From: Johannes Schindelin
Date: Fri, 12 Apr 2024 22:28:19 +0000 (+0200)
Subject: Merge branch 'ownership-checks-in-local-clones'
X-Git-Tag: v2.39.4~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e65df5eab274bf74c7b570107aacd1303a1e703;p=thirdparty%2Fgit.git

Merge branch 'ownership-checks-in-local-clones'

This topic addresses two CVEs:

- CVE-2024-32020:

  Local clones may end up hardlinking files into the target repository's
  object database when source and target repository reside on the same
  disk. If the source repository is owned by a different user, then
  those hardlinked files may be rewritten at any point in time by the
  untrusted user.

- CVE-2024-32021:

  When cloning a local source repository that contains symlinks via the
  filesystem, Git may create hardlinks to arbitrary user-readable files
  on the same filesystem as the target repository in the objects/
  directory.

Signed-off-by: Johannes Schindelin
---

9e65df5eab274bf74c7b570107aacd1303a1e703
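
An audit that follows from the two CVE descriptions above, as an added example that is not part of the commit or of Git's code: it walks a repository's objects/ directory and flags symlinks, files whose inode is shared through a hardlink, and entries not owned by the trusted user. The function names, the `trusted_uid` parameter and the sample layout are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_object_store(objects_dir, trusted_uid=None):
    """Flag entries under objects_dir that another user could still influence."""
    trusted_uid = os.geteuid() if trusted_uid is None else trusted_uid
    findings = {}
    for root, dirs, files in os.walk(objects_dir):  # does not follow symlinked dirs
        for name in dirs + files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: inspect the entry itself, not its target
            reasons = []
            if stat.S_ISLNK(st.st_mode):
                reasons.append("symlink")
            elif stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                reasons.append("hardlinked")  # inode is shared with another path
            if st.st_uid != trusted_uid:
                reasons.append("foreign-owner")
            if reasons:
                findings[os.path.relpath(path, objects_dir)] = reasons
    return findings

def build_constructed_store(base):
    """Constructed sample layout: one private object, one hardlink, one symlink."""
    objects = os.path.join(base, "repo", ".git", "objects")
    for sub in ("ab", "cd", "ef"):
        os.makedirs(os.path.join(objects, sub))
    outside = os.path.join(base, "outside.txt")  # stands in for a file elsewhere on disk
    for path in (outside, os.path.join(objects, "ab", "private")):
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
    os.link(outside, os.path.join(objects, "cd", "shared"))
    os.symlink(outside, os.path.join(objects, "ef", "pointer"))
    return objects

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        report = audit_object_store(build_constructed_store(base))
        for rel, reasons in sorted(report.items()):
            print(f"{rel}: {', '.join(reasons)}")
```

A hardlinked object is expected after a local clone of your own repository; it needs attention when the other path to the inode belongs to someone else. `git clone --no-hardlinks` copies objects instead of linking them.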