
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN426
_____________________________________________________________________

DATE                : 09/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Git versions prior to 2.50.1.

=====================================================================
https://github.blog/open-source/git/git-security-vulnerabilities-announced-6/
_____________________________________________________________________

Git security vulnerabilities announced

Today, the Git project released new versions to address seven
security vulnerabilities that affect all prior versions of Git.
Taylor Blau (@ttaylorr), July 8, 2025


Vulnerabilities in Git

CVE-2025-48384

When reading a configuration value, Git will strip any trailing
carriage return (CR) and line feed (LF) characters. When writing
a configuration value, however, Git does not quote trailing CR
characters, causing them to be lost when they are read later on.
When initializing a submodule whose path contains a trailing CR
character, the stripped path is used, causing the submodule to be
checked out in the wrong place.

If a symlink already exists between the stripped path and the
submodule’s hooks directory, an attacker can execute arbitrary
code through the submodule’s post-checkout hook.


CVE-2025-48385

When cloning a repository, Git can optionally fetch a bundle,
allowing the server to offload a portion of the clone to a CDN.
The Git client does not properly validate the advertised bundle(s),
allowing the remote side to perform protocol injection. When a
specially crafted bundle is advertised, the remote end can cause
the client to write the bundle to an arbitrary location, which
may lead to code execution similar to the previous CVE.


CVE-2025-48386 (Windows only)

When cloning from an authenticated remote, Git uses a credential
helper in order to authenticate the request. Git includes a handful
of credential helpers, including Wincred, which uses the Windows
Credential Manager to store its credentials.

Wincred uses the contents of a static buffer as a unique key to
store and retrieve credentials. However, it does not properly bounds
check the remaining space in the buffer, leading to potential
buffer overflows.


Vulnerabilities in Git GUI and Gitk

This release resolves four new CVEs related to Gitk and Git GUI. Both
tools are Tcl/Tk-based graphical interfaces used to interact with
Git repositories. Gitk is focused on showing a repository’s history,
whereas Git GUI focuses on making changes to existing repositories.


CVE-2025-27613 (Gitk)

When running Gitk in a specially crafted repository without additional
command-line arguments, Gitk can write and truncate arbitrary
writable files. The “Support per-file encoding” option must be enabled;
however, the operation of “Show origin of this line” is affected regardless.


CVE-2025-27614 (Gitk)

If a user is tricked into running gitk filename (where filename has a
particular structure), they may run arbitrary scripts supplied by the
attacker, leading to arbitrary code execution.


CVE-2025-46334 (Git GUI, Windows only)

If a malicious repository includes an executable sh.exe, or common
textconv programs (e.g., astextplain, exif, or ps2ascii), path
lookup on Windows may locate these executables in the working tree.
If a user running Git GUI in such a repository selects either the
“Git Bash” or “Browse Files” from the menu, these programs may be
invoked, leading to arbitrary code execution.


CVE-2025-46335 (Git GUI)

When a user is tricked into editing a file in a specially named
directory in an untrusted repository, Git GUI can create and
overwrite arbitrary writable files, similar to CVE-2025-27613.
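
Two of the attacks described above leave artefacts that can be checked for
before anyone runs git clone --recurse-submodules, Gitk or Git GUI against an
untrusted checkout: a submodule path carrying a trailing CR with a symlink
already waiting at the stripped location (CVE-2025-48384), and executables
planted in the working tree under the names Git GUI resolves through path
lookup on Windows (CVE-2025-46334). The following Python audit is an added
example for this note, not code from the Git project or GitHub. It models
Git's read-side CR/LF stripping only as the advisory describes it, the
set of Windows executable suffixes it considers is an assumption, and the
repository it is tested against is constructed in the test.

```python
"""Pre-flight audit of an untrusted checkout (added example, not Git code)."""
import os
import re
import sys
from pathlib import Path

CONTROL_CHARS = re.compile(rb"[\x00-\x1f\x7f]")

# Names Git GUI may resolve into the working tree on Windows (CVE-2025-46334).
# The advisory names only the tools; the suffix list is an assumption about
# what Windows path lookup will execute.
PLANTED_TOOLS = {"sh", "astextplain", "exif", "ps2ascii"}
EXEC_SUFFIXES = {"", ".exe", ".bat", ".cmd", ".com"}


def strip_like_git_config(value: bytes) -> bytes:
    """Model of the read-side behaviour the advisory describes for
    CVE-2025-48384: trailing CR and LF characters are dropped."""
    return value.rstrip(b"\r\n")


def parse_gitmodules(data: bytes) -> dict[str, dict[str, bytes]]:
    """Minimal raw-bytes .gitmodules parser that keeps stray CR characters so
    the raw path can be compared with what a stripping reader would use.
    Handles [submodule "name"] headers, key = value lines and double-quoted
    values; it is not a complete git-config parser."""
    newlines = data.count(b"\n")
    crlf_file = newlines > 0 and data.count(b"\r\n") == newlines
    sections: dict[str, dict[str, bytes]] = {}
    current = None
    for line in data.split(b"\n"):
        if crlf_file and line.endswith(b"\r"):
            line = line[:-1]  # uniform CRLF line endings are not the attack
        line = line.strip(b" \t")
        if not line or line[:1] in (b"#", b";"):
            continue
        header = re.match(rb'\[submodule "([^"]+)"\][ \t\r]*$', line)
        if header:
            current = header.group(1).decode("utf-8", "replace")
            sections[current] = {}
            continue
        if current is None or b"=" not in line:
            continue
        key, _, value = line.partition(b"=")
        value = value.strip(b" \t")
        if len(value) >= 2 and value.startswith(b'"') and value.endswith(b'"'):
            value = value[1:-1]  # quotes delimit the value; a CR inside survives
        sections[current][key.strip().lower().decode("utf-8", "replace")] = value
    return sections


def audit_gitmodules(data: bytes) -> list[str]:
    """Report submodule paths a CR/LF-stripping reader would silently shorten."""
    findings = []
    for name, keys in parse_gitmodules(data).items():
        raw = keys.get("path")
        if raw is None:
            continue
        if raw != strip_like_git_config(raw) or CONTROL_CHARS.search(raw):
            findings.append(f"submodule {name!r}: path {raw!r} would be read back as "
                            f"{strip_like_git_config(raw)!r} (CVE-2025-48384)")
    return findings


def audit_worktree(repo: Path) -> list[str]:
    """Walk the working tree (not .git itself): control characters in names,
    symlinks resolving into .git, executables named like tools Git GUI runs."""
    repo = repo.resolve()
    git_dir = repo / ".git"
    findings = []
    for dirpath, dirnames, filenames in os.walk(repo):
        dirnames[:] = [d for d in dirnames if Path(dirpath, d) != git_dir]
        for name in dirnames + filenames:
            p = Path(dirpath, name)
            rel = str(p.relative_to(repo))
            if CONTROL_CHARS.search(os.fsencode(name)):
                findings.append(f"{rel!r}: control characters in path component")
            if p.is_symlink():
                target = Path(os.path.realpath(p))
                if target == git_dir or git_dir in target.parents:
                    findings.append(f"{rel!r}: symlink into .git -> {str(target)!r}")
            stem, suffix = os.path.splitext(name.lower())
            if not p.is_dir() and stem in PLANTED_TOOLS and suffix in EXEC_SUFFIXES:
                findings.append(f"{rel!r}: executable named like a tool Git GUI runs "
                                "(CVE-2025-46334)")
    return findings


def audit_repo(repo: Path) -> list[str]:
    """Both checks, plus the completed CVE-2025-48384 chain: a CR-bearing
    submodule path whose stripped form already exists as a symlink."""
    repo = Path(repo)
    findings = audit_worktree(repo)
    gitmodules = repo / ".gitmodules"
    if gitmodules.is_file():
        data = gitmodules.read_bytes()
        findings += audit_gitmodules(data)
        for keys in parse_gitmodules(data).values():
            raw = keys.get("path")
            if raw is None:
                continue
            stripped = strip_like_git_config(raw)
            if stripped != raw and (repo / os.fsdecode(stripped)).is_symlink():
                findings.append(f"{os.fsdecode(stripped)!r}: stripped submodule path is a "
                                "symlink; the submodule would be checked out through it")
    return findings


if __name__ == "__main__":
    for finding in audit_repo(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(finding)
```

Run it with the checkout's path as the only argument; an empty result means
none of the artefacts above were found, not that the repository is safe, since
the index entries themselves are not inspected here.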



Upgrade to the latest Git version

The most effective way to protect against these vulnerabilities
is to upgrade to Git 2.50.1, the newest release containing fixes
for the aforementioned vulnerabilities. If you can’t upgrade
immediately, you can reduce your risk by doing the following:


  * Avoid running git clone with --recurse-submodules against
    untrusted repositories.
  * Disable auto-fetching of bundle URIs by setting the transfer.bundleURI
    configuration value to false.
  * Avoid using the wincred credential helper on Windows.
  * Avoid running Gitk and Git GUI in untrusted repositories.
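
The version requirement and the two configuration-based mitigations above can
be verified on a workstation from the output of `git --version` and
`git config --list --show-origin`. The following Python check is an added
example for this note, not Git project or GitHub code: the sample outputs
embedded in it are constructed, the 2.50.1 threshold is the one this note
gives, and the two behavioural mitigations (no --recurse-submodules, no Gitk
or Git GUI in untrusted repositories) are not checkable from configuration.

```python
"""Workstation check for the Git 2.50.1 advisory (added example, not Git code).
Driven by two real commands: `git --version` and `git config --list --show-origin`."""
import re
import subprocess
from typing import NamedTuple

FIXED_VERSION = (2, 50, 1)  # the release named in this advisory

# Git's spellings of a false boolean. An unset transfer.bundleURI defaults to
# false, so only an explicit non-false value is reported.
FALSE_VALUES = {"false", "0", "off", "no", ""}

# Constructed sample outputs standing in for a live git invocation.
SAMPLE_VERSION = "git version 2.47.1.windows.2"
SAMPLE_CONFIG = (
    "file:C:/Program Files/Git/etc/gitconfig\tcredential.helper=wincred\n"
    "file:C:/Users/alice/.gitconfig\tuser.name=Alice\n"
    "file:C:/Users/alice/.gitconfig\ttransfer.bundleuri=true\n"
    "file:.git/config\tcore.bare=false\n"
)


class Finding(NamedTuple):
    key: str
    origin: str
    problem: str
    fix: str


def parse_git_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from `git --version` output such as
    'git version 2.50.1', 'git version 2.47.1.windows.2' or
    'git version 2.39.5 (Apple Git-154)'. Vendor suffixes are ignored."""
    m = re.search(r"git version (\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised git version output: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_fixed(version: tuple[int, int, int]) -> bool:
    """True when the installed Git is 2.50.1 or later. A distribution build
    carrying the fix under an older version number (if any exists) would not
    be recognised; adjust the threshold for such a fleet."""
    return tuple(version) >= FIXED_VERSION


def parse_config_list(text: str) -> list[tuple[str, str, str]]:
    """Split `git config --list --show-origin` lines ('<origin>\\t<key>=<value>')
    into (origin, key, value). Git lowercases section and key names itself."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        origin, _, kv = line.partition("\t")
        key, _, value = kv.partition("=")
        entries.append((origin, key, value))
    return entries


def audit_config(text: str) -> list[Finding]:
    """Flag the two settings the interim mitigations control."""
    findings = []
    for origin, key, value in parse_config_list(text):
        if key == "transfer.bundleuri" and value.strip().lower() not in FALSE_VALUES:
            findings.append(Finding(
                key, origin,
                f"bundle-URI auto-fetch enabled ({value}); CVE-2025-48385 exposure",
                "git config --global transfer.bundleURI false, and unset any "
                "repository-level value, which would take precedence"))
        if key == "credential.helper" and "wincred" in value.lower():
            findings.append(Finding(
                key, origin,
                "wincred credential helper in use; CVE-2025-48386 exposure",
                "remove it at the scope shown in origin (e.g. git config --system "
                "--unset-all credential.helper) and choose another helper"))
    return findings


def report(version_text: str, config_text: str) -> dict:
    """Combine the version verdict and the configuration findings."""
    version = parse_git_version(version_text)
    return {"version": version, "fixed": is_fixed(version),
            "findings": audit_config(config_text)}


def run_live() -> dict:
    """Query git on this machine; fall back to the constructed samples
    when git is not on PATH so the example still runs offline."""
    try:
        ver = subprocess.run(["git", "--version"],
                             capture_output=True, text=True, check=True).stdout
        cfg = subprocess.run(["git", "config", "--list", "--show-origin"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        ver, cfg = SAMPLE_VERSION, SAMPLE_CONFIG
    return report(ver, cfg)


if __name__ == "__main__":
    result = run_live()
    state = "fixed" if result["fixed"] else "vulnerable, upgrade to 2.50.1"
    print("git %d.%d.%d: %s" % (*result["version"], state))
    for f in result["findings"]:
        print(f"- {f.key} from {f.origin}: {f.problem}\n    fix: {f.fix}")
```

Run it with no arguments on the machine being checked; each finding names
the configuration file it came from so the fix can be applied at the right
scope rather than masked by a lower-precedence override.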


In order to protect users against attacks related to these
vulnerabilities, GitHub has taken proactive steps. Specifically,
we have scheduled releases of GitHub Desktop, and GitHub Codespaces
and GitHub Actions will update their versions of Git shortly.
GitHub itself, including Enterprise Server, is unaffected by
these vulnerabilities.

CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386 were
discovered by David Leadbeater. Justin Tobler and Patrick
Steinhardt provided fixes for CVE-2025-48384 and CVE-2025-48385
respectively. The fix for CVE-2025-48386 is joint work
between Taylor Blau and Jeff King.

CVE-2025-46335 was found and fixed by Johannes Sixt. Mark
Levedahl discovered and fixed CVE-2025-46334. Avi Halachmi
discovered both CVE-2025-27613 and CVE-2025-27614, and fixed
the latter. CVE-2025-27613 was fixed by Johannes Sixt.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
