From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dalaran.tastycake.net (dalaran.tastycake.net [IPv6:2001:ba8:0:1c0::1:1]) by sourceware.org (Postfix) with ESMTPS id B58B4383A346 for ; Wed, 13 Jul 2022 13:42:46 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org B58B4383A346 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=dinwoodie.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=dinwoodie.org Received: from c.a.1.d.d.f.6.c.f.8.d.f.b.e.b.6.d.a.0.2.5.1.e.d.0.b.8.0.1.0.0.2.ip6.arpa ([2001:8b0:de15:20ad:6beb:fd8f:c6fd:d1ac] helo=lucy.dinwoodie.org) by dalaran.tastycake.net with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oBcdY-0000np-Mm for cygwin-announce@cygwin.com; Wed, 13 Jul 2022 14:42:44 +0100 Received: from adam by lucy.dinwoodie.org with local (Exim 4.94.2) (envelope-from ) id 1oBcdW-003oMt-UB for cygwin-announce@cygwin.com; Wed, 13 Jul 2022 14:42:42 +0100 Date: Wed, 13 Jul 2022 14:42:42 +0100 From: Adam Dinwoodie To: cygwin-announce@cygwin.com Subject: Security update: Git v2.37.1 Message-ID: <20220713134242.gu6qlk5zfo5mhq3b@lucy.dinwoodie.org> Reply-To: cygwin@cygwin.com MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spam-Status: No, score=-1.6 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS, KAM_NUMSUBJECT, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: cygwin-announce@cygwin.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Read-only mailing list announcing new and updated Cygwin packages List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Jul 2022 13:42:48 -0000 Version 2.37.1-1 of Git has been uploaded to the Cygwin distribution servers, and should be coming soon to a mirror near you. Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. This is an update to the latest upstream release, and includes the following packages: - git - git-cvs - git-debuginfo - git-email - git-gui - gitk - git-p4 - git-svn >From the upstream changelog: > Fixes since Git 2.37 > -------------------- > > * Rewrite of "git add -i" in C that appeared in Git 2.25 didn't > correctly record a removed file to the index, which is an old > regression but has become widely known because the C version has > become the default in the latest release. > > * Fix for CVS-2022-29187. For context, I understand CVE-2022-29187 (which I think is what the above is supposed to refer to...) to be an issue around running Git hooks owned by other users; selecting from the relevant commit message: > [The fix for CVE-2022-24765 in Cygwin Git v2.35.3-1 added] > a function to check for ownership of > repositories using a directory that is representative of it, and ways to > add exempt a specific repository from said check if needed, but that > check didn't account for owership of the gitdir, or (when used) the > gitfile that points to that gitdir. > > An attacker could create a git repository in a directory that they can > write into but that is owned by the victim to work around the fix that > was introduced with CVE-2022-24765 to potentially run code as the > victim. > > An example that could result in privilege escalation to root in *NIX would > be to set a repository in a shared tmp directory by doing (for example): > > $ git -C /tmp init For a full list of the upstream changes in this release, please refer to the upstream changelogs: https://git.kernel.org/cgit/git/git.git/tree/Documentation/RelNotes https://kernel.googlesource.com/pub/scm/git/git.git/+/master/Documentation/RelNotes/ https://github.com/git/git/tree/master/Documentation/RelNotes Enjoy!