admin/git
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'js/fix-open-exec'

Browse Source 
This addresses CVE-2025-46835, Git GUI can create and overwrite a
user's files:

When a user clones an untrusted repository and is tricked into editing
a file located in a maliciously named directory in the repository, then
Git GUI can create and overwrite files for which the user has write
permission.

Signed-off-by: Johannes Sixt <j6t@kdbg.org>
This commit is contained in:
Johannes Sixt
2025-05-20 08:56:09 +02:00
committed by Taylor Blau
parent a7d1716fa6 a437f5bc93
commit 311d9ada3a
20 changed files with 217 additions and 233 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
git-gui/lib/tools.tcl
View File

@@ -130,8 +130,7 @@ proc tools_exec {fullname} {
}
proc tools_run_silent {cmd after} {
lappend cmd 2>@1
set fd [_open_stdout_stderr $cmd]
set fd [safe_open_command $cmd [list 2>@1]]
fconfigure $fd -blocking 0 -translation binary
fileevent $fd readable [list tools_consume_input $fd $after]