| Package | git | 
|---|---|
| Version | 1:2.11.0-3+deb9u13 (stretch), 1:2.20.1-2+deb10u11 (buster) | 
| Related CVEs | CVE-2025-27613 CVE-2025-46835 CVE-2025-48384 | 
Multiple vulnerabilities have been discovered in git, the distributed revision control system.
CVE-2025-27613
Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when
a user clones an untrusted repository and runs gitk without additional
command arguments, files for which the user has write permission can be
created and truncated.
CVE-2025-46835
Git GUI allows you to use the Git source control management tools via a GUI.
When a user clones an untrusted repository and is tricked into editing a
file located in a maliciously named directory in the repository, then Git
GUI can create and overwrite files for which the user has write permission.
CVE-2025-48384
When reading a config value, Git strips any trailing carriage return and line
feed (CRLF). When writing a config entry, values with a trailing CR are not
quoted, causing the CR to be lost when the config is later read. When
initializing a submodule, if the submodule path contains a trailing CR, the
altered path is read resulting in the submodule being checked out to an
incorrect location. If a symlink exists that points the altered path to the
submodule hooks directory, and the submodule contains an executable
post-checkout hook, the script may be unintentionally executed after checkout.
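As an added illustration (not git's own code), the following simplified Python model shows why the config round trip described above is lossy and how quoting a value with a trailing CR preserves it; it also scans a constructed .gitmodules for submodule paths carrying control characters, the check an administrator would want before initializing submodules from an untrusted clone. The quoted-value escape syntax and the reader are assumptions that approximate, not reproduce, git's config parser.

```python
import re

# Constructed sample .gitmodules: the second submodule's path ends in a bare
# carriage return, the shape described for CVE-2025-48384.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n\tpath = lib\n\turl = https://example.invalid/lib.git\n'
    '[submodule "evil"]\n\tpath = evil\r\n\turl = https://example.invalid/evil.git\n'
)

def read_value(raw_line: str) -> str:
    """Simplified reader: strip the trailing CR/LF, then honour a
    double-quoted value whose \\r, \\n, \\" and \\\\ escapes are restored
    (an assumed escape set, not git's exact grammar)."""
    raw = raw_line.rstrip("\r\n")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)",
                      lambda m: {"r": "\r", "n": "\n"}.get(m.group(1), m.group(1)),
                      raw[1:-1])
    return raw

def write_value_unquoted(value: str) -> str:
    """Pre-fix writer: a trailing CR is emitted bare, merges with the line
    ending, and is stripped on the next read, so the value silently changes."""
    return value + "\n"

def write_value_quoted(value: str) -> str:
    """Hardened writer: values containing CR or LF are quoted and escaped so
    the reader recovers exactly what was written."""
    if "\r" in value or "\n" in value:
        body = value.replace("\\", "\\\\").replace('"', '\\"')
        body = body.replace("\r", "\\r").replace("\n", "\\n")
        return f'"{body}"\n'
    return value + "\n"

def round_trips(value: str, writer) -> bool:
    """True if writing then reading the value gives it back unchanged."""
    return read_value(writer(value)) == value

# Greedy capture keeps a trailing CR in the path; $ stops before the LF.
SUBMODULE_PATH = re.compile(r"^[ \t]*path[ \t]*=[ \t]*(.*)$", re.M)

def suspicious_submodule_paths(gitmodules: str) -> list:
    """Report submodule paths containing control characters (CR included),
    operating on the raw text of .gitmodules before any stripping."""
    return [p for p in SUBMODULE_PATH.findall(gitmodules)
            if any(ord(c) < 0x20 or c == "\x7f" for c in p)]
```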
For Debian 10 buster, these problems have been fixed in version 1:2.20.1-2+deb10u11.
For Debian 9 stretch, these problems have been fixed in version 1:2.11.0-3+deb9u13.
We recommend that you upgrade your git packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.