public inbox for cygwin-announce@cygwin.com
 help / color / mirror / Atom feed
From: Adam Dinwoodie <adam@dinwoodie.org>
To: cygwin-announce@cygwin.com
Subject: Security update: Git v2.37.1
Date: Wed, 13 Jul 2022 14:42:42 +0100	[thread overview]
Message-ID: <20220713134242.gu6qlk5zfo5mhq3b@lucy.dinwoodie.org> (raw)

Version 2.37.1-1 of Git has been uploaded to the Cygwin distribution
servers, and should be coming soon to a mirror near you.

Git is a free and open source distributed version control system
designed to handle everything from small to very large projects with
speed and efficiency.

This is an update to the latest upstream release, and includes the
following packages:

- git
- git-cvs
- git-debuginfo
- git-email
- git-gui
- gitk
- git-p4
- git-svn

From the upstream changelog:

> Fixes since Git 2.37
> --------------------
> 
>  * Rewrite of "git add -i" in C that appeared in Git 2.25 didn't
>    correctly record a removed file to the index, which is an old
>    regression but has become widely known because the C version has
>    become the default in the latest release.
> 
>  * Fix for CVS-2022-29187.

For context, I understand CVE-2022-29187 (which I think is what the
above is supposed to refer to...) to be an issue around running Git
hooks owned by other users; selecting from the relevant commit message:

> [The fix for CVE-2022-24765 in Cygwin Git v2.35.3-1 added]
> a function to check for ownership of
> repositories using a directory that is representative of it, and ways to
> add exempt a specific repository from said check if needed, but that
> check didn't account for owership of the gitdir, or (when used) the
> gitfile that points to that gitdir.
> 
> An attacker could create a git repository in a directory that they can
> write into but that is owned by the victim to work around the fix that
> was introduced with CVE-2022-24765 to potentially run code as the
> victim.
> 
> An example that could result in privilege escalation to root in *NIX would
> be to set a repository in a shared tmp directory by doing (for example):
> 
>   $ git -C /tmp init

For a full list of the upstream changes in this release, please refer to
the upstream changelogs:

https://git.kernel.org/cgit/git/git.git/tree/Documentation/RelNotes
https://kernel.googlesource.com/pub/scm/git/git.git/+/master/Documentation/RelNotes/
https://github.com/git/git/tree/master/Documentation/RelNotes

Enjoy!

                 reply	other threads:[~2022-07-13 13:42 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220713134242.gu6qlk5zfo5mhq3b@lucy.dinwoodie.org \
    --to=adam@dinwoodie.org \
    --cc=cygwin-announce@cygwin.com \
    --cc=cygwin@cygwin.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).