[Buildroot] [PATCH] git: security bump to version 2.16.4
peter at korsgaard.com
Tue May 29 19:46:06 UTC 2018
>>>>> "Baruch" == Baruch Siach <baruch at tkos.co.il> writes:
> Forward port of security fixes from the 2.13.7 release. The 2.13.7
> release notes say this:
>
>  * Submodule "names" come from the untrusted .gitmodules file, but we
>    blindly append them to $GIT_DIR/modules to create our on-disk repo
>    paths. This means you can do bad things by putting "../" into the
>    name. We now enforce some rules for submodule names which will cause
>    Git to ignore these malicious names (CVE-2018-11235).
>
>    Credit for finding this vulnerability and the proof of concept from
>    which the test script was adapted goes to Etienne Stalmans.
>
>  * It was possible to trick the code that sanity-checks paths on NTFS
>    into reading random piece of memory (CVE-2018-11233).
>
> Cc: Matt Weber <matthew.weber at rockwellcollins.com>
> Signed-off-by: Baruch Siach <baruch at tkos.co.il>
Bye, Peter Korsgaard
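
The submodule-name problem quoted above (CVE-2018-11235), as an added example that is not part of the original mail or of Git's code: a small audit script that lists the names declared in a .gitmodules file, shows where a blind join onto $GIT_DIR/modules would land, and flags unsafe names. Assumptions: the rule applied here (reject empty names and any ".." path component, treating both "/" and "\" as separators) stands in for the "rules for submodule names" the release notes mention, and the function names, the /work/repo path and the sample file are constructed for illustration.

```python
import posixpath
import re

# Section headers look like: [submodule "name"]; \" and \\ are escapes inside the quotes.
HEADER = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\s*\]', re.IGNORECASE)

def submodule_names(gitmodules_text):
    """Yield the submodule names declared in the text of a .gitmodules file."""
    for line in gitmodules_text.splitlines():
        m = HEADER.match(line)
        if m:
            yield re.sub(r'\\(.)', r'\1', m.group(1))

def name_is_safe(name):
    """Assumed rule: reject empty names and any '..' path component."""
    if not name:
        return False
    return ".." not in re.split(r'[/\\]', name)

def repo_path(git_dir, name):
    """Where a blind join of the name onto $GIT_DIR/modules ends up."""
    return posixpath.normpath(posixpath.join(git_dir, "modules", name))

def audit(gitmodules_text, git_dir="/work/repo/.git"):
    """Return (name, resolved_path, safe) for every declared submodule."""
    return [(n, repo_path(git_dir, n), name_is_safe(n))
            for n in submodule_names(gitmodules_text)]

# Constructed sample input, not taken from a real repository.
SAMPLE = '''\
[submodule "libfoo"]
    path = vendor/libfoo
    url = https://example.com/libfoo.git
[submodule "../../outside"]
    path = outside
    url = https://example.com/outside.git
[submodule "docs/..hidden"]
    path = docs
    url = https://example.com/docs.git
'''

if __name__ == "__main__":
    for name, path, safe in audit(SAMPLE):
        print(f"{'ok ' if safe else 'BAD'} {name!r} -> {path}")
```

The third sample name is accepted on purpose: "..hidden" merely starts with two dots and is not a ".." path component, so the resolved path stays under modules/.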