* [ANNOUNCE] Git v2.50.1 and friends
@ 2025-07-08 16:59 Junio C Hamano
0 siblings, 0 replies; 3+ messages in thread
From: Junio C Hamano @ 2025-07-08 16:59 UTC (permalink / raw)
To: git; +Cc: Linux Kernel, git-packagers
A maintenance release Git v2.50.1 and others for older maintenance
tracks down to maint-2.43 are now available at the usual places.
This is a set of coordinated security fix releases. Please update
at your earliest convenience.
The tarballs are found at:
https://www.kernel.org/pub/software/scm/git/
The following public repositories all have a copy of the v2.43.7,
v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1 and v2.50.1
tags:
url = https://git.kernel.org/pub/scm/git/git
url = https://kernel.googlesource.com/pub/scm/git/git
url = git://repo.or.cz/alt-git.git
url = https://github.com/gitster/git
----------------------------------------------------------------
Git v2.50.1 Release Notes
=========================
This release merges up the fixes that appear in v2.43.7, v2.44.4,
v2.45.4, v2.46.4, v2.47.3, v2.48.2, and v2.49.1 to address the
following CVEs: CVE-2025-27613, CVE-2025-27614, CVE-2025-46334,
CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and
CVE-2025-48386. See the release notes for v2.43.7 for details.
----------------------------------------------------------------
Git v2.43.7 Release Notes
=========================
This release includes fixes for CVE-2025-27613, CVE-2025-27614,
CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and
CVE-2025-48386.
Fixes since v2.43.6
-------------------
* CVE-2025-27613, Gitk:
When a user clones an untrusted repository and runs Gitk without
additional command arguments, any writable file can be created and
truncated. The option "Support per-file encoding" must have been
enabled. The operation "Show origin of this line" is affected as
well, regardless of the option being enabled or not.
* CVE-2025-27614, Gitk:
A Git repository can be crafted in such a way that a user who has
cloned the repository can be tricked into running any script
supplied by the attacker by invoking `gitk filename`, where
`filename` has a particular structure.
* CVE-2025-46334, Git GUI (Windows only):
A malicious repository can ship versions of sh.exe or typical
textconv filter programs such as astextplain. On Windows, path
lookup can find such executables in the worktree. These programs
are invoked when the user selects "Git Bash" or "Browse Files" from
the menu.
* CVE-2025-46835, Git GUI:
When a user clones an untrusted repository and is tricked into
editing a file located in a maliciously named directory in the
repository, then Git GUI can create and overwrite any writable
file.
* CVE-2025-48384, Git:
When reading a config value, Git strips any trailing carriage
return and line feed (CRLF). When writing a config entry, values
with a trailing CR are not quoted, causing the CR to be lost when
the config is later read. When initializing a submodule, if the
submodule path contains a trailing CR, the altered path is read
resulting in the submodule being checked out to an incorrect
location. If a symlink exists that points the altered path to the
submodule hooks directory, and the submodule contains an executable
post-checkout hook, the script may be unintentionally executed
after checkout.
* CVE-2025-48385, Git:
When cloning a repository Git knows to optionally fetch a bundle
advertised by the remote server, which allows the server-side to
offload parts of the clone to a CDN. The Git client does not
perform sufficient validation of the advertised bundles, which
allows the remote side to perform protocol injection.
This protocol injection can cause the client to write the fetched
bundle to a location controlled by the adversary. The fetched
content is fully controlled by the server, which can in the worst
case lead to arbitrary code execution.
* CVE-2025-48386, Git:
The wincred credential helper uses a static buffer (`target`) as a
unique key for storing and comparing against internal storage. This
credential helper does not properly bounds check the available
space remaining in the buffer before appending to it with
`wcsncat()`, leading to potential buffer overflows.
----------------------------------------------------------------
Changes since v2.50.0 are as follows:
Avi Halachmi (:avih) (1):
gitk: encode arguments correctly with "open"
Johannes Sixt (27):
gitk: treat file names beginning with "|" as relative paths
gitk: have callers of diffcmd supply pipe symbol when necessary
gitk: sanitize 'exec' arguments: simple cases
gitk: sanitize 'exec' arguments: 'eval exec'
gitk: sanitize 'exec' arguments: redirections
gitk: sanitize 'exec' arguments: redirections and background
gitk: sanitize 'exec' arguments: redirect to process
gitk: sanitize 'open' arguments: simple commands
gitk: sanitize 'open' arguments: simple commands with redirections
gitk: sanitize 'open' arguments: simple commands, readable and writable
gitk: collect construction of blameargs into a single conditional
gitk: sanitize 'open' arguments: command pipeline
git-gui: remove special treatment of Windows from open_cmd_pipe
git-gui: remove git config --list handling for git < 1.5.3
git-gui: treat file names beginning with "|" as relative paths
git-gui: sanitize 'exec' arguments: simple cases
git-gui: sanitize 'exec' arguments: background
git-gui: remove option --stderr from git_read
git-gui: break out a separate function git_read_nice
git-gui: use git_read in githook_read
gitk: sanitize 'open' arguments: revisit recently updated 'open' calls
git-gui: convert git_read*, git_write to be non-variadic
git-gui: pass redirections as separate argument to _open_stdout_stderr
git-gui: pass redirections as separate argument to git_read
git-gui: introduce function git_redir for git calls with redirections
git-gui: do not mistake command arguments as redirection operators
git-gui: sanitize 'exec' arguments: convert new 'cygpath' calls
Junio C Hamano (2):
Git 2.49.1
Git 2.50.1
Justin Tobler (1):
config: quote values containing CR character
Mark Levedahl (13):
git-gui: _which, only add .exe suffix if not present
git-gui: use [is_Windows], not bad _shellpath
git-gui: make _shellpath usable on startup
git-gui: remove Tcl 8.4 workaround on 2>@1 redirection
git-gui: use only the configured shell
git-gui: remove HEAD detachment implementation for git < 1.5.3
git-gui: remove unused proc is_shellscript
git-gui: avoid auto_execok for git-bash menu item
git-gui: avoid auto_execok in do_windows_shortcut
git-gui: cleanup git-bash menu item
git-gui: assure PATH has only absolute elements.
git-gui: sanitize $PATH on all platforms
git-gui: override exec and open only on Windows
Patrick Steinhardt' via Git Security (1):
bundle-uri: fix arbitrary file writes via parameter injection
Taylor Blau (7):
wincred: avoid buffer overflow in wcsncat()
Git 2.43.7
Git 2.44.4
Git 2.45.4
Git 2.46.4
Git 2.47.3
Git 2.48.2
^ permalink raw reply [flat|nested] 3+ messages in thread
* [ANNOUNCE] Git v2.50.1 and friends
@ 2025-07-08 17:01 Junio C Hamano
2025-07-08 20:28 ` Todd Zullinger
0 siblings, 1 reply; 3+ messages in thread
From: Junio C Hamano @ 2025-07-08 17:01 UTC (permalink / raw)
To: git; +Cc: Linux Kernel, git-packagers
A maintenance release Git v2.50.1 and others for older maintenance
tracks down to maint-2.43 are now available at the usual places.
This is a set of coordinated security fix releases. Please update
at your earliest convenience.
The tarballs are found at:
https://www.kernel.org/pub/software/scm/git/
The following public repositories all have a copy of the v2.43.7,
v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1 and v2.50.1
tags:
url = https://git.kernel.org/pub/scm/git/git
url = https://kernel.googlesource.com/pub/scm/git/git
url = git://repo.or.cz/alt-git.git
url = https://github.com/gitster/git
----------------------------------------------------------------
Git v2.50.1 Release Notes
=========================
This release merges up the fixes that appear in v2.43.7, v2.44.4,
v2.45.4, v2.46.4, v2.47.3, v2.48.2, and v2.49.1 to address the
following CVEs: CVE-2025-27613, CVE-2025-27614, CVE-2025-46334,
CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and
CVE-2025-48386. See the release notes for v2.43.7 for details.
----------------------------------------------------------------
Git v2.43.7 Release Notes
=========================
This release includes fixes for CVE-2025-27613, CVE-2025-27614,
CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and
CVE-2025-48386.
Fixes since v2.43.6
-------------------
* CVE-2025-27613, Gitk:
When a user clones an untrusted repository and runs Gitk without
additional command arguments, any writable file can be created and
truncated. The option "Support per-file encoding" must have been
enabled. The operation "Show origin of this line" is affected as
well, regardless of the option being enabled or not.
* CVE-2025-27614, Gitk:
A Git repository can be crafted in such a way that a user who has
cloned the repository can be tricked into running any script
supplied by the attacker by invoking `gitk filename`, where
`filename` has a particular structure.
* CVE-2025-46334, Git GUI (Windows only):
A malicious repository can ship versions of sh.exe or typical
textconv filter programs such as astextplain. On Windows, path
lookup can find such executables in the worktree. These programs
are invoked when the user selects "Git Bash" or "Browse Files" from
the menu.
* CVE-2025-46835, Git GUI:
When a user clones an untrusted repository and is tricked into
editing a file located in a maliciously named directory in the
repository, then Git GUI can create and overwrite any writable
file.
* CVE-2025-48384, Git:
When reading a config value, Git strips any trailing carriage
return and line feed (CRLF). When writing a config entry, values
with a trailing CR are not quoted, causing the CR to be lost when
the config is later read. When initializing a submodule, if the
submodule path contains a trailing CR, the altered path is read
resulting in the submodule being checked out to an incorrect
location. If a symlink exists that points the altered path to the
submodule hooks directory, and the submodule contains an executable
post-checkout hook, the script may be unintentionally executed
after checkout.
* CVE-2025-48385, Git:
When cloning a repository Git knows to optionally fetch a bundle
advertised by the remote server, which allows the server-side to
offload parts of the clone to a CDN. The Git client does not
perform sufficient validation of the advertised bundles, which
allows the remote side to perform protocol injection.
This protocol injection can cause the client to write the fetched
bundle to a location controlled by the adversary. The fetched
content is fully controlled by the server, which can in the worst
case lead to arbitrary code execution.
* CVE-2025-48386, Git:
The wincred credential helper uses a static buffer (`target`) as a
unique key for storing and comparing against internal storage. This
credential helper does not properly bounds check the available
space remaining in the buffer before appending to it with
`wcsncat()`, leading to potential buffer overflows.
----------------------------------------------------------------
Changes since v2.50.0 are as follows:
Avi Halachmi (:avih) (1):
gitk: encode arguments correctly with "open"
Johannes Sixt (27):
gitk: treat file names beginning with "|" as relative paths
gitk: have callers of diffcmd supply pipe symbol when necessary
gitk: sanitize 'exec' arguments: simple cases
gitk: sanitize 'exec' arguments: 'eval exec'
gitk: sanitize 'exec' arguments: redirections
gitk: sanitize 'exec' arguments: redirections and background
gitk: sanitize 'exec' arguments: redirect to process
gitk: sanitize 'open' arguments: simple commands
gitk: sanitize 'open' arguments: simple commands with redirections
gitk: sanitize 'open' arguments: simple commands, readable and writable
gitk: collect construction of blameargs into a single conditional
gitk: sanitize 'open' arguments: command pipeline
git-gui: remove special treatment of Windows from open_cmd_pipe
git-gui: remove git config --list handling for git < 1.5.3
git-gui: treat file names beginning with "|" as relative paths
git-gui: sanitize 'exec' arguments: simple cases
git-gui: sanitize 'exec' arguments: background
git-gui: remove option --stderr from git_read
git-gui: break out a separate function git_read_nice
git-gui: use git_read in githook_read
gitk: sanitize 'open' arguments: revisit recently updated 'open' calls
git-gui: convert git_read*, git_write to be non-variadic
git-gui: pass redirections as separate argument to _open_stdout_stderr
git-gui: pass redirections as separate argument to git_read
git-gui: introduce function git_redir for git calls with redirections
git-gui: do not mistake command arguments as redirection operators
git-gui: sanitize 'exec' arguments: convert new 'cygpath' calls
Junio C Hamano (2):
Git 2.49.1
Git 2.50.1
Justin Tobler (1):
config: quote values containing CR character
Mark Levedahl (13):
git-gui: _which, only add .exe suffix if not present
git-gui: use [is_Windows], not bad _shellpath
git-gui: make _shellpath usable on startup
git-gui: remove Tcl 8.4 workaround on 2>@1 redirection
git-gui: use only the configured shell
git-gui: remove HEAD detachment implementation for git < 1.5.3
git-gui: remove unused proc is_shellscript
git-gui: avoid auto_execok for git-bash menu item
git-gui: avoid auto_execok in do_windows_shortcut
git-gui: cleanup git-bash menu item
git-gui: assure PATH has only absolute elements.
git-gui: sanitize $PATH on all platforms
git-gui: override exec and open only on Windows
Patrick Steinhardt' via Git Security (1):
bundle-uri: fix arbitrary file writes via parameter injection
Taylor Blau (7):
wincred: avoid buffer overflow in wcsncat()
Git 2.43.7
Git 2.44.4
Git 2.45.4
Git 2.46.4
Git 2.47.3
Git 2.48.2
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [ANNOUNCE] Git v2.50.1 and friends
2025-07-08 17:01 [ANNOUNCE] Git v2.50.1 and friends Junio C Hamano
@ 2025-07-08 20:28 ` Todd Zullinger
0 siblings, 0 replies; 3+ messages in thread
From: Todd Zullinger @ 2025-07-08 20:28 UTC (permalink / raw)
To: Junio C Hamano; +Cc: Justin Tobler, git, Linux Kernel, git-packagers
Junio C Hamano wrote:
> A maintenance release Git v2.50.1 and others for older maintenance
> tracks down to maint-2.43 are now available at the usual places.
I was building v2.45.4 on an older system and two tests
failed:
t1300.237 writing value with trailing CR not stripped on read
t7450.50 submodule must not checkout into different directory
These both look like they use new git config syntax (get,
set, unset) which is not available in the older releases.
I haven't done enough digging to determine when the syntax
changed to prepare a proper patch, but I thought I'd mention
it, in case anyone else runs into a similar issue or is
highly motivated to work up a patch against which ever older
releases need it.
The fix looks something like this, I believe:
-- >8 --
diff --git i/t/t1300-config.sh w/t/t1300-config.sh
index 00f34c5a01..3ed4a0b1ce 100755
--- i/t/t1300-config.sh
+++ w/t/t1300-config.sh
@@ -2743,8 +2743,8 @@ test_expect_success 'writing value with trailing CR not stripped on read' '
printf "bar\r\n" >expect &&
git init cr-test &&
- git -C cr-test config set core.foo $(printf "bar\r") &&
- git -C cr-test config get core.foo >actual &&
+ git -C cr-test config core.foo $(printf "bar\r") &&
+ git -C cr-test config --get core.foo >actual &&
test_cmp expect actual
'
diff --git i/t/t7450-bad-git-dotfiles.sh w/t/t7450-bad-git-dotfiles.sh
index ff63c05652..38b9db85cd 100755
--- i/t/t7450-bad-git-dotfiles.sh
+++ w/t/t7450-bad-git-dotfiles.sh
@@ -388,10 +388,10 @@ test_expect_success SYMLINKS,!WINDOWS,!MINGW 'submodule must not checkout into d
git -C repo mv sub $(printf "sub\r") &&
# Ensure config values containing CR are wrapped in quotes.
- git config unset -f repo/.gitmodules submodule.sub.path &&
+ git config --unset -f repo/.gitmodules submodule.sub.path &&
printf "\tpath = \"sub\r\"\n" >>repo/.gitmodules &&
- git config unset -f repo/.git/modules/sub/config core.worktree &&
+ git config --unset -f repo/.git/modules/sub/config core.worktree &&
{
printf "[core]\n" &&
printf "\tworktree = \"../../../sub\r\"\n"
--
Todd
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-07-08 20:28 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-07-08 17:01 [ANNOUNCE] Git v2.50.1 and friends Junio C Hamano
2025-07-08 20:28 ` Todd Zullinger
-- strict thread matches above, loose matches on Subject: below --
2025-07-08 16:59 Junio C Hamano
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).