admin/git
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'ah/fix-open-with-stdin'

Browse Source 
This addresses CVE-2025-27614, Arbitrary command execution with Gitk:

A Git repository can be crafted in such a way that with some social
engineering a user who has cloned the repository can be tricked into
running any script (e.g., Bourne shell, Perl, Python, ...) supplied by
the attacker by invoking `gitk filename`, where `filename` has a
particular structure. The script is run with the privileges of the user.

Signed-off-by: Johannes Sixt <j6t@kdbg.org>
This commit is contained in:
Johannes Sixt
2025-05-14 18:27:05 +02:00
committed by Taylor Blau
parent 664d4fa692 8e3070aa5e
commit 4e7e3b792e
1 changed files with 3 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
gitk-git/gitk
View File

@@ -353,16 +353,6 @@ proc parseviewrevs {view revs} {
return $ret return $ret
} }
# Escapes a list of filter paths to be passed to git log via stdin. Note that
# paths must not be quoted.
proc escape_filter_paths {paths} {
set escaped [list]
foreach path $paths {
lappend escaped [string map {\\ \\\\ "\ " "\\\ "} $path]
}
return $escaped
}
# Start off a git log process and arrange to read its output # Start off a git log process and arrange to read its output
proc start_rev_list {view} { proc start_rev_list {view} {
global startmsecs commitidx viewcomplete curview global startmsecs commitidx viewcomplete curview
@@ -424,8 +414,7 @@ proc start_rev_list {view} {
if {[catch { if {[catch {
set fd [open [concat | git log --no-color -z --pretty=raw $show_notes \ set fd [open [concat | git log --no-color -z --pretty=raw $show_notes \
--parents --boundary $args --stdin \ --parents --boundary $args --stdin \
"<<[join [concat $revs "--" \ [list "<<[join [concat $revs "--" $files] "\n"]"]] r]
[escape_filter_paths $files]] "\\n"]"] r]
} err]} { } err]} {
error_popup "[mc "Error executing git log:"] $err" error_popup "[mc "Error executing git log:"] $err"
return 0 return 0
@@ -578,9 +567,7 @@ proc updatecommits {} {
if {[catch { if {[catch {
set fd [open [concat | git log --no-color -z --pretty=raw $show_notes \ set fd [open [concat | git log --no-color -z --pretty=raw $show_notes \
--parents --boundary $args --stdin \ --parents --boundary $args --stdin \
"<<[join [concat $revs "--" \ [list "<<[join [concat $revs "--" $vfilelimit($view)] "\n"]"]] r]
[escape_filter_paths \
$vfilelimit($view)]] "\\n"]"] r]
} err]} { } err]} {
error_popup "[mc "Error executing git log:"] $err" error_popup "[mc "Error executing git log:"] $err"
return return
@@ -10258,7 +10245,7 @@ proc getallcommits {} {
if {$ids eq "--all"} { if {$ids eq "--all"} {
set cmd [concat $cmd "--all"] set cmd [concat $cmd "--all"]
} else { } else {
set cmd [concat $cmd --stdin "<<[join $ids "\\n"]"] set cmd [concat $cmd --stdin [list "<<[join $ids "\n"]"]]
} }
set fd [open $cmd r] set fd [open $cmd r]
fconfigure $fd -blocking 0 fconfigure $fd -blocking 0