From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Subject: [Buildroot] [git commit branch/2022.02.x] package/git: security bump to version 2.31.2
Date: Sat, 21 May 2022 23:57:54 +0200 [thread overview]
Message-ID: <20220521214745.AB0C685DA7@busybox.osuosl.org> (raw)
commit: https://git.buildroot.net/buildroot/commit/?id=4059d9d67b17998add6970f729e0124b596e3207
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2022.02.x
Fixes the following security issue:
CVE-2022-24765:
On multi-user machines, Git users might find themselves unexpectedly in
a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended
for all users and another user created a repository in `/scratch/.git`.
Merely having a Git-aware prompt that runs `git status` (or `git diff`)
and navigating to a directory which is supposedly not a Git worktree, or
opening such a directory in an editor or IDE such as VS Code or Atom, will
potentially run commands defined by that other user via
`/scratch/.git/config`.
https://www.openwall.com/lists/oss-security/2022/04/12/7
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 832107c6dc4b42ff35b09bfa60dddb5537821161)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/git/git.hash | 2 +-
package/git/git.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/git/git.hash b/package/git/git.hash
index 1db29ac457..5868fbffda 100644
--- a/package/git/git.hash
+++ b/package/git/git.hash
@@ -1,5 +1,5 @@
# From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc
-sha256 9f61417a44d5b954a5012b6f34e526a3336dcf5dd720e2bb7ada92ad8b3d6680 git-2.31.1.tar.xz
+sha256 d9167d801cf4aa2abca6e8f43d5d1b383e02e4d257ac1dc071802bb773ed0e2a git-2.31.2.tar.xz
# Locally calculated
sha256 5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e COPYING
sha256 1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a LGPL-2.1
diff --git a/package/git/git.mk b/package/git/git.mk
index 90b1acd6a4..0127ba5129 100644
--- a/package/git/git.mk
+++ b/package/git/git.mk
@@ -4,7 +4,7 @@
#
################################################################################
-GIT_VERSION = 2.31.1
+GIT_VERSION = 2.31.2
GIT_SOURCE = git-$(GIT_VERSION).tar.xz
GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git
GIT_LICENSE = GPL-2.0, LGPL-2.1+
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
reply other threads:[~2022-05-21 21:59 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220521214745.AB0C685DA7@busybox.osuosl.org \
--to=peter@korsgaard.com \
--cc=buildroot@buildroot.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.