1
+
Git v2.43.7 Release Notes
2
+
=========================
3
+
4
+
This release includes fixes for CVE-2025-27613, CVE-2025-27614,
5
+
CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and
6
+
CVE-2025-48386.
7
+
8
+
Fixes since v2.43.6
9
+
-------------------
10
+
11
+
* CVE-2025-27613, Gitk:
12
+
13
+
When a user clones an untrusted repository and runs Gitk without
14
+
additional command arguments, any writable file can be created and
15
+
truncated. The option "Support per-file encoding" must have been
16
+
enabled. The operation "Show origin of this line" is affected as
17
+
well, regardless of the option being enabled or not.
18
+
19
+
* CVE-2025-27614, Gitk:
20
+
21
+
A Git repository can be crafted in such a way that a user who has
22
+
cloned the repository can be tricked into running any script
23
+
supplied by the attacker by invoking `gitk filename`, where
24
+
`filename` has a particular structure.
25
+
26
+
* CVE-2025-46334, Git GUI (Windows only):
27
+
28
+
A malicious repository can ship versions of sh.exe or typical
29
+
textconv filter programs such as astextplain. On Windows, path
30
+
lookup can find such executables in the worktree. These programs
31
+
are invoked when the user selects "Git Bash" or "Browse Files" from
32
+
the menu.
33
+
34
+
* CVE-2025-46835, Git GUI:
35
+
36
+
When a user clones an untrusted repository and is tricked into
37
+
editing a file located in a maliciously named directory in the
38
+
repository, then Git GUI can create and overwrite any writable
39
+
file.
40
+
41
+
* CVE-2025-48384, Git:
42
+
43
+
When reading a config value, Git strips any trailing carriage
44
+
return and line feed (CRLF). When writing a config entry, values
45
+
with a trailing CR are not quoted, causing the CR to be lost when
46
+
the config is later read. When initializing a submodule, if the
47
+
submodule path contains a trailing CR, the altered path is read
48
+
resulting in the submodule being checked out to an incorrect
49
+
location. If a symlink exists that points the altered path to the
50
+
submodule hooks directory, and the submodule contains an executable
51
+
post-checkout hook, the script may be unintentionally executed
52
+
after checkout.
53
+
54
+
* CVE-2025-48385, Git:
55
+
56
+
When cloning a repository Git knows to optionally fetch a bundle
57
+
advertised by the remote server, which allows the server-side to
58
+
offload parts of the clone to a CDN. The Git client does not
59
+
perform sufficient validation of the advertised bundles, which
60
+
allows the remote side to perform protocol injection.
61
+
62
+
This protocol injection can cause the client to write the fetched
63
+
bundle to a location controlled by the adversary. The fetched
64
+
content is fully controlled by the server, which can in the worst
65
+
case lead to arbitrary code execution.
66
+
67
+
* CVE-2025-48386, Git:
68
+
69
+
The wincred credential helper uses a static buffer (`target`) as a
70
+
unique key for storing and comparing against internal storage. This
71
+
credential helper does not properly bounds check the available
72
+
space remaining in the buffer before appending to it with
73
+
`wcsncat()`, leading to potential buffer overflows.
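Review bot: the CVE-2025-48386 entry is headed "Git:" although the wincred credential helper it describes is specific to Windows; consider marking it "(Windows only)" the way the CVE-2025-46334 entry does, so readers on other platforms can triage it at a glance. In the CVE-2025-27613 entry, the sentence 'The option "Support per-file encoding" must have been enabled' reads like an instruction rather than a precondition of the first scenario; something like 'This requires the option "Support per-file encoding" to be enabled' would be clearer. The entries also describe only the vulnerable behaviour, in the present tense, and none says what the fixed version does differently (for example, how a config value with a trailing CR is now written), which a reader deciding whether to upgrade would want.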