XPost: linux.debian.devel.release
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:git
User: [email protected]
Usertags: pu
* New upstream release.
- CVE-2025-27613: gitk: file creation/truncation after cloning untrusted repository
- CVE-2025-27614: gitk: user can be tricked into running any script after cloning untrusted repository
- CVE-2025-46835: git-gui: file creation/overwriting after cloning untrusted repository
- CVE-2025-48384: script execution after cloning untrusted repository
- CVE-2025-48385: protocol injection when fetching
- Closes: #1108983
The only other changes in the new release are fixes for
two Windows-only CVEs.
diffstat for git-2.47.2 git-2.47.3
Documentation/RelNotes/2.43.7.txt | 73
Documentation/RelNotes/2.44.4.txt | 7
Documentation/RelNotes/2.45.4.txt | 7
Documentation/RelNotes/2.46.4.txt | 7
Documentation/RelNotes/2.47.3.txt | 8
GIT-VERSION-GEN | 2
RelNotes | 37
bundle-uri.c | 22
config.c | 2
configure | 2086 +++++++++++---------
contrib/credential/wincred/git-credential-wincred.c | 22
debian/changelog | 17
git-gui/git-gui.sh | 510 ++--
git-gui/lib/blame.tcl | 12
git-gui/lib/branch.tcl | 6
git-gui/lib/browser.tcl | 2
git-gui/lib/checkout_op.tcl | 25
git-gui/lib/choose_repository.tcl | 23
git-gui/lib/choose_rev.tcl | 8
git-gui/lib/commit.tcl | 14
git-gui/lib/console.tcl | 5
git-gui/lib/database.tcl | 2
git-gui/lib/diff.tcl | 12
git-gui/lib/index.tcl | 8
git-gui/lib/merge.tcl | 6
git-gui/lib/mergetool.tcl | 8
git-gui/lib/remote.tcl | 8
git-gui/lib/remote_branch_delete.tcl | 2
git-gui/lib/shortcut.tcl | 14
git-gui/lib/sshkey.tcl | 7
git-gui/lib/tools.tcl | 7
git-gui/lib/win32.tcl | 9
git-gui/version | 2
gitk-git/gitk | 278 +-
t/t1300-config.sh | 11
t/t5558-clone-bundle-uri.sh | 23
t/t7450-bad-git-dotfiles.sh | 33
version | 2
38 files changed, 1989 insertions(+), 1338 deletions(-)
diff -Nru git-2.47.2/bundle-uri.c git-2.47.3/bundle-uri.c
--- git-2.47.2/bundle-uri.c 2025-01-14 00:17:08.000000000 +0200
+++ git-2.47.3/bundle-uri.c 2025-06-14 01:20:03.000000000 +0300
@@ -296,6 +296,28 @@
struct strbuf line = STRBUF_INIT;
int found_get = 0;
+ /*
+ * The protocol we speak with git-remote-https(1) uses a space to
+ * separate between URI and file, so the URI itself must not contain a + * space. If it did, an adversary could change the location where the
+ * downloaded file is being written to.
+ *
+ * Similarly, we use newlines to separate commands from one another.
+ * Consequently, neither the URI nor the file must contain a newline or + * otherwise an adversary could inject arbitrary commands.
+ *
+ * TODO: Restricting newlines in the target paths may break valid
+ * usecases, even if those are a bit more on the esoteric side.
+ * If this ever becomes a problem we should probably think about + * alternatives. One alternative could be to use NUL-delimited
+ * requests in git-remote-htt
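Review bot: the new comment at the top of this hunk restricts spaces in the URI only, but newlines in both the URI and the target file, and its TODO concedes that rejecting newlines in target paths may break valid if esoteric use cases; since the hunk as shown stops inside that comment, please confirm that the code following it rejects both the space-in-URI and newline-in-URI-or-file cases with an explicit error rather than silently skipping the bundle, and that the 23-line change to t/t5558-clone-bundle-uri.sh in the diffstat exercises both cases.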