git: upgrade 2.37.3 -> 2.38.1

mirror of https://git.yoctoproject.org/poky synced 2026-05-08 17:19:20 +00:00

Fixes CVE-2022-39260

Git v2.38.1 Release Notes
=========================

This release merges the security fix that appears in v2.30.6; see
the release notes for that version for details.

Excerpt from 2.30.6 release notes:

 * CVE-2022-39260:
   An overly-long command string given to `git shell` can result in
   overflow in `split_cmdline()`, leading to arbitrary heap writes and
   remote code execution when `git shell` is exposed and the directory
   `$HOME/git-shell-commands` exists.

   `git shell` is taught to refuse interactive commands that are
   longer than 4MiB in size. `split_cmdline()` is hardened to reject
   inputs larger than 2GiB.

Credit for finding CVE-2022-39260 goes to Kevin Backhouse of GitHub.
The fix was authored by Kevin Backhouse, Jeff King, and Taylor Blau.

For 2.38.0 changes, see:
https://github.com/git/git/blob/master/Documentation/RelNotes/2.38.0.txt

(From OE-Core rev: b304768711374066db320fe87960be81f54a8424)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

This commit is contained in:

Tim Orling

2022-10-24 10:07:20 -07:00

committed by

Richard Purdie

parent 262f44fd28

commit 6100383cc4

1 changed files with 1 additions and 1 deletions

									
										meta/recipes-devtools/git/git_2.37.3.bb → meta/recipes-devtools/git/git_2.38.1.bb
									
		+1
		-1
	
												View File
												
				@@ -165,4 +165,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \

				                 "

				EXTRA_OEMAKE += "NO_GETTEXT=1"

				SRC_URI[tarball.sha256sum] = "181f65587155ea48c682f63135678ec53055adf1532428752912d356e46b64a8"

				SRC_URI[tarball.sha256sum] = "620ed3df572a34e782a2be4c7d958d443469b2665eac4ae33f27da554d88b270"