On Tue, Apr 12, 2022 at 10:01:21AM -0700, Junio C Hamano wrote: > The latest maintenance release Git v2.35.2, together with releases > for older maintenance tracks v2.30.3, v2.31.2, v2.32.1, v2.33.2, and > v2.34.2, are now available at the usual places. > > These maintenance releases are to address the security issues > described in CVE-2022-24765. Please update at your earliest > opportunity. > > The tarballs are found at: > > https://www.kernel.org/pub/software/scm/git/ > > The following public repositories all have a copy of the 'v2.35.2', > 'v2.34.2', 'v2.33.2', 'v2.32.1', 'v2.31.2', and 'v2.30.3' tags. > > url = https://git.kernel.org/pub/scm/git/git > url = https://kernel.googlesource.com/pub/scm/git/git > url = https://github.com/gitster/git > > CVE-2022-24765: > On multi-user machines, Git users might find themselves > unexpectedly in a Git worktree, e.g. when another user created a > repository in `C:\.git`, in a mounted network drive or in a > scratch space. Merely having a Git-aware prompt that runs `git > status` (or `git diff`) and navigating to a directory which is > supposedly not a Git worktree, or opening such a directory in an > editor or IDE such as VS Code or Atom, will potentially run > commands defined by that other user. > > Credit for finding this vulnerability goes to 俞晨东; the fix was > authored by Johannes Schindelin. This fix causes trouble when attempting to 'sudo make install' any non-tagged Git revision: $ git checkout v2.36.0-rc2 HEAD is now at 11cfe55261 Git 2.36-rc2 $ git commit --allow-empty -m foo [detached HEAD 237ee2a6ef] foo $ make GIT_VERSION = 2.36.0.rc2.1.g237ee2a6ef [...] $ sudo make install GIT_VERSION = 2.36.0-rc2 CC version.o
