MinGit for Windows 2.47.3

Pre-release
gitforwindowshelper released this 08 Jul 17:50
v2.47.3.windows.1

Changes since Git for Windows v2.47.1(2) (January 14th 2025)

This is a security fix release, addressing CVE-2024-50349, CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.

New Features

Bug Fixes

  • CVE-2025-27613, Gitk:
    When a user clones an untrusted repository and runs Gitk without
    additional command arguments, any writable file can be created and
    truncated. The option "Support per-file encoding" must have been
    enabled. The operation "Show origin of this line" is affected as
    well, regardless of the option being enabled or not.
  • CVE-2025-27614, Gitk:
    A Git repository can be crafted in such a way that a user who has
    cloned the repository can be tricked into running any script
    supplied by the attacker by invoking gitk filename, where
    filename has a particular structure.
  • CVE-2025-46334, Git GUI (Windows only):
    A malicious repository can ship versions of sh.exe or typical
    textconv filter programs such as astextplain. On Windows, path
    lookup can find such executables in the worktree. These programs
    are invoked when the user selects "Git Bash" or "Browse Files" from
    the menu.
  • CVE-2025-46835, Git GUI:
    When a user clones an untrusted repository and is tricked into
    editing a file located in a maliciously named directory in the
    repository, then Git GUI can create and overwrite any writable
    file.
  • CVE-2025-48384, Git:
    When reading a config value, Git strips any trailing carriage
    return and line feed (CRLF). When writing a config entry, values
    with a trailing CR are not quoted, causing the CR to be lost when
    the config is later read. When initializing a submodule, if the
    submodule path contains a trailing CR, the altered path is read
    resulting in the submodule being checked out to an incorrect
    location. If a symlink exists that points the altered path to the
    submodule hooks directory, and the submodule contains an executable
    post-checkout hook, the script may be unintentionally executed
    after checkout.
  • CVE-2025-48385, Git:
    When cloning a repository, Git can optionally fetch a bundle
    advertised by the remote server, which allows the server side to
    offload parts of the clone to a CDN. The Git client does not
    perform sufficient validation of the advertised bundles, which
    allows the remote side to perform protocol injection.
    This protocol injection can cause the client to write the fetched
    bundle to a location controlled by the adversary. The fetched
    content is fully controlled by the server, which can in the worst
    case lead to arbitrary code execution.
  • CVE-2025-48386, Git:
    The wincred credential helper uses a static buffer (target) as a
    unique key for storing and comparing against internal storage. This
    credential helper does not properly bounds check the available
    space remaining in the buffer before appending to it with
    wcsncat(), leading to potential buffer overflows.
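The CVE-2025-48384 entry above describes a read/write asymmetry: the reader strips a trailing CR/LF from every value, but the writer only quotes values on certain characters, so a value ending in CR is written bare and comes back altered. The following is an added, deliberately simplified model of that asymmetry, not Git's own config code; the function names, the quoting rules and the sample entries are assumptions made for illustration. It places the lossy writer beside a hardened one that also quotes on CR, and includes the round-trip check a maintainer would use to catch values that do not survive a write/read cycle.

```python
"""Simplified model (added example, not Git's implementation) of the config
write/read asymmetry behind CVE-2025-48384."""

from typing import Callable, Dict, List

# Characters escaped inside a config value when written.
_ESCAPES = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\t": "\\t"}
_UNESCAPES = {"n": "\n", "t": "\t"}


def _escape(value: str) -> str:
    return "".join(_ESCAPES.get(c, c) for c in value)


def _unescape(body: str) -> str:
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            out.append(_UNESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def read_value(line: str) -> str:
    """Parse one written value line as the simplified reader would.

    The trailing CR/LF is always stripped (the behaviour the advisory
    describes). A double-quoted value keeps its contents literally; an
    unquoted value additionally loses trailing blanks.
    """
    line = line.rstrip("\r\n")
    if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
        return _unescape(line[1:-1])
    return _unescape(line.rstrip(" \t"))


def write_value_vulnerable(value: str) -> str:
    """Lossy writer: quotes on leading/trailing blanks and on ';' or '#',
    but not on a carriage return, so 'sub\\r' is written as 'sub\\r\\n'."""
    needs_quote = value != value.strip(" \t") or any(c in value for c in ";#")
    body = _escape(value)
    return f'"{body}"\n' if needs_quote else body + "\n"


def write_value_hardened(value: str) -> str:
    """Hardened writer: additionally quotes any value containing a CR, so the
    reader's CR/LF stripping stops at the closing quote."""
    needs_quote = (
        value != value.strip(" \t")
        or any(c in value for c in ";#")
        or "\r" in value
    )
    body = _escape(value)
    return f'"{body}"\n' if needs_quote else body + "\n"


def round_trips(writer: Callable[[str], str], value: str) -> bool:
    """True if a value survives write-then-read unchanged."""
    return read_value(writer(value)) == value


def find_lossy(entries: Dict[str, str], writer: Callable[[str], str]) -> List[str]:
    """Return the keys whose values would be altered by a write/read cycle.

    This is the check a maintainer can run over a proposed set of entries
    (for example submodule paths) before trusting them on disk.
    """
    return [key for key, value in entries.items() if not round_trips(writer, value)]


if __name__ == "__main__":
    # Constructed sample entries; "sub\r" models a submodule path ending in CR.
    sample = {"submodule.x.path": "sub\r", "user.name": "Alice"}
    print("lossy with vulnerable writer:", find_lossy(sample, write_value_vulnerable))
    print("lossy with hardened writer:  ", find_lossy(sample, write_value_hardened))
```

With the vulnerable writer the submodule path comes back as "sub", which is the altered path the advisory says the checkout then uses; with the hardened writer the CR is preserved inside quotes and the round-trip check reports nothing.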

Filename                          SHA-256
MinGit-2.47.3-64-bit.zip          033b94947b64c53442feefc4fdb0e66dc0ee619904a559627a952336e7a62e31
MinGit-2.47.3-arm64.zip           4aae1a69de2f029a10438ccd9fa4bf9572b0bcf6f6c6be884f4d2e0acbbaa3aa
MinGit-2.47.3-32-bit.zip          969c2fd5727cd347775b4956e8c344b5decdf23651f4aa558bd0a91aa9562964
MinGit-2.47.3-busybox-64-bit.zip  1c7f90eae02c8d1936fb88d84149430a41d81569f9751eb8faa11b0a972cc202
MinGit-2.47.3-busybox-32-bit.zip  407a57301e5c5f8d9d8c139c6b6cf9458ee5e88bc3b7233fccfe5ec86356cdfd