• Bug#1108983: git: CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025

    From Salvatore Bonaccorso@21:1/5 to All on Tue Jul 8 22:20:01 2025
    Source: git
    Version: 1:2.50.0-1
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    The following vulnerabilities were published for git.

    CVE-2025-27613[0], CVE-2025-27614[1], CVE-2025-46835[2],
    CVE-2025-48384[3], CVE-2025-48385[4] and CVE-2025-48386[5].

    If you fix the vulnerabilities please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-27613
    https://www.cve.org/CVERecord?id=CVE-2025-27613
    [1] https://security-tracker.debian.org/tracker/CVE-2025-27614
    https://www.cve.org/CVERecord?id=CVE-2025-27614
    [2] https://security-tracker.debian.org/tracker/CVE-2025-46835
    https://www.cve.org/CVERecord?id=CVE-2025-46835
    [3] https://security-tracker.debian.org/tracker/CVE-2025-48384
    https://www.cve.org/CVERecord?id=CVE-2025-48384
    [4] https://security-tracker.debian.org/tracker/CVE-2025-48385
    https://www.cve.org/CVERecord?id=CVE-2025-48385
    [5] https://security-tracker.debian.org/tracker/CVE-2025-48386
    https://www.cve.org/CVERecord?id=CVE-2025-48386
    [6] https://lore.kernel.org/git/xmqq5xg2wrd1.fsf@gitster.g/

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Debian Bug Tracking System@21:1/5 to All on Wed Jul 30 01:10:02 2025
    Processing control commands:

    tags 1108983 + patch
    Bug #1108983 [src:git] git: CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 CVE-2025-48386
    Added tag(s) patch.
    tags 1108983 + pending
    Bug #1108983 [src:git] git: CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 CVE-2025-48386
    Added tag(s) pending.

    --
    1108983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Adrian Bunk@21:1/5 to All on Wed Jul 30 01:10:01 2025
    Control: tags 1108983 + patch
    Control: tags 1108983 + pending

    Dear maintainer,

    I've prepared an NMU for git (versioned as 1:2.50.1-0.1) and uploaded
    it to DELAYED/1. Please feel free to tell me if I should cancel it.

    cu
    Adrian

    diffstat for git-2.50.0 git-2.50.1

    Documentation/RelNotes/2.43.7.adoc | 73 ++
    Documentation/RelNotes/2.44.4.adoc | 7
    Documentation/RelNotes/2.45.4.adoc | 7
    Documentation/RelNotes/2.46.4.adoc | 7
    Documentation/RelNotes/2.47.3.adoc | 8
    Documentation/RelNotes/2.48.2.adoc | 8
    Documentation/RelNotes/2.49.1.adoc | 12
    Documentation/RelNotes/2.50.1.adoc | 8
    GIT-VERSION-GEN | 2
    RelNotes | 447 -----------------
    bundle-uri.c | 22
    config.c | 2
    configure | 18
    contrib/credential/wincred/git-credential-wincred.c | 22
    debian/changelog | 17
    git-gui/git-gui.sh | 510 ++++++++++----------
    git-gui/lib/blame.tcl | 12
    git-gui/lib/branch.tcl | 6
    git-gui/lib/browser.tcl | 2
    git-gui/lib/checkout_op.tcl | 25
    git-gui/lib/choose_repository.tcl | 23
    git-gui/lib/choose_rev.tcl | 8
    git-gui/lib/commit.tcl | 14
    git-gui/lib/console.tcl | 5
    git-gui/lib/database.tcl | 2
    git-gui/lib/diff.tcl | 12
    git-gui/lib/index.tcl | 8
    git-gui/lib/merge.tcl | 6
    git-gui/lib/mergetool.tcl | 8
    git-gui/lib/remote.tcl | 8
    git-gui/lib/remote_branch_delete.tcl | 2
    git-gui/lib/shortcut.tcl | 14
    git-gui/lib/sshkey.tcl | 7
    git-gui/lib/tools.tcl | 7
    git-gui/lib/win32.tcl | 9
    gitk-git/gitk | 277 ++++++----
    t/t1300-config.sh | 11
    t/t5558-clone-bundle-uri.sh | 23
    t/t7450-bad-git-dotfiles.sh | 33 +
    version | 2
    40 files changed, 793 insertions(+), 901 deletions(-)

    diff -Nru git-2.50.0/bundle-uri.c git-2.50.1/bundle-uri.c
    --- git-2.50.0/bundle-uri.c 2025-06-16 08:42:57.000000000 +0300
    +++ git-2.50.1/bundle-uri.c 2025-06-16 08:11:33.000000000 +0300
    @@ -297,6 +297,28 @@
    struct strbuf line = STRBUF_INIT;
    int found_get = 0;

    + /*
    + * The protocol we speak with git-remote-https(1) uses a space to
    + * separate between URI and file, so the URI itself must not contain a + * space. If it did, an adversary could change the location where the
    + * downloaded file is being written to.
    + *
    + * Similarly, we use newlines to separate commands from one another.
    + * Consequently, neither the URI nor the file must contain a newline or + * otherwise an adversary could inject arbitrary commands.
    + *
    + * TODO: Restricting newlines in the target paths may break valid
    + * usecases, even if those are a bit more on the esoteric side.
    + * If this ever becomes a problem we should probably think about + * alternatives. One alternative could be to use NUL-delimited
    + * requests in git-remote-htt
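Review bot: the comment added at the top of this hunk states the invariant (the URI must not contain a space, and neither the URI nor the target file may contain a newline, since the helper protocol is space- and newline-delimited) but the visible part of the hunk ends before the code that enforces it; the rejection has to happen before the `line` buffer built from the bundle list is handed to git-remote-https, otherwise the path-redirect and command-injection cases the comment describes are still reachable. The diffstat shows t/t5558-clone-bundle-uri.sh gaining 23 lines, so the test should exercise both the space-in-URI and the newline-in-URI/file cases, not only one of them. The TODO about newlines in target paths is worth keeping, but it would be clearer as a concrete follow-up ("switch the helper protocol to NUL-delimited requests") rather than an open question.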
  • From Debian Bug Tracking System@21:1/5 to All on Thu Jul 31 01:40:01 2025

    Your message dated Wed, 30 Jul 2025 23:35:06 +0000
    with message-id <E1uhGKA-00DzM6-1r@fasolo.debian.org>
    and subject line Bug#1108983: fixed in git 1:2.50.1-0.1
    has caused the Debian Bug report #1108983,
    regarding git: CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 CVE-2025-48386
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1108983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
