Sync with Git 2.13.7
* maint-2.13:
Git 2.13.7
verify_path: disallow symlinks in .gitmodules
update-index: stat updated files earlier
verify_dotfile: mention case-insensitivity in comment
verify_path: drop clever fallthrough
skip_prefix: add case-insensitive variant
is_{hfs,ntfs}_dotgitmodules: add tests
is_ntfs_dotgit: match other .git files
is_hfs_dotgit: match other .git files
is_ntfs_dotgit: use a size_t for traversing string
submodule-config: verify submodule names as paths
This commit is contained in:
Junio C Hamano
20
Documentation/RelNotes/2.13.7.txt
Normal file
20
Documentation/RelNotes/2.13.7.txt
Normal file
@ -0,0 +1,20 @@
|
||||
Git v2.13.7 Release Notes
|
||||
=========================
|
||||
|
||||
Fixes since v2.13.6
|
||||
-------------------
|
||||
|
||||
* Submodule "names" come from the untrusted .gitmodules file, but we
|
||||
blindly append them to $GIT_DIR/modules to create our on-disk repo
|
||||
paths. This means you can do bad things by putting "../" into the
|
||||
name. We now enforce some rules for submodule names which will cause
|
||||
Git to ignore these malicious names (CVE-2018-11235).
|
||||
|
||||
Credit for finding this vulnerability and the proof of concept from
|
||||
which the test script was adapted goes to Etienne Stalmans.
|
||||
|
||||
* It was possible to trick the code that sanity-checks paths on NTFS
|
||||
into reading random piece of memory (CVE-2018-11233).
|
||||
|
||||
Credit for fixing for these bugs goes to Jeff King, Johannes
|
||||
Schindelin and others.
|
||||
Reference in New Issue
Block a user