[Buildroot] [PATCH] git: security bump to version 2.16.4

Peter Korsgaard peter at korsgaard.com
Tue May 29 19:46:06 UTC 2018


>>>>> "Baruch" == Baruch Siach <baruch at tkos.co.il> writes:

 > Forward port of security fixes from the 2.13.7 release. The 2.13.7
 > release notes say this:

 >  * Submodule "names" come from the untrusted .gitmodules file, but we
 >    blindly append them to $GIT_DIR/modules to create our on-disk repo
 >    paths. This means you can do bad things by putting "../" into the
 >    name. We now enforce some rules for submodule names which will cause
 >    Git to ignore these malicious names (CVE-2018-11235).

 >    Credit for finding this vulnerability and the proof of concept from
 >    which the test script was adapted goes to Etienne Stalmans.

 >  * It was possible to trick the code that sanity-checks paths on NTFS
 >    into reading random piece of memory (CVE-2018-11233).

 > Cc: Matt Weber <matthew.weber at rockwellcollins.com>
 > Signed-off-by: Baruch Siach <baruch at tkos.co.il>

Committed, thanks.

-- 
Bye, Peter Korsgaard


More information about the buildroot mailing list