Source: git-lfs
Version: 3.6.1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for git-lfs.

CVE-2025-26625[0]:
| Git LFS is a Git extension for versioning large files. In Git LFS
| versions 0.5.2 through 3.7.0, when populating a Git repository's
| working tree with the contents of Git LFS objects, certain Git LFS
| commands may write to files visible outside the current Git working
| tree if symbolic or hard links exist which collide with the paths of
| files tracked by Git LFS. The git lfs checkout and git lfs pull
| commands do not check for symbolic links before writing to files in
| the working tree, allowing an attacker to craft a repository
| containing symbolic or hard links that cause Git LFS to write to
| arbitrary file system locations accessible to the user running these
| commands. As well, when the git lfs checkout and git lfs pull
| commands are run in a bare repository, they could write to files
| visible outside the repository. The vulnerability is fixed in
| version 3.7.1. As a workaround, support for symlinks in Git may be
| disabled by setting the core.symlinks configuration option to false,
| after which further clones and fetches will not create symbolic
| links. However, any symbolic or hard links in existing repositories
| will still provide the opportunity for Git LFS to write to their
| targets.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-26625
    https://www.cve.org/CVERecord?id=CVE-2025-26625
[1] https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
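The class of check the advisory says was missing (refusing to write through a symlink or hard link that collides with an LFS-tracked path), as an added Go example that is not git-lfs code and not part of the bug report. SafeWorkTreePath is a hypothetical name; the hard-link count uses syscall.Stat_t and so assumes a Unix-like system.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrUnsafePath marks an index path that must not be written through.
var ErrUnsafePath = errors.New("unsafe working-tree path")

// SafeWorkTreePath reports whether relPath (as recorded in the Git index) can be
// written under root without reaching outside it: it must not climb above root, no
// component may be a symlink, and an existing final file must be a regular file with
// a single hard link. Components that do not exist yet are fine: the write creates them.
func SafeWorkTreePath(root, relPath string) error {
	clean := filepath.Clean(relPath)
	if filepath.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return fmt.Errorf("%w: %q climbs above the working tree", ErrUnsafePath, relPath)
	}
	cur := root
	parts := strings.Split(clean, string(filepath.Separator))
	for i, part := range parts {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur) // Lstat inspects the entry itself and never follows a link
		if errors.Is(err, os.ErrNotExist) {
			return nil
		} else if err != nil {
			return err
		}
		last := i == len(parts)-1
		if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%w: %q is a symbolic link", ErrUnsafePath, cur)
		} else if !last && !fi.IsDir() {
			return fmt.Errorf("%w: %q is not a directory", ErrUnsafePath, cur)
		} else if last && !fi.Mode().IsRegular() {
			return fmt.Errorf("%w: %q is not a regular file", ErrUnsafePath, cur)
		} else if st, ok := fi.Sys().(*syscall.Stat_t); last && ok && st.Nlink > 1 { // Unix-only link count
			return fmt.Errorf("%w: %q has another hard link", ErrUnsafePath, cur)
		}
	}
	return nil
}

func main() { // usage: go run . <repo-root> <index-path>; prints <nil> when the path is safe
	fmt.Println(SafeWorkTreePath(os.Args[1], os.Args[2]))
}
```

Unlike the core.symlinks=false workaround, a per-write check like this also covers links that already exist in a clone made before the setting was changed.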

