diff options
author | Johannes Schindelin <johannes.schindelin@gmx.de> | 2022-03-17 10:57:37 +0100 |
---|---|---|
committer | Johannes Schindelin <johannes.schindelin@gmx.de> | 2022-03-24 00:31:28 +0100 |
commit | 201b0c7af6cad52cf6f0cfc46bd48201a23f6224 (patch) | |
tree | 547fbd4dbd137b196be7ae2a1be1352ea6c1ed6d /Documentation | |
parent | Git 2.32 (diff) | |
parent | Git 2.31.2 (diff) | |
download | tgif-201b0c7af6cad52cf6f0cfc46bd48201a23f6224.tar.xz |
Sync with 2.31.2
* maint-2.31:
Git 2.31.2
Git 2.30.3
setup_git_directory(): add an owner check for the top-level directory
Add a function to determine whether a path is owned by the current user
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/RelNotes/2.30.3.txt | 24 | ||||
-rw-r--r-- | Documentation/RelNotes/2.31.2.txt | 6 | ||||
-rw-r--r-- | Documentation/config.txt | 2 | ||||
-rw-r--r-- | Documentation/config/safe.txt | 21 |
4 files changed, 53 insertions, 0 deletions
diff --git a/Documentation/RelNotes/2.30.3.txt b/Documentation/RelNotes/2.30.3.txt new file mode 100644 index 0000000000..31b2a4daa6 --- /dev/null +++ b/Documentation/RelNotes/2.30.3.txt @@ -0,0 +1,24 @@ +Git v2.30.2 Release Notes +========================= + +This release addresses the security issue CVE-2022-24765. + +Fixes since v2.30.2 +------------------- + + * Build fix on Windows. + + * Fix `GIT_CEILING_DIRECTORIES` with Windows-style root directories. + + * CVE-2022-24765: + On multi-user machines, Git users might find themselves + unexpectedly in a Git worktree, e.g. when another user created a + repository in `C:\.git`, in a mounted network drive or in a + scratch space. Merely having a Git-aware prompt that runs `git + status` (or `git diff`) and navigating to a directory which is + supposedly not a Git worktree, or opening such a directory in an + editor or IDE such as VS Code or Atom, will potentially run + commands defined by that other user. + +Credit for finding this vulnerability goes to 俞晨东; The fix was +authored by Johannes Schindelin. diff --git a/Documentation/RelNotes/2.31.2.txt b/Documentation/RelNotes/2.31.2.txt new file mode 100644 index 0000000000..aa13a5b022 --- /dev/null +++ b/Documentation/RelNotes/2.31.2.txt @@ -0,0 +1,6 @@ +Git v2.31.2 Release Notes +========================= + +This release merges up the fixes that appear in v2.30.3 to address +the security issue CVE-2022-24765; see the release notes for that +version for details. diff --git a/Documentation/config.txt b/Documentation/config.txt index bf82766a6a..a1efd744cd 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -440,6 +440,8 @@ include::config/rerere.txt[] include::config/reset.txt[] +include::config/safe.txt[] + include::config/sendemail.txt[] include::config/sequencer.txt[] diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt new file mode 100644 index 0000000000..63597b2df8 --- /dev/null +++ b/Documentation/config/safe.txt @@ -0,0 +1,21 @@ +safe.directory:: + These config entries specify Git-tracked directories that are + considered safe even if they are owned by someone other than the + current user. By default, Git will refuse to even parse a Git + config of a repository owned by someone else, let alone run its + hooks, and this config setting allows users to specify exceptions, + e.g. for intentionally shared repositories (see the `--shared` + option in linkgit:git-init[1]). ++ +This is a multi-valued setting, i.e. you can add more than one directory +via `git config --add`. To reset the list of safe directories (e.g. to +override any such directories specified in the system config), add a +`safe.directory` entry with an empty value. ++ +This config setting is only respected when specified in a system or global +config, not when it is specified in a repository config or via the command +line option `-c safe.directory=<path>`. ++ +The value of this setting is interpolated, i.e. `~/<path>` expands to a +path relative to the home directory and `%(prefix)/<path>` expands to a +path relative to Git's (runtime) prefix. |