2 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git/CVE-2025-48384.patch b/meta/recipes-devtools/git/git/CVE-2025-48384.patch
new file mode 100644
index 0000000000..6c21a3c352
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2025-48384.patch
@@ -0,0 +1,85 @@
+From 05e9cd64ee23bbadcea6bcffd6660ed02b8eab89 Mon Sep 17 00:00:00 2001
+From: Justin Tobler <jltobler@gmail.com>
+Date: Mon, 19 May 2025 21:26:04 -0500
+Subject: [PATCH] config: quote values containing CR character
+When reading the config, values that contain a trailing CRLF are
+stripped. If the value itself has a trailing CR, the normal LF that
+follows results in the CR being unintentionally stripped. This may lead
+to unintended behavior due to the config value written being different
+when it gets read.
+One such issue involves a repository with a submodule path containing a
+trailing CR. When the submodule gets initialized, the submodule is
+cloned without being checked out and has "core.worktree" set to the
+submodule path. The git-checkout(1) that gets spawned later reads the
+"core.worktree" config value, but without the trailing CR, and
+consequently attempts to checkout to a different path than intended.
+If the repository contains a matching path that is a symlink, it is
+possible for the submodule repository to be checked out in arbitrary
+locations. This is extra bad when the symlink points to the submodule
+hooks directory and the submodule repository contains an executable
+"post-checkout" hook. Once the submodule repository checkout completes,
+the "post-checkout" hook immediately executes.
+To prevent mismatched config state due to misinterpreting a trailing CR,
+wrap config values containing CR in double quotes when writing the
+entry. This ensures a trailing CR is always separated for an LF and thus
+prevented from getting stripped.
+Note that this problem cannot be addressed by just quoting each CR with
+"\r". The reading side of the config interprets only a few backslash
+escapes, and "\r" is not among them. This fix is sufficient though
+because it only affects the CR at the end of a line and any literal CR
+in the interior is already preserved.
+Co-authored-by: David Leadbeater <dgl@dgl.cx>
+Signed-off-by: Justin Tobler <jltobler@gmail.com>
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+CVE: CVE-2025-48384
+Upstream-Status: Backport [https://github.com/git/git/commit/05e9cd64ee23bbadcea6bcffd6660ed02b8eab89]
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ config.c          |  2 +-
+ t/t1300-config.sh | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+diff --git a/config.c b/config.c
+index 6a01938..4fbff51 100644
+--- a/config.c
+++ b/config.c
+@@ -2756,7 +2756,7 @@ static ssize_t write_pair(int fd, const char *key, const char *value,
+        if (value[0] == ' ')
+                quote = "\"";
+        for (i = 0; value[i]; i++)
+-               if (value[i] == ';' || value[i] == '#')
+               if (value[i] == ';' || value[i] == '#' || value[i] == '\r')
+                        quote = "\"";
+        if (i && value[i - 1] == ' ')
+                quote = "\"";
+diff --git a/t/t1300-config.sh b/t/t1300-config.sh
+index b07feb1..49f4971 100755
+--- a/t/t1300-config.sh
+++ b/t/t1300-config.sh
+@@ -2417,5 +2417,15 @@ test_expect_success '--get and --get-all with --fixed-value' '
+        git config --file=config --get-regexp --fixed-value fixed+ "$META" &&
+        test_must_fail git config --file=config --get-regexp --fixed-value fixed+ non-existent
+ '
+test_expect_success 'writing value with trailing CR not stripped on read' '
+       test_when_finished "rm -rf cr-test" &&
+
+       printf "bar\r\n" >expect &&
+       git init cr-test &&
+       git -C cr-test config set core.foo $(printf "bar\r") &&
+       git -C cr-test config get core.foo >actual &&
+
+       test_cmp expect actual
+'
+ test_done
+--
+2.40.0
diff --git a/meta/recipes-devtools/git/git_2.35.7.bb b/meta/recipes-devtools/git/git_2.35.7.bb
index 3520b4db90..2079c3ddc8 100644
--- a/meta/recipes-devtools/git/git_2.35.7.bb
+++ b/meta/recipes-devtools/git/git_2.35.7.bb
@@ -27,6 +27,7 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
           file://CVE-2024-50349-0002.patch \
           file://CVE-2024-52006.patch \
           file://CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch \
+           file://CVE-2025-48384.patch \
           "
 S = "${WORKDIR}/git-${PV}"

diff --git a/meta/recipes-devtools/git/git/CVE-2025-48384.patch b/meta/recipes-devtools/git/git/CVE-2025-48384.patch new file mode 100644 index 0000000000..6c21a3c352 --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2025-48384.patch
@@ -0,0 +1,85 @@
		1	From 05e9cd64ee23bbadcea6bcffd6660ed02b8eab89 Mon Sep 17 00:00:00 2001
		2	From: Justin Tobler <jltobler@gmail.com>
		3	Date: Mon, 19 May 2025 21:26:04 -0500
		4	Subject: [PATCH] config: quote values containing CR character
		5
		6	When reading the config, values that contain a trailing CRLF are
		7	stripped. If the value itself has a trailing CR, the normal LF that
		8	follows results in the CR being unintentionally stripped. This may lead
		9	to unintended behavior due to the config value written being different
		10	when it gets read.
		11
		12	One such issue involves a repository with a submodule path containing a
		13	trailing CR. When the submodule gets initialized, the submodule is
		14	cloned without being checked out and has "core.worktree" set to the
		15	submodule path. The git-checkout(1) that gets spawned later reads the
		16	"core.worktree" config value, but without the trailing CR, and
		17	consequently attempts to checkout to a different path than intended.
		18
		19	If the repository contains a matching path that is a symlink, it is
		20	possible for the submodule repository to be checked out in arbitrary
		21	locations. This is extra bad when the symlink points to the submodule
		22	hooks directory and the submodule repository contains an executable
		23	"post-checkout" hook. Once the submodule repository checkout completes,
		24	the "post-checkout" hook immediately executes.
		25
		26	To prevent mismatched config state due to misinterpreting a trailing CR,
		27	wrap config values containing CR in double quotes when writing the
		28	entry. This ensures a trailing CR is always separated for an LF and thus
		29	prevented from getting stripped.
		30
		31	Note that this problem cannot be addressed by just quoting each CR with
		32	"\r". The reading side of the config interprets only a few backslash
		33	escapes, and "\r" is not among them. This fix is sufficient though
		34	because it only affects the CR at the end of a line and any literal CR
		35	in the interior is already preserved.
		36
		37	Co-authored-by: David Leadbeater <dgl@dgl.cx>
		38	Signed-off-by: Justin Tobler <jltobler@gmail.com>
		39	Signed-off-by: Taylor Blau <me@ttaylorr.com>
		40
		41	CVE: CVE-2025-48384
		42
		43	Upstream-Status: Backport [https://github.com/git/git/commit/05e9cd64ee23bbadcea6bcffd6660ed02b8eab89]
		44
		45	Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
		46	---
		47	config.c \| 2 +-
		48	t/t1300-config.sh \| 10 ++++++++++
		49	2 files changed, 11 insertions(+), 1 deletion(-)
		50
		51	diff --git a/config.c b/config.c
		52	index 6a01938..4fbff51 100644
		53	--- a/config.c
		54	+++ b/config.c
		55	@@ -2756,7 +2756,7 @@ static ssize_t write_pair(int fd, const char key, const char value,
		56	if (value[0] == ' ')
		57	quote = "\"";
		58	for (i = 0; value[i]; i++)
		59	- if (value[i] == ';' \|\| value[i] == '#')
		60	+ if (value[i] == ';' \|\| value[i] == '#' \|\| value[i] == '\r')
		61	quote = "\"";
		62	if (i && value[i - 1] == ' ')
		63	quote = "\"";
		64	diff --git a/t/t1300-config.sh b/t/t1300-config.sh
		65	index b07feb1..49f4971 100755
		66	--- a/t/t1300-config.sh
		67	+++ b/t/t1300-config.sh
		68	@@ -2417,5 +2417,15 @@ test_expect_success '--get and --get-all with --fixed-value' '
		69	git config --file=config --get-regexp --fixed-value fixed+ "$META" &&
		70	test_must_fail git config --file=config --get-regexp --fixed-value fixed+ non-existent
		71	'
		72	+test_expect_success 'writing value with trailing CR not stripped on read' '
		73	+ test_when_finished "rm -rf cr-test" &&
		74	+
		75	+ printf "bar\r\n" >expect &&
		76	+ git init cr-test &&
		77	+ git -C cr-test config set core.foo $(printf "bar\r") &&
		78	+ git -C cr-test config get core.foo >actual &&
		79	+
		80	+ test_cmp expect actual
		81	+'
		82
		83	test_done
		84	--
		85	2.40.0


diff --git a/meta/recipes-devtools/git/git_2.35.7.bb b/meta/recipes-devtools/git/git_2.35.7.bb index 3520b4db90..2079c3ddc8 100644 --- a/meta/recipes-devtools/git/git_2.35.7.bb +++ b/meta/recipes-devtools/git/git_2.35.7.bb
@@ -27,6 +27,7 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
27	file://CVE-2024-50349-0002.patch \	27	file://CVE-2024-50349-0002.patch \
28	file://CVE-2024-52006.patch \	28	file://CVE-2024-52006.patch \
29	file://CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch \	29	file://CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch \
		30	file://CVE-2025-48384.patch \
30	"	31	"
31		32
32	S = "${WORKDIR}/git-${PV}"	33	S = "${WORKDIR}/git-${PV}"