From: Peter Korsgaard <peter@korsgaard.com>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Matt Weber <matthew.weber@collins.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/git: security bump to version 2.31.5
Date: Fri, 02 Dec 2022 19:45:28 +0100 [thread overview]
Message-ID: <874judablj.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <20221126131310.51007-1-fontaine.fabrice@gmail.com> (Fabrice Fontaine's message of "Sat, 26 Nov 2022 14:13:10 +0100")
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Fixes:
> * CVE-2022-39253:
> When relying on the `--local` clone optimization, Git dereferences
> symbolic links in the source repository before creating hardlinks
> (or copies) of the dereferenced link in the destination repository.
> This can lead to surprising behavior where arbitrary files are
> present in a repository's `$GIT_DIR` when cloning from a malicious
> repository.
> Git will no longer dereference symbolic links via the `--local`
> clone mechanism, and will instead refuse to clone repositories that
> have symbolic links present in the `$GIT_DIR/objects` directory.
> Additionally, the value of `protocol.file.allow` is changed to be
> "user" by default.
> * CVE-2022-39260:
> An overly-long command string given to `git shell` can result in
> overflow in `split_cmdline()`, leading to arbitrary heap writes and
> remote code execution when `git shell` is exposed and the directory
> `$HOME/git-shell-commands` exists.
> `git shell` is taught to refuse interactive commands that are
> longer than 4MiB in size. `split_cmdline()` is hardened to reject
> inputs larger than 2GiB.
> https://github.com/git/git/blob/v2.31.5/Documentation/RelNotes/2.31.5.txt
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2022-12-02 18:45 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-26 13:13 [Buildroot] [PATCH 1/1] package/git: security bump to version 2.31.5 Fabrice Fontaine
2022-12-02 18:45 ` Peter Korsgaard [this message]
2022-12-07 13:34 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874judablj.fsf@dell.be.48ers.dk \
--to=peter@korsgaard.com \
--cc=buildroot@buildroot.org \
--cc=fontaine.fabrice@gmail.com \
--cc=matthew.weber@collins.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox