git: fix CVE-2025-48384

Git is a fast, scalable, distributed revision control system with an
unusually rich command set that provides both high-level operations
and full access to internals. When reading a config value, Git strips
any trailing carriage return and line feed (CRLF). When writing a
config entry, values with a trailing CR are not quoted, causing the CR
to be lost when the config is later read. When initializing a
submodule, if the submodule path contains a trailing CR, the altered
path is read resulting in the submodule being checked out to an
incorrect location. If a symlink exists that points the altered path
to the submodule hooks directory, and the submodule contains an
executable post-checkout hook, the script may be unintentionally
executed after checkout. This vulnerability is fixed in v2.43.7,
v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-48384

Upstream-patch:
https://github.com/git/git/commit/05e9cd64ee23bbadcea6bcffd6660ed02b8eab89

(From OE-Core rev: 34cb9674a5ce337a75af0dc415706d0323c427a6)

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

2 files changed, 86 insertions, 0 deletions

diff --git a/meta/recipes-devtools/git/git/CVE-2025-48384.patch b/meta/recipes-devtools/git/git/CVE-2025-48384.patch
new file mode 100644
index 0000000000..6c21a3c352
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2025-48384.patch
@@ -0,0 +1,85 @@
+From 05e9cd64ee23bbadcea6bcffd6660ed02b8eab89 Mon Sep 17 00:00:00 2001
+From: Justin Tobler <jltobler@gmail.com>
+Date: Mon, 19 May 2025 21:26:04 -0500
+Subject: [PATCH] config: quote values containing CR character
+
+When reading the config, values that contain a trailing CRLF are
+stripped. If the value itself has a trailing CR, the normal LF that
+follows results in the CR being unintentionally stripped. This may lead
+to unintended behavior due to the config value written being different
+when it gets read.
+
+One such issue involves a repository with a submodule path containing a
+trailing CR. When the submodule gets initialized, the submodule is
+cloned without being checked out and has "core.worktree" set to the
+submodule path. The git-checkout(1) that gets spawned later reads the
+"core.worktree" config value, but without the trailing CR, and
+consequently attempts to checkout to a different path than intended.
+
+If the repository contains a matching path that is a symlink, it is
+possible for the submodule repository to be checked out in arbitrary
+locations. This is extra bad when the symlink points to the submodule
+hooks directory and the submodule repository contains an executable
+"post-checkout" hook. Once the submodule repository checkout completes,
+the "post-checkout" hook immediately executes.
+
+To prevent mismatched config state due to misinterpreting a trailing CR,
+wrap config values containing CR in double quotes when writing the
+entry. This ensures a trailing CR is always separated for an LF and thus
+prevented from getting stripped.
+
+Note that this problem cannot be addressed by just quoting each CR with
+"\r". The reading side of the config interprets only a few backslash
+escapes, and "\r" is not among them. This fix is sufficient though
+because it only affects the CR at the end of a line and any literal CR
+in the interior is already preserved.
+
+Co-authored-by: David Leadbeater <dgl@dgl.cx>
+Signed-off-by: Justin Tobler <jltobler@gmail.com>
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+
+CVE: CVE-2025-48384
+
+Upstream-Status: Backport [https://github.com/git/git/commit/05e9cd64ee23bbadcea6bcffd6660ed02b8eab89]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ config.c          |  2 +-
+ t/t1300-config.sh | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/config.c b/config.c
+index 6a01938..4fbff51 100644
+--- a/config.c
++++ b/config.c
+@@ -2756,7 +2756,7 @@ static ssize_t write_pair(int fd, const char *key, const char *value,
+        if (value[0] == ' ')
+                quote = "\"";
+        for (i = 0; value[i]; i++)
+-               if (value[i] == ';' || value[i] == '#')
++               if (value[i] == ';' || value[i] == '#' || value[i] == '\r')
+                        quote = "\"";
+        if (i && value[i - 1] == ' ')
+                quote = "\"";
+diff --git a/t/t1300-config.sh b/t/t1300-config.sh
+index b07feb1..49f4971 100755
+--- a/t/t1300-config.sh
++++ b/t/t1300-config.sh
+@@ -2417,5 +2417,15 @@ test_expect_success '--get and --get-all with --fixed-value' '
+        git config --file=config --get-regexp --fixed-value fixed+ "$META" &&
+        test_must_fail git config --file=config --get-regexp --fixed-value fixed+ non-existent
+ '
++test_expect_success 'writing value with trailing CR not stripped on read' '
++       test_when_finished "rm -rf cr-test" &&
++
++       printf "bar\r\n" >expect &&
++       git init cr-test &&
++       git -C cr-test config set core.foo $(printf "bar\r") &&
++       git -C cr-test config get core.foo >actual &&
++
++       test_cmp expect actual
++'
+
+ test_done
+--
+2.40.0
diff --git a/meta/recipes-devtools/git/git_2.35.7.bb b/meta/recipes-devtools/git/git_2.35.7.bb
index 3520b4db90..2079c3ddc8 100644
--- a/meta/recipes-devtools/git/git_2.35.7.bb
+++ b/meta/recipes-devtools/git/git_2.35.7.bb
@@ -27,6 +27,7 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
            file://CVE-2024-50349-0002.patch \
            file://CVE-2024-52006.patch \
            file://CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch \
+           file://CVE-2025-48384.patch \
            "
 
 S = "${WORKDIR}/git-${PV}"