This addresses CVE-2025-46835, Git GUI can create and overwrite a
user's files:
When a user clones an untrusted repository and is tricked into editing
a file located in a maliciously named directory in the repository, then
Git GUI can create and overwrite files for which the user has write
permission.
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
This addresses CVE-2025-46334, Git GUI malicious command injection on
Windows.
A malicious repository can ship versions of sh.exe or typical textconv
filter programs such as astextplain. Due to the unfortunate design of
Tcl on Windows, the search path when looking for an executable always
includes the current directory. The mentioned programs are invoked when
the user selects "Git Bash" or "Browse Files" from the menu.
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABCAAGBQJYCJqmAAoJEDn3Aot9nM55uKQP/11BTzhOr9K3SLzwCr01ylGP
94AOA511vx3fIX5aWQ29S96tGbluo73RdbVsWFKKJcKSErpFPscFEiRkyjeMXE2T
yWWOPOg08tm28ppZNp0Kqjb8VykUUKuG6gVT59DNFUZUqHYQbiQy+t8nwT+Qow3U
dvo6lksovfSaW2FORWIi5KF5gD4v2F9qsbFgr725a8UoBrOmF0SWaCG4/ZYj0WxF
0rq8LjpvmMuQqd06DAoGMIsHa71R61En2QWfJ4YoE5+QRq8wQl37FmX+ojiA1rzY
CG/vJO2Tw4v54wHKK1TCXG7LR4JhTcQZOa6zd8HHsPRn+viGDCMVUG9uMewfxH+m
F47EVMxiKf0subm3fUhycqkvso0r6mOAddhz47RKT7tqU4XOnhPyGw0x6m7evawg
Sz2+fOK3wwX2Qec5o3vBZKaEcOftSrLuZmbi5/j43crvcf+OAs9s/jdq/Ulpkks2
JI2i0DLzHABTbDn6QsuysEZnituks8T8Fdm5NOldritgBNVY81ifatekFscxt6Ct
OrT9eGJk6iZiX1RvS+R7wykKJCBkxiyHqM8vSj5tPWjApgtnopPMudzNX41geaL9
ADeb8LVMTTNL/md8KED0deypilcPNnPbW035rAbyCpAsKbtgO3zdfzdzxsQ+dIvc
MQpCDP5QPPr3toRVdNmb
=VyhL
-----END PGP SIGNATURE-----
Merge tag 'gitgui-0.21.0' of git://repo.or.cz/git-gui
git-gui 0.21.0
* tag 'gitgui-0.21.0' of git://repo.or.cz/git-gui: (22 commits)
git-gui: set version 0.21
git-gui: Mark 'All' in remote.tcl for translation
git-gui i18n: Updated Bulgarian translation (565,0f,0u)
git-gui: avoid persisting modified author identity
git-gui: handle the encoding of Git's output correctly
git-gui: unicode file name support on windows
git-gui: Update Russian translation
git-gui: maintain backwards compatibility for merge syntax
git-gui i18n: mark string in lib/error.tcl for translation
git-gui: fix incorrect use of Tcl append command
git-gui i18n: mark "usage:" strings for translation
git-gui i18n: internationalize use of colon punctuation
git-gui: ensure the file in the diff pane is in the list of selected files
git-gui: support for $FILENAMES in tool definitions
git-gui: fix initial git gui message encoding
git-gui/po/glossary/txt-to-pot.sh: use the $( ... ) construct for command substitution
git-gui (Windows): use git-gui.exe in `Create Desktop Shortcut`
git-gui: fix detection of Cygwin
Amend tab ordering and text widget border and highlighting.
Allow keyboard control to work in the staging widgets.
...
* 'master' of git://repo.or.cz/git-gui: (28 commits)
git-gui 0.16
git-gui: handle shell script text filters when loading for blame.
git-gui: Set both 16x16 and 32x32 icons on X to pacify Xming.
git-gui: added config gui.gcwarning to disable the gc hint message
git-gui: set whitespace warnings appropriate to this project
git-gui: don't warn for detached head when rebasing
git-gui: make config gui.warndetachedcommit a boolean
git-gui: add config value gui.diffopts for passing additional diff options
git-gui: sort the numeric ansi codes
git-gui: support underline style when parsing diff output
git-gui: fix spelling error in sshkey.tcl
git-gui: include the file path in guitools confirmation dialog
git-gui: span widgets over the full file output area in the blame view
git-gui: use a tristate to control the case mode in the searchbar
git-gui: set suitable extended window manager hints.
git-gui: fix display of path in browser title
git-gui: enable the smart case sensitive search only if gui.search.smartcase is true
git-gui: catch invalid or complete regular expressions and treat as no match.
git-gui: theme the search and line-number entry fields on blame screen
git-gui: include the number of untracked files to stage when asking the user
...
* git://repo.or.cz/git-gui:
git-gui: Fixes for Mac OS X TkAqua
git-gui: Update Russian translation
git-gui: run post-checkout hook after clone
git-gui: Ensure consistent usage of mergetool.keepBackup
git-gui: fix use of undeclared variable diff_empty_count
git-gui (Win): make starting via "Git GUI Here" on .git/ possible
git-gui (Win): make "Explore Working Copy" more robust
git-gui: run post-checkout hook on checkout
git-gui: When calling post-commit hook wrong variable was cleared.
git-gui: use `git --html-path` to get the location of installed HTML docs
git-gui: fix deleting from the context menu with empty selection
git-gui: minor spelling fix and string factorisation.
git-gui: various French translation fixes
git-gui: Fix merge conflict display error when filename contains spaces
git-gui: don't hide the Browse button when resizing the repo chooser
Append ampersand to "Target" of lnk files created by do_cygwin_shortcut
git-gui: Support more git version notations.
git-gui: Avoid an infinite rescan loop in handle_empty_diff.
git-gui: Fix post-commit status with subject in non-locale encoding
* git://repo.or.cz/git-gui:
git-gui: Fix the search bar destruction handler.
Update the po template
git-gui: Implement automatic rescan after Tool execution.
git-gui: Allow Tools request arguments from the user.
git-gui: Add a Tools menu for arbitrary commands.
git-gui: Fix the after callback execution in rescan.
git-gui: Implement system-wide configuration handling.
git-gui: try to provide a window icon under X
Johannes Sixt