From: <rsbecker@nexbridge.com>
To: "'brian m. carlson'" <sandals@crustytoothpaste.net>,
"'Thomas Klausner'" <wiz@gatalith.at>
Cc: <git@vger.kernel.org>
Subject: RE: CVE-2024-52005 status?
Date: Sun, 2 Nov 2025 11:19:37 -0500
Message-ID: <01a101dc4c14$7f8f8000$7eae8000$@nexbridge.com>
In-Reply-To: <aQd_iisOrwX909Fr@fruit.crustytoothpaste.net>
On November 2, 2025 10:58 AM, brian m. carlson wrote:
>On 2025-11-02 at 00:48:53, Thomas Klausner wrote:
>> Hi!
>>
>> I'm trying to find out more details about CVE-2024-52005 so I can
>> handle it correctly in pkgsrc.
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2024-52005
>>
>> points to
>>
>> https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
>>
>> which lists many affected versions, but no fixed versions. I only
>> found one reference to the CVE in the release announcement for 'Git
>> for Windows' 2.47.1(2):
>>
>> https://groups.google.com/g/git-packagers/c/ZWDc6K6tYcc/m/VxikezMeCgAJ
>>
>> The CVE description sounds like this also might affect non-Windows Git
>> versions. Can someone please tell me if this was fixed, and in which
>> version?
>
>We determined this was not a vulnerability. The Git for Windows maintainer
>disagreed and listed it as one nevertheless.
>
>The problem is that on some terminal emulators, including at least some of the ones
>available on Windows, you can execute arbitrary binaries by creating a hyperlink via
>terminal codes and having someone click on it.
>That is, however, a bug in the terminal emulator and not in Git, since clicking a URL
>should not lead to code execution.
If the code that dumps messages like this is localized, perhaps we can run a filter that
removes any non-printable characters (like \ESC) that could trigger this. It might be
switchable in some variable like core.filterUnprintableCharacters=true to opt-in to
prevent this. However, some emulators might just see a URL and treat it like a link,
so I don't know.
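As an added illustration of the filter floated in the message above (example code, not git's own; the function names, the buffer sizes and the constructed commit message are assumptions), here is a byte-wise sanitizer in C. It drops ESC and the other C0 controls, DEL, and UTF-8-encoded C1 controls such as U+009D (the 8-bit OSC introducer that some emulators accept in place of ESC ]), while keeping tab and newline so the message layout survives, and it pairs that with a detector for OSC 8 hyperlink sequences so a caller can check its own output. Gating it behind an opt-in such as the core.filterUnprintableCharacters variable suggested above is left out.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not git code. Copy `in` to `out`, dropping every byte that
 * can start or carry a terminal control sequence: C0 controls other than
 * tab and newline, DEL, and the two-byte UTF-8 encodings of the C1 range
 * U+0080..U+009F (0xC2 0x80..0x9F). Other multibyte UTF-8 passes through.
 * Returns the length the output would have (snprintf style), so calling
 * with outlen == 0 sizes the buffer; `out` is NUL-terminated when outlen > 0.
 */
size_t strip_unprintable(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '\t' || c == '\n') {
            /* keep layout characters */
        } else if (c < 0x20 || c == 0x7f) {
            continue;                       /* C0 control or DEL */
        } else if (c == 0xC2 && i + 1 < inlen &&
                   (unsigned char)in[i + 1] >= 0x80 &&
                   (unsigned char)in[i + 1] <= 0x9F) {
            i++;                            /* UTF-8 encoded C1 control: drop both bytes */
            continue;
        }
        if (o + 1 < outlen)
            out[o] = (char)c;
        o++;
    }
    if (outlen)
        out[o < outlen ? o : outlen - 1] = '\0';
    return o;
}

/* Return 1 if the buffer contains an OSC 8 hyperlink introducer (7-bit ESC ] 8 ;
 * or 8-bit U+009D 8 ;), 0 otherwise. Used here to check the sanitizer's output. */
int has_osc_hyperlink(const char *s, size_t len)
{
    for (size_t i = 0; i + 3 < len; i++) {
        unsigned char c0 = (unsigned char)s[i], c1 = (unsigned char)s[i + 1];
        if (c0 == 0x1b && c1 == ']' && s[i + 2] == '8' && s[i + 3] == ';')
            return 1;
        if (c0 == 0xC2 && c1 == 0x9D && s[i + 2] == '8' && s[i + 3] == ';')
            return 1;
    }
    return 0;
}

/* Constructed commit message carrying an OSC 8 hyperlink to a local file
 * (hypothetical path), and the text that should reach the terminal instead. */
static const char EVIL_MSG[] =
    "Fix build\n"
    "\x1b]8;;file:///path/to/binary\x1b\\click me\x1b]8;;\x1b\\\n";
static const char CLEAN_MSG[] =
    "Fix build\n"
    "]8;;file:///path/to/binary\\click me]8;;\\\n";

/* Same payload using the 8-bit OSC introducer encoded as UTF-8 (0xC2 0x9D). */
static const char C1_MSG[] = "x\xC2\x9D" "8;;y";
static const char C1_CLEAN[] = "x8;;y";

/* Sanitize `in` and report whether the result equals `expected` byte for byte. */
int sanitize_check(const char *in, size_t inlen, const char *expected)
{
    char buf[256];
    size_t n = strip_unprintable(in, inlen, buf, sizeof buf);
    return n < sizeof buf && n == strlen(expected) && memcmp(buf, expected, n) == 0;
}

int main(void)
{
    char buf[256];
    size_t n = strip_unprintable(EVIL_MSG, sizeof(EVIL_MSG) - 1, buf, sizeof buf);
    printf("hyperlink before: %d, after: %d\n",
           has_osc_hyperlink(EVIL_MSG, sizeof(EVIL_MSG) - 1),
           has_osc_hyperlink(buf, n));
    fwrite(buf, 1, n, stdout);      /* safe to echo: no ESC or C1 bytes remain */
    return 0;
}
```

The residue "]8;;file:///path/to/binary" stays visible after filtering; that is deliberate, since the goal is only that no control sequence reaches the terminal. As the message above notes, an emulator that auto-links any bare URL in plain text is unaffected by this filter, so stripping controls closes the OSC 8 injection path but not URL auto-detection.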
Thread overview:
2025-11-02 0:48 CVE-2024-52005 status? Thomas Klausner
2025-11-02 15:58 ` brian m. carlson
2025-11-02 16:19 ` rsbecker [this message]