File _patchinfo of Package patchinfo.40377

<patchinfo incident="40377">
  <issue tracker="bnc" id="1245938">VUL-0: CVE-2025-27613: git: arbitrary writable file creation and truncation in Gitk</issue>
  <issue tracker="bnc" id="1245939">VUL-0: CVE-2025-27614: git: arbitrary script execution via repo clonation in gitk</issue>
  <issue tracker="bnc" id="1245942">VUL-0: CVE-2025-46835: git: untrusted repository cloning can lead to arbitrary writable file creation in Git GUI</issue>
  <issue tracker="bnc" id="1245943">VUL-0: CVE-2025-48384: git: script may be unintentionally executed after checkout due to CRLF transforming</issue>
  <issue tracker="bnc" id="1245946">VUL-0: CVE-2025-48385: git: arbitrary code execution due to protocol injection via fetching advertised bundle</issue>
  <issue tracker="cve" id="2025-27613"/>
  <issue tracker="cve" id="2025-27614"/>
  <issue tracker="cve" id="2025-46835"/>
  <issue tracker="cve" id="2025-48384"/>
  <issue tracker="cve" id="2025-48385"/>
  <issue tracker="jsc" id="PED-13447"/>
  <packager>ateixeira</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for git</summary>
  <description>This update for git fixes the following issues:

Updated to 2.43.7 (jsc#PED-13447):

- CVE-2025-27613: Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938)
- CVE-2025-27614: Fixed arbitrary script execution via repository cloning in Gitk (bsc#1245939)
- CVE-2025-46835: Fixed arbitrary writable file creation via cloning of untrusted repositories in Git GUI (bsc#1245942)
- CVE-2025-48384: Fixed arbitrary writable file creation when cloning untrusted repositories with submodules
  using the --recursive flag (bsc#1245943)
- CVE-2025-48385: Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946)

Other fixes:

- Drop the git-credential-gnome-keyring package as it was dropped upstream;
  use git-credential-libsecret instead
- git-add--interactive was removed upstream in favor of the built-in implementation,
  which was already the default in SLE.
</description>
</patchinfo>