From: Johannes Sixt <j6t@kdbg.org>
Date: Wed, 14 May 2025 16:27:05 +0000 (+0200)
Subject: Merge branch 'ah/fix-open-with-stdin'
X-Git-Tag: v2.43.7~4^2~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e7e3b792e6973e09de6ddc191b86bbc245c53dd;p=thirdparty%2Fgit.git

Merge branch 'ah/fix-open-with-stdin'

This addresses CVE-2025-27614, Arbitrary command execution with Gitk:

A Git repository can be crafted in such a way that with some social
engineering a user who has cloned the repository can be tricked into
running any script (e.g., Bourne shell, Perl, Python, ...) supplied by
the attacker by invoking `gitk filename`, where `filename` has a
particular structure. The script is run with the privileges of the user.

Signed-off-by: Johannes Sixt <j6t@kdbg.org>
---

4e7e3b792e6973e09de6ddc191b86bbc245c53dd