On Mon, Jan 26, 2015 at 1:35 PM, Junio C Hamano <gitster@xxxxxxxxx> wrote: > > What is your take on CVE-2015-1196, which brought this /regression/ to > GNU patch? > If "git apply" get /fixed/ for that same CVE, would that /break/ your fix? I _think_ we allow arbitrary symlinks to be created, but then we should be careful about actually _following_ them. At least I _thought_ we were already quite careful not to do that, even if it's been a long time since I looked at the code. So even if we create a symlink to outside the repository, it normally shouldn't matter. We have that whole "lstat_cache()" thing that exists exactly to make it efficient to do pathname lookups while at the same time being aware of symlinks in the middle. Of course, our lstat cache is racy if somebody else modifies the tree concurrently and changes things, but that's a non-issue, because if somebody can just directly create random symlinks in the middle of the tree, I don't think we care about any symlinks _git_ might be creating concurrently ;) But it is entirely possible that "git apply" - especially when used outside of a real git directory - ends up doing that. And it's not like we necessarily always use the whole "lstat-cache" mechanism to begin with, so the fact that we have the infrastructure to be careful in no way means that we necessarily always _are_ careful... Linus -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html