
git: 2.47.1 -> 2.47.2 #373801

Merged (1 commit, Jan 17, 2025)

Conversation

@LeSuisse (Contributor) commented Jan 14, 2025

Fixes CVE-2024-50349 and CVE-2024-52006

https://raw.githubusercontent.com/git/git/v2.47.2/Documentation/RelNotes/2.47.2.txt

    - CVE-2024-50349:

      Printing unsanitized URLs when asking for credentials makes the user
      susceptible to crafted URLs (e.g. in recursive clones). These URLs
      can mislead the user into typing in passwords for trusted sites that
      would then be sent to untrusted sites instead.

      A potential scenario of how this can be exploited is a recursive
      clone where one of the submodules prompts for a password, pretending
      to ask for a different host than the password will be sent to.

    - CVE-2024-52006:

      Git may pass on Carriage Returns via the credential protocol to
      credential helpers which use line-reading functions that interpret
      Carriage Returns as line endings, even though this is not what was
      intended (but Git’s documentation did not clarify that "newline"
      meant "Line Feed character").

      This affected the popular .NET-based Git Credential Manager, which
      has been updated accordingly in coordination with the Git project.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.
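The two weaknesses quoted from the release notes above, as an added illustration that is not Git's, Git Credential Manager's or nixpkgs' code. Python stands in for Git's C and the helper's .NET; the function names, the hosts `evil.example` and `github.com`, the two constructed URLs, and the percent-escaping used in the hardened prompt are assumptions of this example, not a description of how the 2.47.2 fix is implemented. The first half mimics the shape of Git's terminal prompt (`Password for 'https://user@host': `) and shows how a percent-encoded newline in the userinfo of a crafted URL forges a prompt line naming a trusted host; the second half mimics the `key=value` helper protocol and shows that a helper whose line reader treats CR as a line ending sees an attacker-controlled `host=` line that overrides the real one, while an LF-only reader does not, and that refusing to forward values containing line breaks closes the gap on the sending side.

```python
"""Constructed illustration of CVE-2024-50349 and CVE-2024-52006 (not Git's code).

Mimicked in Python:
  * the terminal prompt "Password for '<url>': ", built from the decoded URL;
  * the helper protocol: "key=value" lines, LF-terminated, ended by an empty line.
"""
import re
from urllib.parse import quote, unquote, urlsplit


def credential_from_url(url):
    """Reduce a URL to the fields handed to a credential helper (hypothetical).

    The userinfo part is percent-decoded, which is how control characters in an
    attacker-supplied URL (e.g. a submodule URL) reach the prompt and the helper.
    """
    p = urlsplit(url)
    cred = {"protocol": p.scheme, "host": p.hostname}
    if p.username is not None:
        cred["username"] = unquote(p.username)
    return cred


def describe(cred):
    """'protocol://user@host' as displayed in the prompt."""
    user = cred.get("username")
    at = f"{user}@" if user else ""
    return f"{cred['protocol']}://{at}{cred['host']}"


# --- CVE-2024-50349: unsanitized URL in the password prompt -----------------

def prompt_vulnerable(url):
    """Prompt text that prints the decoded URL verbatim."""
    return f"Password for '{describe(credential_from_url(url))}': "


def escape_control(s):
    """Percent-encode C0 control characters and DEL so a value cannot forge
    line breaks or terminal escape sequences in the displayed prompt."""
    return "".join(f"%{ord(c):02X}" if ord(c) < 0x20 or ord(c) == 0x7F else c
                   for c in s)


def prompt_hardened(url):
    """Same prompt, with the user-controlled component escaped first."""
    cred = credential_from_url(url)
    if "username" in cred:
        cred["username"] = escape_control(cred["username"])
    return f"Password for '{describe(cred)}': "


# --- CVE-2024-52006: carriage returns in the credential protocol ------------

def serialize(cred):
    """Git -> helper: one key=value per line, LF-terminated, then a blank line."""
    return "".join(f"{k}={v}\n" for k, v in cred.items()) + "\n"


def serialize_protected(cred):
    """Refuse to send a value containing CR, LF or NUL instead of forwarding it."""
    for k, v in cred.items():
        if v is not None and any(c in v for c in "\r\n\0"):
            raise ValueError(f"credential value for {k!r} contains a line break")
    return serialize(cred)


def _parse(lines):
    cred = {}
    for line in lines:
        if line == "":          # the empty line ends the request
            break
        key, _, value = line.partition("=")
        cred[key] = value       # a repeated key silently overrides the earlier one
    return cred


def parse_lf_only(stream):
    """Helper that splits on LF only, as the protocol intends."""
    return _parse(stream.split("\n"))


def parse_universal_newlines(stream):
    """Helper whose line reader accepts CR, LF or CRLF (.NET ReadLine style)."""
    return _parse(re.split(r"\r\n|\r|\n", stream))


# Constructed attacker URLs; the real host in both is evil.example.
FORGED_PROMPT_URL = "https://" + quote(
    "x\nPassword for 'https://github.com': ", safe="") + "@evil.example/repo.git"
CR_INJECTION_URL = "https://" + quote(
    "git\rhost=github.com", safe="") + "@evil.example/repo.git"

if __name__ == "__main__":
    print(repr(prompt_vulnerable(FORGED_PROMPT_URL)))   # second line names github.com
    print(repr(prompt_hardened(FORGED_PROMPT_URL)))     # one line, evil.example visible
    cred = credential_from_url(CR_INJECTION_URL)
    print(parse_lf_only(serialize(cred)))               # host stays evil.example
    print(parse_universal_newlines(serialize(cred)))    # host becomes github.com
```

In the CR case the attacker only controls the username, but because `host=` is written before `username=` in the request, the injected `host=github.com` line is the one a CR-splitting helper keeps, so it hands back the github.com credential and Git sends it to evil.example. Whether a given helper is affected depends entirely on its line reader, which is why the sending side must not rely on the helper and should reject such values itself.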

@LeSuisse added the labels "1.severity: security" (Issues which raise a security issue, or PRs that fix one) and "backport staging-24.11" (Backport PR automatically) on Jan 14, 2025

@LeSuisse mentioned this pull request on Jan 14, 2025

@SuperSandro2000 merged commit b39ee7a into NixOS:staging on Jan 17, 2025 (34 of 36 checks passed)
@nixpkgs-ci (bot) commented Jan 17, 2025

Successfully created backport PR for staging-24.11:

@LeSuisse deleted the git-2.47.2 branch on January 18, 2025 at 10:50