ae1f047295
Forward port of security fixes from the 2.13.7 release. The 2.13.7 release notes say this: * Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting "../" into the name. We now enforce some rules for submodule names which will cause Git to ignore these malicious names (CVE-2018-11235). Credit for finding this vulnerability and the proof of concept from which the test script was adapted goes to Etienne Stalmans. * It was possible to trick the code that sanity-checks paths on NTFS into reading random piece of memory (CVE-2018-11233). Cc: Matt Weber <matthew.weber@rockwellcollins.com> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
||
|---|---|---|
| .. | ||
| Config.in | ||
| git.hash | ||
| git.mk | ||