From: Jinfeng Wang <jinfeng.wang.cn@windriver•com>
To: git@vger•kernel.org
Subject: question about affected version of CVE-2025-48385
Date: Wed, 7 Jan 2026 13:36:20 +0800
Message-ID: <44c4e575-bf5c-45a4-8035-ad4007e95fe3@windriver.com>

Hi all,

For this CVE https://nvd.nist.gov/vuln/detail/CVE-2025-48385,
Affected versions listed in
https://github.com/git/git/security/advisories/GHSA-m98c-vgpc-9655:

Affected versions
v2.50.0, v2.49.0, v2.48.0-v2.48.1, v2.47.0–v2.47.2, v2.46.0–v2.46.3,
v2.45.0-v2.45.3, v2.44.0–v2.44.3, v2.43.6 and prior

But I see the fix is for bundle-uri:

git log --grep="CVE-2025-48385"

commit d2bc61fcabd6cfa582d286bed1ce20d5d7c58d52
Merge: d61cfed2c2 35cb1bb0b9
Author: Taylor Blau <me@ttaylorr•com>
Date:   Wed May 28 12:53:52 2025 -0400

    Merge branch 'ps/bundle-uri-arbitrary-writes' into maint-2.43

    This merges in the fix for CVE-2025-48385.

    * ps/bundle-uri-arbitrary-writes:
      bundle-uri: fix arbitrary file writes via parameter injection

But bundle-uri was added in v2.38.0, so versions before v2.38.0 are not
affected. Is that right?

Regards,
Jinfeng