From 832107c6dc4b42ff35b09bfa60dddb5537821161 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Wed, 13 Apr 2022 14:42:52 +0200 Subject: [PATCH] package/git: security bump to version 2.31.2 Fixes the following security issue: CVE-2022-24765: On multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended for all users and another user created a repository in `/scratch/.git`. Merely having a Git-aware prompt that runs `git status` (or `git diff`) and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user via `/scratch/.git/config`. https://www.openwall.com/lists/oss-security/2022/04/12/7 Signed-off-by: Peter Korsgaard --- package/git/git.hash | 2 +- package/git/git.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/git/git.hash b/package/git/git.hash index 1db29ac457..5868fbffda 100644 --- a/package/git/git.hash +++ b/package/git/git.hash @@ -1,5 +1,5 @@ # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc -sha256 9f61417a44d5b954a5012b6f34e526a3336dcf5dd720e2bb7ada92ad8b3d6680 git-2.31.1.tar.xz +sha256 d9167d801cf4aa2abca6e8f43d5d1b383e02e4d257ac1dc071802bb773ed0e2a git-2.31.2.tar.xz # Locally calculated sha256 5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e COPYING sha256 1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a LGPL-2.1 diff --git a/package/git/git.mk b/package/git/git.mk index 90b1acd6a4..0127ba5129 100644 --- a/package/git/git.mk +++ b/package/git/git.mk @@ -4,7 +4,7 @@ # ################################################################################ -GIT_VERSION = 2.31.1 +GIT_VERSION = 2.31.2 GIT_SOURCE = git-$(GIT_VERSION).tar.xz GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git GIT_LICENSE = GPL-2.0, LGPL-2.1+