git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit

author	Praveen Kumar <praveen.kumar@windriver.com>
	Mon, 1 Sep 2025 07:28:38 +0000 (12:58 +0530)
committer	Steve Sakoman <steve@sakoman.com>
	Tue, 2 Sep 2025 16:19:51 +0000 (09:19 -0700)
commit	34cb9674a5ce337a75af0dc415706d0323c427a6
tree	fc0e34c6fb4e0cdc88bcba9c9268d43d824e3f64	tree \| snapshot
parent	1ced84bbd4ab15f0f16176e367744b496a0ea97c	commit \| diff

git: fix CVE-2025-48384

Git is a fast, scalable, distributed revision control system with an
unusually rich command set that provides both high-level operations
and full access to internals. When reading a config value, Git strips
any trailing carriage return and line feed (CRLF). When writing a
config entry, values with a trailing CR are not quoted, causing the CR
to be lost when the config is later read. When initializing a
submodule, if the submodule path contains a trailing CR, the altered
path is read resulting in the submodule being checked out to an
incorrect location. If a symlink exists that points the altered path
to the submodule hooks directory, and the submodule contains an
executable post-checkout hook, the script may be unintentionally
executed after checkout. This vulnerability is fixed in v2.43.7,
v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-48384

Upstream-patch:
https://github.com/git/git/commit/05e9cd64ee23bbadcea6bcffd6660ed02b8eab89

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

meta/recipes-devtools/git/git/CVE-2025-48384.patch	[new file with mode: 0644]	blob
meta/recipes-devtools/git/git_2.35.7.bb		diff \| blob \| blame \| history