[ubuntu/questing-proposed] git 1:2.50.0-1ubuntu3 (Accepted)

Hlib Korzhynskyy hlib.korzhynskyy at canonical.com
Tue Jul 8 19:04:15 UTC 2025


git (1:2.50.0-1ubuntu3) questing; urgency=medium

  * SECURITY UPDATE: Code execution and file manipulation when cloning
    malicious repositories.
    - debian/patches/CVE-2025-27613.patch: Add argument sanitizing and replace
      command instances with safe versions in gitk-git/gitk.
    - debian/patches/CVE-2025-27614.patch: Remove escape_filter_paths and wrap
      concat instances with list in gitk-git/gitk.
    - CVE-2025-27613
    - CVE-2025-27614
  * SECURITY UPDATE: File overwrite when editing a file in a malicious
    directory in an untrusted repository.
    - debian/patches/CVE-2025-46835-pre1.patch: Remove Windows-specific code
      in git-gui/git-gui.sh.
    - debian/patches/CVE-2025-46835.patch: Add argument sanitizing, replace
      command instances with safe versions, and wrap instances with list in
      git-gui/git-gui.sh and other files in git-gui directory.
    - CVE-2025-46835
  * SECURITY UPDATE: Unintentional script execution due to improperly stripped
    carriage return.
    - debian/patches/CVE-2025-48384.patch: Add carriage return checks in
      config.c.
    - CVE-2025-48384
  * SECURITY UPDATE: Protocol injection potentially leading to arbitrary code
    execution.
    - debian/patches/CVE-2025-48385.patch: Add URI and filename checks in
      bundle-uri.c.
    - CVE-2025-48385
  * SECURITY UPDATE: Buffer overflow.
    - debian/patches/CVE-2025-48386.patch: Add target_append function and
      change wcsncat calls to target_append in
      contrib/credential/wincred/git-credential-wincred.c.
    - CVE-2025-48386

Date: Tue, 08 Jul 2025 15:34:40 -0230
Changed-By: Hlib Korzhynskyy <hlib.korzhynskyy at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/git/1:2.50.0-1ubuntu3
-------------- next part --------------
Format: 1.8
Date: Tue, 08 Jul 2025 15:34:40 -0230
Source: git
Built-For-Profiles: noudeb
Architecture: source
Version: 1:2.50.0-1ubuntu3
Distribution: questing
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Hlib Korzhynskyy <hlib.korzhynskyy at canonical.com>
Original-Maintainer: Jonathan Nieder <jrnieder at gmail.com>

