package/git: security bump to version 2.31.2

Message ID 20220413124253.2481210-1-peter@korsgaard.com
State Accepted

Commit Message

Peter Korsgaard April 13, 2022, 12:42 p.m. UTC
Fixes the following security issue:

 CVE-2022-24765:
  On multi-user machines, Git users might find themselves unexpectedly in
  a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended
  for all users and another user created a repository in `/scratch/.git`.
  Merely having a Git-aware prompt that runs `git status` (or `git diff`)
  and navigating to a directory which is supposedly not a Git worktree, or
  opening such a directory in an editor or IDE such as VS Code or Atom, will
  potentially run commands defined by that other user via
  `/scratch/.git/config`.

https://www.openwall.com/lists/oss-security/2022/04/12/7

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/git/git.hash | 2 +-
 package/git/git.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
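
The situation the commit message describes, a `.git` in a parent directory that belongs to someone else, can be checked for directly. The following is an added example, not part of the patch, Buildroot or Git; the function name, the `ceiling` parameter and the directory layout built in `demo()` are assumptions made for illustration.

```python
import os
import tempfile


def foreign_git_ancestors(start, uid=None, ceiling=None):
    """Walk from `start` towards the filesystem root and return
    (path, owner_uid) for every `.git` entry not owned by `uid`.

    `uid` defaults to the current user; `ceiling` (hypothetical parameter)
    stops the walk at that directory, inclusive.
    """
    if uid is None:
        uid = os.getuid()
    current = os.path.realpath(start)
    ceiling = os.path.realpath(ceiling) if ceiling else None
    findings = []
    while True:
        candidate = os.path.join(current, ".git")
        try:
            # lstat: .git may be a directory, a gitfile, or a symlink
            owner = os.lstat(candidate).st_uid
        except OSError:
            owner = None  # no .git at this level
        if owner is not None and owner != uid:
            findings.append((candidate, owner))
        parent = os.path.dirname(current)
        if parent == current or current == ceiling:
            return findings
        current = parent


def demo():
    """Constructed layout: <scratch>/.git exists, the user works in
    <scratch>/alice/project, which has no repository of its own."""
    with tempfile.TemporaryDirectory() as tmp:
        scratch = os.path.realpath(tmp)
        os.mkdir(os.path.join(scratch, ".git"))
        workdir = os.path.join(scratch, "alice", "project")
        os.makedirs(workdir)
        me = os.getuid()
        # Checked as the owner of <scratch>/.git: nothing to report.
        as_owner = foreign_git_ancestors(workdir, uid=me, ceiling=scratch)
        # Checked as a different uid, standing in for "another user created it".
        as_other = foreign_git_ancestors(workdir, uid=me + 1, ceiling=scratch)
        return as_owner, [os.path.relpath(p, scratch) for p, _ in as_other]


if __name__ == "__main__":
    for path, owner in foreign_git_ancestors(os.getcwd()):
        print(f"{path} is owned by uid {owner}, not by you")
```

Run from a shared directory, the script lists each `.git` above the current location that another account owns.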

Comments

Peter Korsgaard April 14, 2022, 8:11 p.m. UTC | #1
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 >  CVE-2022-24765:
 >   On multi-user machines, Git users might find themselves unexpectedly in
 >   a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended
 >   for all users and another user created a repository in `/scratch/.git`.
 >   Merely having a Git-aware prompt that runs `git status` (or `git diff`)
 >   and navigating to a directory which is supposedly not a Git worktree, or
 >   opening such a directory in an editor or IDE such as VS Code or Atom, will
 >   potentially run commands defined by that other user via
 >   `/scratch/.git/config`.

 > https://www.openwall.com/lists/oss-security/2022/04/12/7

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

Peter Korsgaard May 21, 2022, 9:58 p.m. UTC | #2
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 >  CVE-2022-24765:
 >   On multi-user machines, Git users might find themselves unexpectedly in
 >   a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended
 >   for all users and another user created a repository in `/scratch/.git`.
 >   Merely having a Git-aware prompt that runs `git status` (or `git diff`)
 >   and navigating to a directory which is supposedly not a Git worktree, or
 >   opening such a directory in an editor or IDE such as VS Code or Atom, will
 >   potentially run commands defined by that other user via
 >   `/scratch/.git/config`.

 > https://www.openwall.com/lists/oss-security/2022/04/12/7

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2022.02.x, thanks.

> ---
 >  package/git/git.hash | 2 +-
 >  package/git/git.mk   | 2 +-
 >  2 files changed, 2 insertions(+), 2 deletions(-)

 > diff --git a/package/git/git.hash b/package/git/git.hash
 > index 1db29ac457..5868fbffda 100644
 > --- a/package/git/git.hash
 > +++ b/package/git/git.hash
 > @@ -1,5 +1,5 @@
 >  # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc
 > -sha256  9f61417a44d5b954a5012b6f34e526a3336dcf5dd720e2bb7ada92ad8b3d6680  git-2.31.1.tar.xz
 > +sha256  d9167d801cf4aa2abca6e8f43d5d1b383e02e4d257ac1dc071802bb773ed0e2a  git-2.31.2.tar.xz
 >  # Locally calculated
 >  sha256  5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e  COPYING
 >  sha256  1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a  LGPL-2.1
 > diff --git a/package/git/git.mk b/package/git/git.mk
 > index 90b1acd6a4..0127ba5129 100644
 > --- a/package/git/git.mk
 > +++ b/package/git/git.mk
 > @@ -4,7 +4,7 @@
 >  #
 >  ################################################################################
 
 > -GIT_VERSION = 2.31.1
 > +GIT_VERSION = 2.31.2
 >  GIT_SOURCE = git-$(GIT_VERSION).tar.xz
 >  GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git
 >  GIT_LICENSE = GPL-2.0, LGPL-2.1+
 > -- 

 > 2.30.2
Patch

diff --git a/package/git/git.hash b/package/git/git.hash
index 1db29ac457..5868fbffda 100644
--- a/package/git/git.hash
+++ b/package/git/git.hash
@@ -1,5 +1,5 @@ 
 # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc
-sha256  9f61417a44d5b954a5012b6f34e526a3336dcf5dd720e2bb7ada92ad8b3d6680  git-2.31.1.tar.xz
+sha256  d9167d801cf4aa2abca6e8f43d5d1b383e02e4d257ac1dc071802bb773ed0e2a  git-2.31.2.tar.xz
 # Locally calculated
 sha256  5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e  COPYING
 sha256  1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a  LGPL-2.1
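Review bot: the new git-2.31.2.tar.xz hash sits under the comment "# From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc", but neither the hunk nor the commit message records that the signature on that .asc file was checked before the value was copied. For a security bump it is worth saying so in the commit message, since this line is what the build checks the downloaded tarball against. The COPYING and LGPL-2.1 hashes are unchanged, which is what one expects from a point release.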
diff --git a/package/git/git.mk b/package/git/git.mk
index 90b1acd6a4..0127ba5129 100644
--- a/package/git/git.mk
+++ b/package/git/git.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-GIT_VERSION = 2.31.1
+GIT_VERSION = 2.31.2
 GIT_SOURCE = git-$(GIT_VERSION).tar.xz
 GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git
 GIT_LICENSE = GPL-2.0, LGPL-2.1+
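Review bot: the GIT_VERSION change to 2.31.2 is the whole fix, yet the commit message only quotes the CVE-2022-24765 description and does not say whether the new release changes behaviour for existing users of the package. A sentence on that, or a pointer to the release notes next to the oss-security link, would help anyone deciding whether to backport. The rest is consistent: GIT_SOURCE is derived from GIT_VERSION, so it resolves to the git-2.31.2.tar.xz name that the git.hash hunk lists.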