabbreviate commit SHA-1s prior to display
git-gui: Refactor branch switch to support detached head
git-gui: Refactor our ui_status_value update technique
git-gui: Better handling of detached HEAD
...
* 'master' of git://repo.or.cz/git-gui:
git-gui: Use vi-like keys in merge dialog
git-gui: Include commit id/subject in merge choices
git-gui: Show all possible branches for merge
git-gui: Move merge support into a namespace
git-gui: Allow vi keys to scroll the diff/blame regions
git-gui: Move console procs into their own namespace
git-gui: Refactor into multiple files to save my sanity
git-gui: Track our own embedded values and rebuild when they change
git-gui: Refactor to use our git proc more often
git-gui: Use option database defaults to set the font
git-gui: Cleanup common font handling for font_ui
git-gui: Correct line wrapping for too many branch message
git-gui: Warn users before making an octopus merge
git-gui: Include the subject in the status bar after commit
Also perform an evil merge change to update Git's main Makefile to
pass the proper options down into git-gui now that it depends on
reasonable values for 'sharedir' and 'TCL_PATH'.
Signed-off-by: Shawn O. Pearce <spearce@spearce.org>