Package "git"

  git (1:2.48.1-0ubuntu1.1) plucky-security; urgency=medium

  * SECURITY UPDATE: Code execution and file manipulation when cloning
    malicious repositories.
    - debian/patches/CVE-2025-27613.patch: Add argument sanitizing and replace
      command instances with safe versions in gitk-git/gitk.
    - debian/patches/CVE-2025-27614.patch: Remove escape_filter_paths and wrap
      concat instances with list in gitk-git/gitk.
    - CVE-2025-27613
    - CVE-2025-27614
  * SECURITY UPDATE: File overwrite when editing a file in a malicious
    directory in an untrusted repository.
    - debian/patches/CVE-2025-46835-pre1.patch: Remove windows specific code
      in git-gui/git-gui.sh.
    - debian/patches/CVE-2025-46835.patch: Add argument sanitizing, replace
      command instances with safe versions, and wrap instances with list in
      git-gui/git-gui.sh and other files in git-gui directory.
    - CVE-2025-46835
  * SECURITY UPDATE: Unintentional script execution due to improperly stripped
    carriage return.
    - debian/patches/CVE-2025-48384.patch: Add carriage return checks in
      config.c.
    - CVE-2025-48384
  * SECURITY UPDATE: Protocol injection potentially leading to arbitrary code
    execution.
    - debian/patches/CVE-2025-48385.patch: Add URI and filename checks in
      bundle-uri.c.
    - CVE-2025-48385
  * SECURITY UPDATE: Buffer overflow.
    - debian/patches/CVE-2025-48386.patch: Add target_append function and
      change wcsncat calls to target_append in
      contrib/credential/wincred/git-credential-wincred.c.
    - CVE-2025-48386

 -- Hlib Korzhynskyy <email address hidden> Wed, 02 Jul 2025 16:12:01 -0230