CVE-2024-52005 status?

CVE-2024-52005 status?

[Thomas Klausner]

Hi!

I'm trying to find out more details about CVE-2024-52005 so I can
handle it correctly in pkgsrc.

https://nvd.nist.gov/vuln/detail/CVE-2024-52005

points to

https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329

which lists many affected versions, but no fixed versions.  I only
found one reference to the CVE in the release announcement for 'Git
for Windows' 2.47.1(2):

https://groups.google.com/g/git-packagers/c/ZWDc6K6tYcc/m/VxikezMeCgAJ

The CVE description sounds like this also might affect non-Windows Git
versions. Can someone please tell me if this was fixed, and in which
version?

Thanks,
 Thomas

(Please cc me, I'm not subscribed.)

Re: CVE-2024-52005 status?

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 1249 bytes --]

On 2025-11-02 at 00:48:53, Thomas Klausner wrote:
> Hi!
> 
> I'm trying to find out more details about CVE-2024-52005 so I can
> handle it correctly in pkgsrc.
> 
> https://nvd.nist.gov/vuln/detail/CVE-2024-52005
> 
> points to
> 
> https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
> 
> which lists many affected versions, but no fixed versions.  I only
> found one reference to the CVE in the release announcement for 'Git
> for Windows' 2.47.1(2):
> 
> https://groups.google.com/g/git-packagers/c/ZWDc6K6tYcc/m/VxikezMeCgAJ
> 
> The CVE description sounds like this also might affect non-Windows Git
> versions. Can someone please tell me if this was fixed, and in which
> version?

We determined this was not a vulnerability.  The Git for Windows
maintainer disagreed and listed it as one nevertheless.

The problem is that on some terminal emulators, including at least some
of the ones available on Windows, you can execute arbitrary binaries by
creating a hyperlink via terminal codes and having someone click on it.
That is, however, a bug in the terminal emulator and not in Git, since
clicking a URL should not lead to code execution.
-- 
brian m. carlson (they/them)
Toronto, Ontario, CA

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

RE: CVE-2024-52005 status?

[rsbecker]

On November 2, 2025 10:58 AM, brian m. carlson wrote:
>On 2025-11-02 at 00:48:53, Thomas Klausner wrote:
>> Hi!
>>
>> I'm trying to find out more details about CVE-2024-52005 so I can
>> handle it correctly in pkgsrc.
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2024-52005
>>
>> points to
>>
>> https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
>>
>> which lists many affected versions, but no fixed versions.  I only
>> found one reference to the CVE in the release announcement for 'Git
>> for Windows' 2.47.1(2):
>>
>> https://groups.google.com/g/git-packagers/c/ZWDc6K6tYcc/m/VxikezMeCgAJ
>>
>> The CVE description sounds like this also might affect non-Windows Git
>> versions. Can someone please tell me if this was fixed, and in which
>> version?
>
>We determined this was not a vulnerability.  The Git for Windows maintainer
>disagreed and listed it as one nevertheless.
>
>The problem is that on some terminal emulators, including at least some of the ones
>available on Windows, you can execute arbitrary binaries by creating a hyperlink via
>terminal codes and having someone click on it.
>That is, however, a bug in the terminal emulator and not in Git, since clicking a URL
>should not lead to code execution.

If the code that dumps messages like this is localized, perhaps we can run a filter that
removes any non-printable characters (like \ESC) that could trigger this. It might be
switchable in some variable like core.filterUnprintableCharacters=true to opt-in to
prevent this. However, some emulators might just see a URL and treat it like a link,
so I don't know.