From fd5a7c532f2db75e117595089dbd6d16774cd889 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Fri, 18 May 2018 12:37:02 +0900 Subject: [PATCH] Git 2.13.7 Signed-off-by: Junio C Hamano --- Documentation/RelNotes/2.13.7.txt | 19 +++++++++++++++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.13.7.txt diff --git a/Documentation/RelNotes/2.13.7.txt b/Documentation/RelNotes/2.13.7.txt new file mode 100644 index 0000000000..3df9b009fc --- /dev/null +++ b/Documentation/RelNotes/2.13.7.txt @@ -0,0 +1,19 @@ +Git v2.13.7 Release Notes +========================= + +Fixes since v2.13.6 +------------------- + + * Submodule "names" come from the untrusted .gitmodules file, but + we blindly append them to $GIT_DIR/modules to create our on-disk + repo paths. This means you can do bad things by putting "../" + into the name (among other things). As these are initially taken + from the path the submodule initially bound to the project and + then serve as a constant name across moving it in the directory + structure, a submodule with a name that does not pass + verify_path() check, which rejects a string with a substring + "/../" and ".git/" etc., is now ignored. + +Credit for finding this vulnerability and the proof of concept from +which the test script was adapted goes to Etienne Stalmans. Credit +for the fix goes to Jeff King, Johannes Schindelin and others. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 3db6830bed..1534654ffc 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.13.6 +DEF_VER=v2.13.7 LF=' ' diff --git a/RelNotes b/RelNotes index c2dd9dd6ad..a7f9eca981 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.13.6.txt \ No newline at end of file +Documentation/RelNotes/2.13.7.txt \ No newline at end of file