FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2025-07-24 16:49:09 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
3445e4b6-d2b8-11ef-9ff3-43c2b5d6c4c8	git -- multiple vulnerabilities Git development team reports: CVE-2024-50349: Printing unsanitized URLs when asking for credentials made the user susceptible to crafted URLs (e.g. in recursive clones) that mislead the user into typing in passwords for trusted sites that would then be sent to untrusted sites instead. CVE-2024-52006: Git may pass on Carriage Returns via the credential protocol to credential helpers which use line-reading functions that interpret said Carriage Returns as line endings, even though Git did not intend that. Discovery 2024-10-29 Entry 2025-01-14 git git-cvs git-gui git-p4 git-svn < 2.48.1 CVE-2024-50349 https://github.com/git/git/security/advisories/GHSA-hmg8-h7qf-7cxr CVE-2024-52006 https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp
2a4472ed-5c0d-11f0-b991-291fce777db8	git -- multiple vulnerabilities Git development team reports: CVE-2025-27613: Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not. CVE-2025-27614: Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking `gitk filename`, where `filename` has a particular structure. CVE-2025-46835: Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file. CVE-2025-48384: Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. CVE-2025-48385: Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. CVE-2025-48386: Git: The wincred credential helper uses a static buffer (`target`) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with `wcsncat()`, leading to potential buffer overflows. Discovery 2025-04-11 Entry 2025-07-08 git git-cvs git-gui git-p4 git-svn < 2.50.1 CVE-2025-27613 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27613 CVE-2025-27614 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27614 CVE-2025-46835 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46835 CVE-2025-48384 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48384 CVE-2025-48385 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48385 CVE-2025-48386 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48386

VuXML ID

Description

3445e4b6-d2b8-11ef-9ff3-43c2b5d6c4c8

git -- multiple vulnerabilities

Git development team reports:

CVE-2024-50349: Printing unsanitized URLs when asking for credentials made the user susceptible to crafted URLs (e.g. in recursive clones) that mislead the user into typing in passwords for trusted sites that would then be sent to untrusted sites instead.

CVE-2024-52006: Git may pass on Carriage Returns via the credential protocol to credential helpers which use line-reading functions that interpret said Carriage Returns as line endings, even though Git did not intend that.

Discovery 2024-10-29
Entry 2025-01-14
git
git-cvs
git-gui
git-p4
git-svn

< 2.48.1

CVE-2024-50349
https://github.com/git/git/security/advisories/GHSA-hmg8-h7qf-7cxr
CVE-2024-52006
https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp

2a4472ed-5c0d-11f0-b991-291fce777db8

git -- multiple vulnerabilities

Git development team reports:

CVE-2025-27613: Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not.

CVE-2025-27614: Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking `gitk filename`, where `filename` has a particular structure.

CVE-2025-46835: Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file.

CVE-2025-48384: Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout.

CVE-2025-48385: Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution.

CVE-2025-48386: Git: The wincred credential helper uses a static buffer (`target`) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with `wcsncat()`, leading to potential buffer overflows.

Discovery 2025-04-11
Entry 2025-07-08
git
git-cvs
git-gui
git-p4
git-svn

< 2.50.1

CVE-2025-27613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27613
CVE-2025-27614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27614
CVE-2025-46835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46835
CVE-2025-48384
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48384
CVE-2025-48385
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48385
CVE-2025-48386
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48386