Documentation/RelNotes/2.43.7.adoc at reftables-rust

Git fork
git / Documentation / RelNotes / 2.43.7.adoc
at reftables-rust 73 lines 3.0 kB view raw
wrap content
 1Git v2.43.7 Release Notes
 2=========================
 3
 4This release includes fixes for CVE-2025-27613, CVE-2025-27614,
 5CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and
 6CVE-2025-48386.
 7
 8Fixes since v2.43.6
 9-------------------
10
11 * CVE-2025-27613, Gitk:
12
13   When a user clones an untrusted repository and runs Gitk without
14   additional command arguments, any writable file can be created and
15   truncated. The option "Support per-file encoding" must have been
16   enabled. The operation "Show origin of this line" is affected as
17   well, regardless of the option being enabled or not.
18
19 * CVE-2025-27614, Gitk:
20
21   A Git repository can be crafted in such a way that a user who has
22   cloned the repository can be tricked into running any script
23   supplied by the attacker by invoking `gitk filename`, where
24   `filename` has a particular structure.
25
26 * CVE-2025-46334, Git GUI (Windows only):
27
28   A malicious repository can ship versions of sh.exe or typical
29   textconv filter programs such as astextplain. On Windows, path
30   lookup can find such executables in the worktree. These programs
31   are invoked when the user selects "Git Bash" or "Browse Files" from
32   the menu.
33
34 * CVE-2025-46835, Git GUI:
35
36   When a user clones an untrusted repository and is tricked into
37   editing a file located in a maliciously named directory in the
38   repository, then Git GUI can create and overwrite any writable
39   file.
40
41 * CVE-2025-48384, Git:
42
43   When reading a config value, Git strips any trailing carriage
44   return and line feed (CRLF). When writing a config entry, values
45   with a trailing CR are not quoted, causing the CR to be lost when
46   the config is later read.  When initializing a submodule, if the
47   submodule path contains a trailing CR, the altered path is read
48   resulting in the submodule being checked out to an incorrect
49   location. If a symlink exists that points the altered path to the
50   submodule hooks directory, and the submodule contains an executable
51   post-checkout hook, the script may be unintentionally executed
52   after checkout.
53
54 * CVE-2025-48385, Git:
55
56   When cloning a repository Git knows to optionally fetch a bundle
57   advertised by the remote server, which allows the server-side to
58   offload parts of the clone to a CDN. The Git client does not
59   perform sufficient validation of the advertised bundles, which
60   allows the remote side to perform protocol injection.
61
62   This protocol injection can cause the client to write the fetched
63   bundle to a location controlled by the adversary. The fetched
64   content is fully controlled by the server, which can in the worst
65   case lead to arbitrary code execution.
66
67 * CVE-2025-48386, Git:
68
69   The wincred credential helper uses a static buffer (`target`) as a
70   unique key for storing and comparing against internal storage. This
71   credential helper does not properly bounds check the available
72   space remaining in the buffer before appending to it with
73   `wcsncat()`, leading to potential buffer overflows.