git.ipfire.org Git - thirdparty/git.git/commit
Merge branch 'ml/replace-auto-execok'
author Johannes Sixt <j6t@kdbg.org>
Tue, 20 May 2025 06:54:24 +0000 (08:54 +0200)
committer Taylor Blau <me@ttaylorr.com>
Fri, 23 May 2025 21:04:30 +0000 (17:04 -0400)
commit a7d1716fa648f6557ea9c91e0f04bae2e8738e6a
tree 64b5354ac410b05e589830d1722b294faec3966b
parent 27fbab4898620183e608865beffd960139c04d58
parent a1ccd2512072cf52835050f4c97a4fba9f0ec8f9
Merge branch 'ml/replace-auto-execok'

This addresses CVE-2025-46334, Git GUI malicious command injection on
Windows.

A malicious repository can ship versions of sh.exe or typical textconv
filter programs such as astextplain.  Due to the unfortunate design of
Tcl on Windows, the search path when looking for an executable always
includes the current directory.  The mentioned programs are invoked when
the user selects "Git Bash" or "Browse Files" from the menu.

Signed-off-by: Johannes Sixt <j6t@kdbg.org>
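An added illustration of the mitigation the commit message describes; this is not the code from this merge or from git-gui itself. It shows a Tcl lookup that consults only the absolute directories listed in PATH and deliberately skips the current directory, which is what `auto_execok` implicitly includes on Windows and what lets a checked-out `sh.exe` or `astextplain` shadow the real one. The proc name `safe_execok` and the fallback extension list are my own choices; PATH and PATHEXT handling follows the usual Windows conventions.

```tcl
# Resolve an executable by searching only the absolute directories listed in
# PATH, never the current working directory. Returns the normalized full path,
# or an empty string when nothing is found. (Illustrative helper, not git-gui's
# own implementation; the name safe_execok is an assumption.)
proc safe_execok {name} {
    global env tcl_platform

    set exts {""}
    if {$tcl_platform(platform) eq "windows"} {
        set sep ";"
        # PATHEXT lists the executable suffixes Windows will run; fall back to
        # the conventional set when it is not defined.
        if {[info exists env(PATHEXT)]} {
            set exts [concat $exts [split [string tolower $env(PATHEXT)] ";"]]
        } else {
            set exts {"" .com .exe .bat .cmd}
        }
    } else {
        set sep ":"
    }

    # A name that already carries a directory part is accepted only when it is
    # absolute; a relative one such as "tools/sh.exe" would resolve against the
    # current directory, i.e. against whatever the repository shipped.
    if {[file dirname $name] ne "."} {
        if {[file pathtype $name] eq "absolute" && [file executable $name]} {
            return [file normalize $name]
        }
        return {}
    }

    foreach dir [split $env(PATH) $sep] {
        # Empty entries and "." both mean "current directory": skip them, and
        # skip any other relative entry for the same reason.
        if {$dir eq "" || $dir eq "."} continue
        if {[file pathtype $dir] ne "absolute"} continue
        foreach ext $exts {
            set candidate [file join $dir $name$ext]
            if {[file isfile $candidate] && [file executable $candidate]} {
                return [file normalize $candidate]
            }
        }
    }
    return {}
}

# Usage: callers check for an empty result instead of falling through to a
# lookup that might pick up a same-named file in the working tree.
set sh [safe_execok sh]
if {$sh eq ""} {
    puts stderr "sh not found on PATH; refusing to search the current directory"
} else {
    puts "would run: $sh"
}
```

The design point is the explicit rejection of relative PATH entries and relative names: the bug class the commit message describes is not a missing check on one program but a lookup routine whose search order silently trusts the directory the user happened to open, so the fix belongs in the resolver that every caller shares.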
git-gui/git-gui.sh
git-gui/lib/shortcut.tcl
git-gui/lib/sshkey.tcl
git-gui/lib/tools.tcl