]> git.ipfire.org Git - thirdparty/git.git/commitdiff
projects / thirdparty / git.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | combined (merge: 27fbab4 a1ccd25)
Merge branch 'ml/replace-auto-execok'
authorJohannes Sixt <j6t@kdbg.org>
Tue, 20 May 2025 06:54:24 +0000 (08:54 +0200)
committerTaylor Blau <me@ttaylorr.com>
Fri, 23 May 2025 21:04:30 +0000 (17:04 -0400)
This addresses CVE-2025-46334, Git GUI malicious command injection on
Windows.

A malicious repository can ship versions of sh.exe or typical textconv
filter programs such as astextplain.  Due to the unfortunate design of
Tcl on Windows, the search path when looking for an executable always
includes the current directory.  The mentioned programs are invoked when
the user selects "Git Bash" or "Browse Files" from the menu.

Signed-off-by: Johannes Sixt <j6t@kdbg.org>
1  2 
git-gui/git-gui.sh patch | diff1 | diff2 | blob | history
git-gui/lib/shortcut.tcl patch | diff1 | diff2 | blob | history
git-gui/lib/sshkey.tcl patch | diff1 | diff2 | blob | history
git-gui/lib/tools.tcl patch | diff1 | diff2 | blob | history

diff --cc git-gui/git-gui.sh
Simple merge
diff --cc git-gui/lib/shortcut.tcl
Simple merge
diff --cc git-gui/lib/sshkey.tcl
Simple merge
diff --cc git-gui/lib/tools.tcl
Simple merge
Unnamed repository; edit this file 'description' to name the repository.