b4ec1573e1
Fixes the following security issues: * CVE-2023-22490: Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. * CVE-2023-23946: By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply". For more details, see the announcement: https://lore.kernel.org/git/xmqqr0us5dio.fsf@gitster.g/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
||
|---|---|---|
| .. | ||
| 0001-Fix-build-without-threads.patch | ||
| Config.in | ||
| git.hash | ||
| git.mk | ||