Skip to content

Bump dulwich from 1.2.4 to 1.2.5#166

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/dulwich-1.2.5
Open

Bump dulwich from 1.2.4 to 1.2.5#166
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/dulwich-1.2.5

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github May 28, 2026

Bumps dulwich from 1.2.4 to 1.2.5.

Release notes

Sourced from dulwich's releases.

dulwich 1.2.5

This is a security release. All users are encouraged to upgrade.

Security fixes

  • GHSA-gfhv-vqv2-4544 -- Validate submodule paths in porcelain.submodule_update (and thus porcelain.clone(recurse_submodules=True)). A crafted upstream repository could carry a submodule whose path was .git/hooks (or any other path inside .git or above the work tree), causing the submodule's tree contents to be written there with their executable bits intact. The dulwich analogue of git's CVE-2024-32002 / CVE-2024-32004. (Reported by tonghuaroot)

  • CVE-2026-42305 -- Harden tree path validation against entry names that are harmless on POSIX but dangerous when checked out on Windows. validate_path_element_ntfs now also rejects Windows path separators, the alternate data stream marker :, NTFS 8.3 short-name aliases of .git, and reserved Windows device names. core.protectNTFS now defaults to true on every platform, and both core.protectNTFS and core.protectHFS are now read under their correct option names. (Reported by Christopher Toth)

  • CVE-2026-42563 -- Shell-quote values substituted into ProcessMergeDriver commands. A malicious branch could inject shell commands when a merge driver referencing %P was configured. (Reported by Ravishanker Kusuma (hayageek))

  • CVE-2026-47712 -- Sanitize commit subjects used in porcelain.format_patch filenames so a malicious subject (e.g. x/../../x) cannot direct the generated patch outside outdir. (Reported by Christopher Toth)

  • receive.maxInputSize -- Honour receive.maxInputSize in ReceivePackHandler. Previously a remote unauthenticated client could send a tiny crafted pack that declared a huge dest_size and trigger hundreds of MB of allocation over git-receive-pack. (Reported by Liyi, Ziyue, Strick, Maurice and Chenchen @ University of Sydney)

Changelog

Sourced from dulwich's changelog.

1.2.5 2026-05-28

  • SECURITY(GHSA-gfhv-vqv2-4544): Validate submodule paths in porcelain.submodule_update (and thus porcelain.clone(recurse_submodules=True)). A crafted upstream repository could carry a submodule whose path was .git/hooks (or any other path inside .git or above the work tree), causing the submodule's tree contents to be written there with their executable bits intact -- dropping a hook that later commands would run. Submodule paths are now rejected if they are absolute or carry a component that the configured path validator refuses, and the submodule's own tree is materialized with the same validator. This is the dulwich analogue of git's CVE-2024-32002 / CVE-2024-32004. (Jelmer Vernooij; reported by tonghuaroot)

  • SECURITY(CVE-2026-42305): Harden tree path validation against entry names that are harmless on POSIX but dangerous when checked out on Windows. A crafted tree could previously carry such names through to the work tree. validate_path_element_ntfs now also rejects:

    • Windows path separators, so an entry named .git\hooks\pre-commit.exe can no longer materialize a file inside .git that Git for Windows would execute.
    • The alternate data stream marker : (e.g. .git::$INDEX_ALLOCATION, which writes into .git directly).
    • NTFS 8.3 short-name aliases of .git (git~<digits>); only git~1 was rejected before.
    • Reserved Windows device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), including with an extension or trailing dots/spaces such as NUL.txt or COM1 .bar.

    In addition, core.protectNTFS now defaults to true on every platform (matching git after CVE-2019-1353), so a POSIX clone no longer accepts paths that would be unsafe on a later Windows clone, and both core.protectNTFS and core.protectHFS are now read under their correct option names, having previously been silently ignored. POSIX users who need literal NTFS-unsafe filenames can opt out with core.protectNTFS=false. (Jelmer Vernooij; reported by Christopher Toth)

  • SECURITY (CVE-2026-42563): Shell-quote values substituted into ProcessMergeDriver commands. %P is a path from the git tree, so a malicious branch could inject shell commands when the user had a merge driver configured that referenced %P. (Jelmer Vernooij; reported by Ravishanker Kusuma (hayageek))

  • SECURITY(CVE-2026-47712): Sanitize commit subjects used in porcelain.format_patch filenames so a malicious subject (e.g. x/../../x) cannot direct the generated patch outside outdir. get_summary now matches git's format_sanitized_subject.

... (truncated)

Commits
  • 073f4df Release 1.2.5
  • 5f85d3e tests: fix Windows-only failures in NTFS and merge-driver tests
  • 25313ad Merge branch 'advisory-5'
  • 1ca1814 submodule: Reject unsafe submodule paths in submodule_update
  • 3559ef1 Merge branch 'advisory-4'
  • f860ca4 server: Honour receive.maxInputSize to bound received packs
  • 0fd6e6b Merge branch 'advisory-3'
  • 0110b88 Merge branch 'advisory-2'
  • 49eb56e Add NEWS entry for CVE-2026-42305
  • 57efc4a Merge branch 'advisory-1'
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump dulwich from 1.2.4 to 1.2.5
a2c6aa0 
Bumps [dulwich](https://github.com/dulwich/dulwich) from 1.2.4 to 1.2.5.
- [Release notes](https://github.com/dulwich/dulwich/releases)
- [Changelog](https://github.com/jelmer/dulwich/blob/main/NEWS)
- [Commits](jelmer/dulwich@dulwich-1.2.4...dulwich-1.2.5)

---
updated-dependencies:
- dependency-name: dulwich
  dependency-version: 1.2.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels May 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants