| commit | 9e65df5eab274bf74c7b570107aacd1303a1e703 | |
| author | Johannes Schindelin <johannes.schindelin@gmx.de> | |
| Fri, 12 Apr 2024 22:28:19 +0000 (13 00:28 +0200) | ||
| committer | Johannes Schindelin <johannes.schindelin@gmx.de> | |
| Fri, 19 Apr 2024 10:38:32 +0000 (19 12:38 +0200) | ||
| tree | dcb37ff85f47139aba0a39b166feda0a4dd87497 | treesnapshot (tar.gz zip) |
| parent | 2b3d38a6b12ffc949c98eaacd67e8e383c847529 | commitdiff |
| parent | 1204e1a824c34071019fe106348eaa6d88f9528d | commitdiff |
Merge branch 'ownership-checks-in-local-clones'
This topic addresses two CVEs:
- CVE-2024-32020:
Local clones may end up hardlinking files into the target repository's
object database when source and target repository reside on the same
disk. If the source repository is owned by a different user, then
those hardlinked files may be rewritten at any point in time by the
untrusted user.
- CVE-2024-32021:
When cloning a local source repository that contains symlinks via the
filesystem, Git may create hardlinks to arbitrary user-readable files
on the same filesystem as the target repository in the objects/
directory.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
This topic addresses two CVEs:
- CVE-2024-32020:
Local clones may end up hardlinking files into the target repository's
object database when source and target repository reside on the same
disk. If the source repository is owned by a different user, then
those hardlinked files may be rewritten at any point in time by the
untrusted user.
- CVE-2024-32021:
When cloning a local source repository that contains symlinks via the
filesystem, Git may create hardlinks to arbitrary user-readable files
on the same filesystem as the target repository in the objects/
directory.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
| builtin/clone.c | diff1 | diff2 | blobhistory |