Dear Git Development team Hi. Recently, I noted that the vulnerability patch (CVE-2020-5260) for "git credential" is not applied in the "git-credential-libsecret" program (./contrib/credential/libsecret/git-credential-libsecret.c). Actually, I'm not sure whether "git-credential-libsecret" is actually used. But it can be potentially intimidating, thus it would be good to apply the same patch of "git credential" to "git-credential-libsecret". - Patch for CVE-2020-5260 * https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b - Similar but not patched code in "git-credential-libsecret" * https://github.com/git/git/blob/master/contrib/credential/libsecret/git-credential-libsecret.c#L306-L311 * When I put the malicious URL in the test code shown in the CVE-2020-5260 patch into "git-credential-libsecret", it does not terminate. Could you please check whether this is an actual bug? Thank you. Best regards, Seunghoon Woo -- Best regards, Seunghoon Woo Korea University Dept. of Computer Science and Engineering Computer & Communication Security Lab. seunghoonwoo@xxxxxxxxxxx (+82)10-8147-9308
