Hi! I don't think I view this as a vulnerability, but I think the topic is rather interesting and it seems like the audience here might be interested in it and/or take another view on whether it is a problem.
Michael Stapelberg posted on Mastodon [0] the following:

> PSA: Did you know that it’s **unsafe** to put code diffs into your commit
> messages?
>
> Like https://github.com/i3/i3/pull/6564 for example
>
> Such diffs will be applied by patch(1) (also git-am(1)) as part of the code
> change!
>
> This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.

I see Florian has sent a patch to patch(1) for this, to implement --no-dedent [1].

But git-am(1) does the same: there's also a discussion ongoing over at the git mailing list [2].

I think at the very least, this is rather surprising. I've run into it a handful of times when applying a patch to gentoo.git where the commit message includes some diff that someone used for debugging, but in those cases, the diff was always to file(s) not in the repository (but a patch to be applied to the *package*'s source code), hence it was just an annoyance and resulted in the patch just not applying.

(Similarly, it does remind me a little of how patch fuzz can lead to genuine problems and is often dismissed as noise, but e.g. you could easily get a double free from it. A patch applying is not always a good thing.)

[0] https://mas.to/@zekjur/116022397626943871
[1] https://lists.gnu.org/archive/html/bug-patch/2026-02/msg00000.html
[2] https://lore.kernel.org/git/bcqvh7ahjjgzpgxwnr4kh3hfkksfruf54refyry3ha7qk7dldf@fij5calmscvm/

Anyway, I hope this is of some value to readers,
sam
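As an added example (not part of the post above, nor code from patch(1) or git), a pre-apply check that flags diff syntax sitting inside the commit-message part of a format-patch mail, i.e. before the bare `---` separator that git puts ahead of the diffstat. The handling of a `> ` quote prefix and the sample mail are assumptions constructed for this check.

```python
import re

# Lines that patch(1) and git-am(1) treat as the start of a diff. An optional
# "> " quote prefix is stripped first (an assumption: pasted diffs in commit
# messages often arrive quoted from an e-mail or review comment).
DIFF_LINE = re.compile(
    r'^(?:>\s?)*(?:diff --git |--- \S|\+\+\+ \S|@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@)')
# git format-patch ends the commit message with a bare "---" before the diffstat.
MESSAGE_END = re.compile(r'^---\s*$')


def find_diff_in_message(patch_text):
    """Return (line_number, line) for every diff-looking line inside the commit
    message part of a format-patch mail, i.e. before the first bare '---'."""
    findings = []
    for lineno, line in enumerate(patch_text.splitlines(), start=1):
        if MESSAGE_END.match(line):
            break  # the intended diff starts here; stop scanning
        if DIFF_LINE.match(line):
            findings.append((lineno, line))
    return findings


# Constructed sample: a commit message that quotes a debugging diff, followed
# by the intended one-line change.
SAMPLE = """\
From: Example Dev <dev@example.org>
Subject: [PATCH] Fix startup race

While debugging I temporarily used this:

> --- a/src/main.c
> +++ b/src/main.c
> @@ -10,6 +10,7 @@
>  int main(void)
>  {
> +    sleep(1);
>      return run();
>  }

The actual fix follows.
---
diff --git a/src/main.c b/src/main.c
--- a/src/main.c
+++ b/src/main.c
@@ -10,6 +10,6 @@
"""

if __name__ == "__main__":
    for lineno, line in find_diff_in_message(SAMPLE):
        print(f"commit message line {lineno} looks like a diff: {line!r}")
```

Run it against `git format-patch` output before `git am` or `patch -p1`; any hit means the message body will be seen as part of the patch by tools that scan for hunk headers.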
