Control: tags -1 pending
As previously stated on #debian-security, there are actually four
security issues here, fixed by consecutive upstream commits:
- This issue: generate_archive() allows file access via symlinks
CVE-2024-47515
- Similar issues in _update_file_in_git() (with symlinks)
https://bugzilla.redhat.com/show_bug.cgi?id=2280723
- ...and view_issue_raw_file() (with .. paths)
https://bugzilla.redhat.com/show_bug.cgi?id=2280726
- log() / view_history_file() interpreting filenames starting with - as
git options:
https://bugzilla.redhat.com/show_bug.cgi?id=2315805
(Those links refer to the other 3 as CVE-2024-47516, CVE-2024-4981,
CVE-2024-4982, but those aren't actually public CVEs.)
All 4 are fixed in the fix1091383 branch of salsa.debian.org/rnpalmer-guest/pagure,
but this package is as yet untested.
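An added illustration, not taken from this bug report, from Pagure itself, or from the fix1091383 branch: a Python sketch of the two checks the four issues above call for. The first is a path guard that fully resolves the repository root and the requested file (following symlinks and ".." components) and rejects anything that ends up outside the tree, which covers the generate_archive(), _update_file_in_git() and view_issue_raw_file() cases. The second is a git argv builder that places "--" before the user-supplied filename so a name beginning with "-" cannot be parsed as an option, the log() / view_history_file() case. The function names, the UnsafePath exception and the sample tree are assumptions made for the example.

```python
import os
import tempfile
from pathlib import Path

# Added example, not Pagure code: a path guard and a git argv builder of the
# kind the four issues above call for. All names here are hypothetical.


class UnsafePath(ValueError):
    """A user-supplied path would escape the repository tree."""


def resolve_in_repo(repo_root, user_path):
    """Return the real path of user_path inside repo_root, or raise UnsafePath.

    Both the root and the candidate are fully resolved (symlinks and '..'
    followed), so a symlink inside the tree pointing outside it, a '..'
    component, and an absolute path are all rejected the same way.
    """
    root = Path(repo_root).resolve()
    if os.path.isabs(user_path):
        raise UnsafePath("absolute path rejected: %r" % user_path)
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafePath("path escapes repository: %r" % user_path)
    return candidate


def git_log_argv(repo_root, user_path):
    """Build argv for 'git log' restricted to one file.

    The '--' separator makes git treat the following argument as a path
    even when the filename begins with '-', so a file named '-p' (or
    '--output=...') cannot be parsed as an option.
    """
    root = Path(repo_root).resolve()
    rel = resolve_in_repo(repo_root, user_path).relative_to(root)
    return ["git", "-C", str(root), "log", "--", str(rel)]


def make_sample_tree():
    """Constructed sample data: a fake repo tree with a regular file, a file
    literally named '-p', and a symlink pointing at a file outside the tree.
    Returns the repo directory path."""
    outside = Path(tempfile.mkdtemp(prefix="outside-"))
    (outside / "secret.txt").write_text("not for the web\n")
    repo = Path(tempfile.mkdtemp(prefix="repo-"))
    (repo / "README").write_text("hello\n")
    (repo / "-p").write_text("dash-named file\n")
    os.symlink(str(outside / "secret.txt"), str(repo / "link"))
    return str(repo)


def check(repo_root, user_path):
    """Classify one request as 'ok' or 'rejected'."""
    try:
        resolve_in_repo(repo_root, user_path)
        return "ok"
    except UnsafePath:
        return "rejected"


if __name__ == "__main__":
    repo = make_sample_tree()
    for req in ["README", "-p", "link", "../secret.txt", "/etc/passwd"]:
        print("%-16s %s" % (req, check(repo, req)))
    print(git_log_argv(repo, "-p"))
```

The guard resolves before comparing rather than string-matching for "..", so a symlink whose target is outside the tree is caught even though its name contains no traversal component; the argv builder only ever passes the guard's output, so the "--" fix and the path check are applied together rather than relying on callers to remember both.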