mirror of
https://git.yoctoproject.org/poky
synced 2026-02-08 18:02:12 +01:00
6100383cc4
Fixes CVE-2022-39260 Git v2.38.1 Release Notes ========================= This release merges the security fix that appears in v2.30.6; see the release notes for that version for details. Excerpt from 2.30.6 release notes: * CVE-2022-39260: An overly-long command string given to `git shell` can result in overflow in `split_cmdline()`, leading to arbitrary heap writes and remote code execution when `git shell` is exposed and the directory `$HOME/git-shell-commands` exists. `git shell` is taught to refuse interactive commands that are longer than 4MiB in size. `split_cmdline()` is hardened to reject inputs larger than 2GiB. Credit for finding CVE-2022-39260 goes to Kevin Backhouse of GitHub. The fix was authored by Kevin Backhouse, Jeff King, and Taylor Blau. For 2.38.0 changes, see: https://github.com/git/git/blob/master/Documentation/RelNotes/2.38.0.txt (From OE-Core rev: b304768711374066db320fe87960be81f54a8424) Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>