From b4ec1573e11448e88667665b22692f351f135b9f Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Sat, 4 Mar 2023 20:11:10 +0100 Subject: [PATCH] package/git: security bump to version 2.31.7 Fixes the following security issues: * CVE-2023-22490: Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. * CVE-2023-23946: By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply". For more details, see the announcement: https://lore.kernel.org/git/xmqqr0us5dio.fsf@gitster.g/ Signed-off-by: Peter Korsgaard --- package/git/git.hash | 2 +- package/git/git.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/git/git.hash b/package/git/git.hash index 9a472b49ec..90e43aed80 100644 --- a/package/git/git.hash +++ b/package/git/git.hash @@ -1,5 +1,5 @@ # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc -sha256 e0fa851e4ccb990c57793a3cfcbf7c8981fbacab175025ea15db9ecd57434cee git-2.31.6.tar.xz +sha256 30674629605a12d3ef4f9c752d5561862f04a48952b1799b9815f9884e4e0f6d git-2.31.7.tar.xz # Locally calculated sha256 5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e COPYING sha256 1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a LGPL-2.1 diff --git a/package/git/git.mk b/package/git/git.mk index 0b4e93a8b6..581f194807 100644 --- a/package/git/git.mk +++ b/package/git/git.mk 
@@ -4,7 +4,7 @@ # ################################################################################ -GIT_VERSION = 2.31.6 +GIT_VERSION = 2.31.7 GIT_SOURCE = git-$(GIT_VERSION).tar.xz GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git GIT_LICENSE = GPL-2.0, LGPL-2.1+
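Review bot: in the git.hash hunk, the replaced `sha256 ... git-2.31.7.tar.xz` line should be cross-checked against the upstream sha256sums.asc named in the `# From:` comment directly above it, with that file's PGP signature verified first; a digest computed from a locally downloaded tarball only proves the download is self-consistent, not that the tarball is the one upstream published. The unchanged COPYING and LGPL-2.1 hashes are fine since the license files are not expected to change in a point release.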
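Review bot: the git.mk hunk bumps only `GIT_VERSION = 2.31.7`, which matches the tarball name in the git.hash hunk, so the two files stay consistent; since this keeps the package on the 2.31.x maintenance series, the reviewer should confirm against the linked announcement that 2.31.7 is the release carrying the fixes for both CVE-2023-22490 and CVE-2023-23946 named in the commit message, and that no other variable in the hunk's context (GIT_SOURCE, GIT_SITE, GIT_LICENSE) needs to change for this version.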