74 lines
3.0 KiB
Plaintext
74 lines
3.0 KiB
Plaintext
Git v2.43.7 Release Notes
|
|
=========================
|
|
|
|
This release includes fixes for CVE-2025-27613, CVE-2025-27614,
|
|
CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and
|
|
CVE-2025-48386.
|
|
|
|
Fixes since v2.43.6
|
|
-------------------
|
|
|
|
* CVE-2025-27613, Gitk:
|
|
|
|
When a user clones an untrusted repository and runs Gitk without
|
|
additional command arguments, any writable file can be created and
|
|
truncated. The option "Support per-file encoding" must have been
|
|
enabled. The operation "Show origin of this line" is affected as
|
|
well, regardless of the option being enabled or not.
|
|
|
|
* CVE-2025-27614, Gitk:
|
|
|
|
A Git repository can be crafted in such a way that a user who has
|
|
cloned the repository can be tricked into running any script
|
|
supplied by the attacker by invoking `gitk filename`, where
|
|
`filename` has a particular structure.
|
|
|
|
* CVE-2025-46334, Git GUI (Windows only):
|
|
|
|
A malicious repository can ship versions of sh.exe or typical
|
|
textconv filter programs such as astextplain. On Windows, path
|
|
lookup can find such executables in the worktree. These programs
|
|
are invoked when the user selects "Git Bash" or "Browse Files" from
|
|
the menu.
|
|
|
|
* CVE-2025-46835, Git GUI:
|
|
|
|
When a user clones an untrusted repository and is tricked into
|
|
editing a file located in a maliciously named directory in the
|
|
repository, then Git GUI can create and overwrite any writable
|
|
file.
|
|
|
|
* CVE-2025-48384, Git:
|
|
|
|
When reading a config value, Git strips any trailing carriage
|
|
return and line feed (CRLF). When writing a config entry, values
|
|
with a trailing CR are not quoted, causing the CR to be lost when
|
|
the config is later read. When initializing a submodule, if the
|
|
submodule path contains a trailing CR, the altered path is read
|
|
resulting in the submodule being checked out to an incorrect
|
|
location. If a symlink exists that points the altered path to the
|
|
submodule hooks directory, and the submodule contains an executable
|
|
post-checkout hook, the script may be unintentionally executed
|
|
after checkout.
|
|
|
|
* CVE-2025-48385, Git:
|
|
|
|
When cloning a repository Git knows to optionally fetch a bundle
|
|
advertised by the remote server, which allows the server-side to
|
|
offload parts of the clone to a CDN. The Git client does not
|
|
perform sufficient validation of the advertised bundles, which
|
|
allows the remote side to perform protocol injection.
|
|
|
|
This protocol injection can cause the client to write the fetched
|
|
bundle to a location controlled by the adversary. The fetched
|
|
content is fully controlled by the server, which can in the worst
|
|
case lead to arbitrary code execution.
|
|
|
|
* CVE-2025-48386, Git:
|
|
|
|
The wincred credential helper uses a static buffer (`target`) as a
|
|
unique key for storing and comparing against internal storage. This
|
|
credential helper does not properly bounds check the available
|
|
space remaining in the buffer before appending to it with
|
|
`wcsncat()`, leading to potential buffer overflows.
|