| 1 | +Git v2.43.7 Release Notes |
| 2 | +========================= |
| 3 | + |
| 4 | +This release includes fixes for CVE-2025-27613, CVE-2025-27614, |
| 5 | +CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and |
| 6 | +CVE-2025-48386. |
| 7 | + |
| 8 | +Fixes since v2.43.6 |
| 9 | +------------------- |
| 10 | + |
| 11 | + * CVE-2025-27613, Gitk: |
| 12 | + |
| 13 | + When a user clones an untrusted repository and runs Gitk without |
| 14 | + additional command arguments, any writable file can be created and |
| 15 | + truncated. The option "Support per-file encoding" must have been |
| 16 | + enabled. The operation "Show origin of this line" is affected as |
| 17 | + well, regardless of the option being enabled or not. |
| 18 | + |
| 19 | + * CVE-2025-27614, Gitk: |
| 20 | + |
| 21 | + A Git repository can be crafted in such a way that a user who has |
| 22 | + cloned the repository can be tricked into running any script |
| 23 | + supplied by the attacker by invoking `gitk filename`, where |
| 24 | + `filename` has a particular structure. |
| 25 | + |
| 26 | + * CVE-2025-46334, Git GUI (Windows only): |
| 27 | + |
| 28 | + A malicious repository can ship versions of sh.exe or typical |
| 29 | + textconv filter programs such as astextplain. On Windows, path |
| 30 | + lookup can find such executables in the worktree. These programs |
| 31 | + are invoked when the user selects "Git Bash" or "Browse Files" from |
| 32 | + the menu. |
| 33 | + |
| 34 | + * CVE-2025-46835, Git GUI: |
| 35 | + |
| 36 | + When a user clones an untrusted repository and is tricked into |
| 37 | + editing a file located in a maliciously named directory in the |
| 38 | + repository, then Git GUI can create and overwrite any writable |
| 39 | + file. |
| 40 | + |
| 41 | + * CVE-2025-48384, Git: |
| 42 | + |
| 43 | + When reading a config value, Git strips any trailing carriage |
| 44 | + return and line feed (CRLF). When writing a config entry, values |
| 45 | + with a trailing CR are not quoted, causing the CR to be lost when |
| 46 | + the config is later read. When initializing a submodule, if the |
| 47 | + submodule path contains a trailing CR, the altered path is read |
| 48 | + resulting in the submodule being checked out to an incorrect |
| 49 | + location. If a symlink exists that points the altered path to the |
| 50 | + submodule hooks directory, and the submodule contains an executable |
| 51 | + post-checkout hook, the script may be unintentionally executed |
| 52 | + after checkout. |
| 53 | + |
| 54 | + * CVE-2025-48385, Git: |
| 55 | + |
| 56 | + When cloning a repository Git knows to optionally fetch a bundle |
| 57 | + advertised by the remote server, which allows the server-side to |
| 58 | + offload parts of the clone to a CDN. The Git client does not |
| 59 | + perform sufficient validation of the advertised bundles, which |
| 60 | + allows the remote side to perform protocol injection. |
| 61 | + |
| 62 | + This protocol injection can cause the client to write the fetched |
| 63 | + bundle to a location controlled by the adversary. The fetched |
| 64 | + content is fully controlled by the server, which can in the worst |
| 65 | + case lead to arbitrary code execution. |
| 66 | + |
| 67 | + * CVE-2025-48386, Git: |
| 68 | + |
| 69 | + The wincred credential helper uses a static buffer (`target`) as a |
| 70 | + unique key for storing and comparing against internal storage. This |
| 71 | + credential helper does not properly bounds check the available |
| 72 | + space remaining in the buffer before appending to it with |
| 73 | + `wcsncat()`, leading to potential buffer overflows. |
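Review bot: every entry in this hunk, from the CVE-2025-27613 bullet through the CVE-2025-48386 bullet, describes the vulnerability but says nothing about what the fix changes, so a reader of these notes cannot tell what behaviour differs in v2.43.7 or whether an existing setup (a config value with a trailing CR, a submodule path with a trailing CR, a clone that relied on server-advertised bundles, a wincred store with long target strings) will now be handled differently; a one-line statement of the corrective behaviour per entry, or at least a pointer to the advisory for each CVE, would make the notes actionable for people deciding how urgently to upgrade. Minor: in the CVE-2025-48385 bullet, "When cloning a repository Git knows to optionally fetch a bundle" needs a comma after "repository", and "the server-side" used as a noun should read "the server side".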