diff options
author | Tim Orling <ticotimo@gmail.com> | 2022-10-24 10:07:20 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-10-26 12:28:40 +0100 |
commit | 6100383cc4695d667137ce278406dea10e241339 (patch) | |
tree | 3d00a0c1f97a2dc957498198f84504a248c6ce21 /meta/recipes-devtools/git | |
parent | 262f44fd2877dab9aa9eadb614cc6f82095ffcae (diff) | |
download | poky-6100383cc4695d667137ce278406dea10e241339.tar.gz |
git: upgrade 2.37.3 -> 2.38.1
Fixes CVE-2022-39260
Git v2.38.1 Release Notes
=========================
This release merges the security fix that appears in v2.30.6; see
the release notes for that version for details.
Excerpt from 2.30.6 release notes:
* CVE-2022-39260:
An overly-long command string given to `git shell` can result in
overflow in `split_cmdline()`, leading to arbitrary heap writes and
remote code execution when `git shell` is exposed and the directory
`$HOME/git-shell-commands` exists.
`git shell` is taught to refuse interactive commands that are
longer than 4MiB in size. `split_cmdline()` is hardened to reject
inputs larger than 2GiB.
Credit for finding CVE-2022-39260 goes to Kevin Backhouse of GitHub.
The fix was authored by Kevin Backhouse, Jeff King, and Taylor Blau.
For 2.38.0 changes, see:
https://github.com/git/git/blob/master/Documentation/RelNotes/2.38.0.txt
(From OE-Core rev: b304768711374066db320fe87960be81f54a8424)
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/git')
-rw-r--r-- | meta/recipes-devtools/git/git_2.38.1.bb (renamed from meta/recipes-devtools/git/git_2.37.3.bb) | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/meta/recipes-devtools/git/git_2.37.3.bb b/meta/recipes-devtools/git/git_2.38.1.bb index 2eed85e807..033e36ae16 100644 --- a/meta/recipes-devtools/git/git_2.37.3.bb +++ b/meta/recipes-devtools/git/git_2.38.1.bb | |||
@@ -165,4 +165,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \ | |||
165 | " | 165 | " |
166 | EXTRA_OEMAKE += "NO_GETTEXT=1" | 166 | EXTRA_OEMAKE += "NO_GETTEXT=1" |
167 | 167 | ||
168 | SRC_URI[tarball.sha256sum] = "181f65587155ea48c682f63135678ec53055adf1532428752912d356e46b64a8" | 168 | SRC_URI[tarball.sha256sum] = "620ed3df572a34e782a2be4c7d958d443469b2665eac4ae33f27da554d88b270" |