mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-30 12:29:55 +00:00
Code Issues Projects Releases Wiki Activity

git: fix CVE-2025-48384

Browse Source 
Git is a fast, scalable, distributed revision control system with an
unusually rich command set that provides both high-level operations
and full access to internals. When reading a config value, Git strips
any trailing carriage return and line feed (CRLF). When writing a
config entry, values with a trailing CR are not quoted, causing the CR
to be lost when the config is later read. When initializing a
submodule, if the submodule path contains a trailing CR, the altered
path is read resulting in the submodule being checked out to an
incorrect location. If a symlink exists that points the altered path
to the submodule hooks directory, and the submodule contains an
executable post-checkout hook, the script may be unintentionally
executed after checkout. This vulnerability is fixed in v2.43.7,
v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-48384

Upstream-patch:
https://github.com/git/git/commit/05e9cd64ee23bbadcea6bcffd6660ed02b8eab89

(From OE-Core rev: 34cb9674a5ce337a75af0dc415706d0323c427a6)

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Praveen Kumar
2025-09-01 12:58:38 +05:30
committed by Steve Sakoman
parent 7e420c5834
commit e271e3cf36
2 changed files with 86 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-devtools/git/git/CVE-2025-48384.patch
+85
View File
@@ -0,0 +1,85 @@
From 05e9cd64ee23bbadcea6bcffd6660ed02b8eab89 Mon Sep 17 00:00:00 2001
From: Justin Tobler <jltobler@gmail.com>
Date: Mon, 19 May 2025 21:26:04 -0500
Subject: [PATCH] config: quote values containing CR character
When reading the config, values that contain a trailing CRLF are
stripped. If the value itself has a trailing CR, the normal LF that
follows results in the CR being unintentionally stripped. This may lead
to unintended behavior due to the config value written being different
when it gets read.
One such issue involves a repository with a submodule path containing a
trailing CR. When the submodule gets initialized, the submodule is
cloned without being checked out and has "core.worktree" set to the
submodule path. The git-checkout(1) that gets spawned later reads the
"core.worktree" config value, but without the trailing CR, and
consequently attempts to checkout to a different path than intended.
If the repository contains a matching path that is a symlink, it is
possible for the submodule repository to be checked out in arbitrary
locations. This is extra bad when the symlink points to the submodule
hooks directory and the submodule repository contains an executable
"post-checkout" hook. Once the submodule repository checkout completes,
the "post-checkout" hook immediately executes.
To prevent mismatched config state due to misinterpreting a trailing CR,
wrap config values containing CR in double quotes when writing the
entry. This ensures a trailing CR is always separated for an LF and thus
prevented from getting stripped.
Note that this problem cannot be addressed by just quoting each CR with
"\r". The reading side of the config interprets only a few backslash
escapes, and "\r" is not among them. This fix is sufficient though
because it only affects the CR at the end of a line and any literal CR
in the interior is already preserved.
Co-authored-by: David Leadbeater <dgl@dgl.cx>
Signed-off-by: Justin Tobler <jltobler@gmail.com>
Signed-off-by: Taylor Blau <me@ttaylorr.com>
CVE: CVE-2025-48384
Upstream-Status: Backport [https://github.com/git/git/commit/05e9cd64ee23bbadcea6bcffd6660ed02b8eab89]
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
config.c | 2 +-
t/t1300-config.sh | 10 ++++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/config.c b/config.c
index 6a01938..4fbff51 100644
--- a/config.c
+++ b/config.c
@@ -2756,7 +2756,7 @@ static ssize_t write_pair(int fd, const char *key, const char *value,
if (value[0] == ' ')
quote = "\"";
for (i = 0; value[i]; i++)
- if (value[i] == ';' || value[i] == '#')
+ if (value[i] == ';' || value[i] == '#' || value[i] == '\r')
quote = "\"";
if (i && value[i - 1] == ' ')
quote = "\"";
diff --git a/t/t1300-config.sh b/t/t1300-config.sh
index b07feb1..49f4971 100755
--- a/t/t1300-config.sh
+++ b/t/t1300-config.sh
@@ -2417,5 +2417,15 @@ test_expect_success '--get and --get-all with --fixed-value' '
git config --file=config --get-regexp --fixed-value fixed+ "$META" &&
test_must_fail git config --file=config --get-regexp --fixed-value fixed+ non-existent
'
+test_expect_success 'writing value with trailing CR not stripped on read' '
+ test_when_finished "rm -rf cr-test" &&
+
+ printf "bar\r\n" >expect &&
+ git init cr-test &&
+ git -C cr-test config set core.foo $(printf "bar\r") &&
+ git -C cr-test config get core.foo >actual &&
+
+ test_cmp expect actual
+'
test_done
--
2.40.0
meta/recipes-devtools/git/git_2.35.7.bb
+1
View File
@@ -27,6 +27,7 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
file://CVE-2024-50349-0002.patch \ file://CVE-2024-50349-0002.patch \
file://CVE-2024-52006.patch \ file://CVE-2024-52006.patch \
file://CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch \ file://CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch \
file://CVE-2025-48384.patch \
" "
S = "${WORKDIR}/git-${PV}" S = "${WORKDIR}/git-${PV}"