[SECURITY] [DLA 4323-1] git security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4323-1] git security update
From: Andrej Shadura <andrewsh@debian.org>
Date: Mon, 6 Oct 2025 14:15:20 +0200
Message-id: <[🔎] 20251006121522.167086-1-andrewsh@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4323-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Andrej Shadura
October 06, 2025                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : git
Version        : 1:2.30.2-1+deb11u5
CVE ID         : CVE-2025-27613 CVE-2025-46835 CVE-2025-48384

CVE-2025-27613

    With Gitk, the Git history browser, when a user clones an untrusted
    repository and runs gitk without additional command arguments,
    files for which the user has write permission can be created and
    truncated. The option Support per-file encoding must have been enabled
    before in Gitk's Preferences. This option is disabled by default. The
    same happens when Show origin of this line is used in the main window
    (regardless of whether Support per-file encoding is enabled or not).

CVE-2025-46835

    When a user clones an untrusted repository and is tricked into editing
    a file located in a maliciously named directory in the repository,
    then Git GUI can create and overwrite files for which the user has
    write permission.

CVE-2025-48384

    When reading a config value, Git strips any trailing carriage return
    and line feed (CRLF). When writing a config entry, values with a
    trailing CR are not quoted, causing the CR to be lost when the config
    is later read. When initializing a submodule, if the submodule path
    contains a trailing CR, the altered path is read resulting in the
    submodule being checked out to an incorrect location. If a symlink
    exists that points the altered path to the submodule hooks directory,
    and the submodule contains an executable post-checkout hook, the
    script may be unintentionally executed after checkout.

For Debian 11 bullseye, these problems have been fixed in version
1:2.30.2-1+deb11u5.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/git

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCaOOyFwAKCRDoRGtKyMdy
YSiPAP9Pf15FbleqiMbr36UgD4qAQST/auYS6Nn0OtScTkBsPgD8CCv+DyBjbBbc
ZJUnTfMdKSeAFvH9jTVeTgQChNbucA4=
=Wzzd
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4322-1] log4cxx security update
Previous by thread: [SECURITY] [DLA 4322-1] log4cxx security update
Index(es):
- Date
- Thread