Apply patch to fix CVE-2024-54132 (Closes: #1089120) (!2) · Merge requests · Debian Go Packaging Team / packages / gh

Loren M. Lang requested to merge penguin359/gh:debian/sid into debian/sid Jan 02, 2025

I am marking this as a draft for the moment as I haven't had a chance to do manual testing yet, but it does pass all automated tests. I am also working on the final CVE, but that one will take more time.

This validated the asset name being downloaded to be a valid filename. This is from the following upstream commits:

cdfc12caf52754ea4026d5338a56ad4e6f822105
e7c5706336d851b39930c7315132f89b25e77d4d
83cf41155646380d3df4037d3f2ac683147f194a
8da27d2c8ac8b781cf34a5e04ed57cfe4b68fa55

Apply patch to fix CVE-2024-54132 (Closes: #1089120)

Merge request reports