update to 2.52.0

Resolves: RHEL-118147
2026-01-09 14:23:46 +01:00 · 2026-01-09 14:23:46 +01:00 · 2733c9e03e
commit 2733c9e03e
parent 5bc78c2ec0
6 changed files with 399 additions and 365 deletions
--- a/git-2.43.0-core-crypto-hmac.patch
+++ b/git-2.43.0-core-crypto-hmac.patch
@ -1,70 +0,0 @@
-diff -ur b/builtin/receive-pack.c a/builtin/receive-pack.c
--- b/builtin/receive-pack.c	2023-11-20 03:07:41.000000000 +0100
-+++ a/builtin/receive-pack.c	2023-12-06 15:34:28.294170714 +0100
-@@ -40,6 +40,8 @@
- #include "worktree.h"
- #include "shallow.h"
- #include "parse-options.h"
-+#include <openssl/hmac.h>	
-+#include <openssl/evp.h>
- 
- static const char * const receive_pack_usage[] = {
- 	N_("git receive-pack <git-dir>"),
-@@ -538,43 +540,11 @@
- 	return 0;
- }
- 
-static void hmac_hash(unsigned char *out,
-+static inline void hmac_hash(unsigned char *out,
- 		      const char *key_in, size_t key_len,
- 		      const char *text, size_t text_len)
- {
-	unsigned char key[GIT_MAX_BLKSZ];
-	unsigned char k_ipad[GIT_MAX_BLKSZ];
-	unsigned char k_opad[GIT_MAX_BLKSZ];
-	int i;
-	git_hash_ctx ctx;
-
-	/* RFC 2104 2. (1) */
-	memset(key, '\0', GIT_MAX_BLKSZ);
-	if (the_hash_algo->blksz < key_len) {
-		the_hash_algo->init_fn(&ctx);
-		the_hash_algo->update_fn(&ctx, key_in, key_len);
-		the_hash_algo->final_fn(key, &ctx);
-	} else {
-		memcpy(key, key_in, key_len);
-	}
-
-	/* RFC 2104 2. (2) & (5) */
-	for (i = 0; i < sizeof(key); i++) {
-		k_ipad[i] = key[i] ^ 0x36;
-		k_opad[i] = key[i] ^ 0x5c;
-	}
-
-	/* RFC 2104 2. (3) & (4) */
-	the_hash_algo->init_fn(&ctx);
-	the_hash_algo->update_fn(&ctx, k_ipad, sizeof(k_ipad));
-	the_hash_algo->update_fn(&ctx, text, text_len);
-	the_hash_algo->final_fn(out, &ctx);
-
-	/* RFC 2104 2. (6) & (7) */
-	the_hash_algo->init_fn(&ctx);
-	the_hash_algo->update_fn(&ctx, k_opad, sizeof(k_opad));
-	the_hash_algo->update_fn(&ctx, out, the_hash_algo->rawsz);
-	the_hash_algo->final_fn(out, &ctx);
-+	HMAC(EVP_sha1(), key_in, key_len, text, text_len, out, NULL);
- }
- 
- static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
-diff -ur b/Makefile a/Makefile
--- b/Makefile	2023-11-20 03:07:41.000000000 +0100
-+++ a/Makefile	2023-12-06 15:35:08.506316431 +0100
-@@ -2123,6 +2123,8 @@
- 	EXTLIBS += -lcrypto -lssl
- endif
- 
-+EXTLIBS += -lcrypto
-+
- ifneq ($(PROCFS_EXECUTABLE_PATH),)
- 	procfs_executable_path_SQ = $(subst ','\'',$(PROCFS_EXECUTABLE_PATH))
- 	BASIC_CFLAGS += '-DPROCFS_EXECUTABLE_PATH="$(procfs_executable_path_SQ)"'
--- a/git-2.47-sanitize-sideband-channel-messages.patch
+++ b/git-2.47-sanitize-sideband-channel-messages.patch
@ -1,219 +0,0 @@
-From 833c73801527b37d9bc725c81c6042ae350aaae3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Poho=C5=99elsk=C3=BD?= <opohorel@redhat.com>
-Date: Fri, 28 Mar 2025 13:26:29 +0100
-Subject: [PATCH] Adds the option to sanitize sideband channel messages
-
-CVE-2024-52005 wasn't fixed by upstream. This patch adds the option
-to harden Git against it.
-The default behaviour of Git remains unchanged.
-
-Changes are taken from Git for Windows. The only differences are that
-by default we are allowing all control characters, the documentation
-reflects it and one of the tests has to be invoked with a config
-change: `sideband.allowControlCharacters=color`
-
-These commits can also be seen in this upstream PR:
-https://github.com/gitgitgadget/git/pull/1853
---
- Documentation/config.txt            |  2 +
- Documentation/config/sideband.txt   | 16 ++++++
- sideband.c                          | 78 ++++++++++++++++++++++++++++-
- t/t5409-colorize-remote-messages.sh | 30 +++++++++++
- 4 files changed, 124 insertions(+), 2 deletions(-)
- create mode 100644 Documentation/config/sideband.txt
-
-diff --git a/Documentation/config.txt b/Documentation/config.txt
-index 8c0b3ed807..48870bb588 100644
--- a/Documentation/config.txt
-+++ b/Documentation/config.txt
-@@ -522,6 +522,8 @@ include::config/sequencer.txt[]
- 
- include::config/showbranch.txt[]
- 
-+include::config/sideband.txt[]
-+
- include::config/sparse.txt[]
- 
- include::config/splitindex.txt[]
-diff --git a/Documentation/config/sideband.txt b/Documentation/config/sideband.txt
-new file mode 100644
-index 0000000000..1adc831667
--- /dev/null
-+++ b/Documentation/config/sideband.txt
-@@ -0,0 +1,16 @@
-+sideband.allowControlCharacters::
-+	By default, control characters that are delivered via the sideband
-+	are NOT masked. Use this config setting to prevent potentially
-+	unwanted ANSI escape sequences from being sent to the terminal:
-++
-+--
-+	color::
-+		Allow ANSI color sequences, line feeds and horizontal tabs,
-+		but mask all other control characters.
-+	false::
-+		Mask all control characters other than line feeds and
-+		horizontal tabs.
-+	true::
-+		Allow all control characters to be sent to the terminal.
-+        This is the default.
-+--
-\ No newline at end of file
-diff --git a/sideband.c b/sideband.c
-index 02805573fa..7a0ca61948 100644
--- a/sideband.c
-+++ b/sideband.c
-@@ -25,6 +25,12 @@ static struct keyword_entry keywords[] = {
- 	{ "error",	GIT_COLOR_BOLD_RED },
- };
- 
-+static enum {
-+	ALLOW_NO_CONTROL_CHARACTERS = 0,
-+	ALLOW_ALL_CONTROL_CHARACTERS = 1,
-+	ALLOW_ANSI_COLOR_SEQUENCES = 2
-+} allow_control_characters = ALLOW_ALL_CONTROL_CHARACTERS;
-+
- /* Returns a color setting (GIT_COLOR_NEVER, etc). */
- static int use_sideband_colors(void)
- {
-@@ -38,6 +44,25 @@ static int use_sideband_colors(void)
- 	if (use_sideband_colors_cached >= 0)
- 		return use_sideband_colors_cached;
- 
-+	switch (git_config_get_maybe_bool("sideband.allowcontrolcharacters", &i)) {
-+	case 0: /* Boolean value */
-+		allow_control_characters = i ? ALLOW_ALL_CONTROL_CHARACTERS :
-+			ALLOW_NO_CONTROL_CHARACTERS;
-+		break;
-+	case -1: /* non-Boolean value */
-+		if (git_config_get_string_tmp("sideband.allowcontrolcharacters",
-+							&value))
-+			; /* huh? `get_maybe_bool()` returned -1 */
-+		else if (!strcmp(value, "color"))
-+			allow_control_characters = ALLOW_ANSI_COLOR_SEQUENCES;
-+		else
-+			warning(_("unrecognized value for `sideband."
-+					"allowControlCharacters`: '%s'"), value);
-+		break;
-+	default:
-+		break; /* not configured */
-+	}
-+
- 	if (!git_config_get_string_tmp(key, &value))
- 		use_sideband_colors_cached = git_config_colorbool(key, value);
- 	else if (!git_config_get_string_tmp("color.ui", &value))
-@@ -65,6 +90,55 @@ void list_config_color_sideband_slots(struct string_list *list, const char *pref
- 		list_config_item(list, prefix, keywords[i].keyword);
- }
- 
-+static int handle_ansi_color_sequence(struct strbuf *dest, const char *src, int n)
-+{
-+	int i;
-+
-+	/*
-+	 * Valid ANSI color sequences are of the form
-+	 *
-+	 * ESC [ [<n> [; <n>]*] m
-+	 */
-+
-+	if (allow_control_characters != ALLOW_ANSI_COLOR_SEQUENCES ||
-+	    n < 3 || src[0] != '\x1b' || src[1] != '[')
-+		return 0;
-+
-+	for (i = 2; i < n; i++) {
-+		if (src[i] == 'm') {
-+			strbuf_add(dest, src, i + 1);
-+			return i;
-+		}
-+		if (!isdigit(src[i]) && src[i] != ';')
-+			break;
-+	}
-+
-+	return 0;
-+}
-+
-+static void strbuf_add_sanitized(struct strbuf *dest, const char *src, int n)
-+{
-+	int i;
-+
-+	if (allow_control_characters == ALLOW_ALL_CONTROL_CHARACTERS) {
-+			strbuf_add(dest, src, n);
-+			return;
-+		}
-+	
-+	strbuf_grow(dest, n);
-+	for (; n && *src; src++, n--) {
-+		if (!iscntrl(*src) || *src == '\t' || *src == '\n')
-+			strbuf_addch(dest, *src);
-+		else if ((i = handle_ansi_color_sequence(dest, src, n))) {
-+				src += i;
-+				n -= i;
-+		} else {
-+			strbuf_addch(dest, '^');
-+			strbuf_addch(dest, 0x40 + *src);
-+		}
-+	}
-+}
-+
- /*
-  * Optionally highlight one keyword in remote output if it appears at the start
-  * of the line. This should be called for a single line only, which is
-@@ -80,7 +154,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
- 	int i;
- 
- 	if (!want_color_stderr(use_sideband_colors())) {
-		strbuf_add(dest, src, n);
-+		strbuf_add_sanitized(dest, src, n);
- 		return;
- 	}
- 
-@@ -113,7 +187,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
- 		}
- 	}
- 
-	strbuf_add(dest, src, n);
-+	strbuf_add_sanitized(dest, src, n);
- }
- 
- 
-diff --git a/t/t5409-colorize-remote-messages.sh b/t/t5409-colorize-remote-messages.sh
-index 516b22fd96..48f8413eff 100755
--- a/t/t5409-colorize-remote-messages.sh
-+++ b/t/t5409-colorize-remote-messages.sh
-@@ -99,4 +99,34 @@ test_expect_success 'fallback to color.ui' '
- 	grep "<BOLD;RED>error<RESET>: error" decoded
- '
- 
-+test_expect_success 'disallow (color) control sequences in sideband' '
-+	write_script .git/color-me-surprised <<-\EOF &&
-+	printf "error: Have you \\033[31mread\\033[m this?\\a\\n" >&2
-+	exec "$@"
-+	EOF
-+	test_config_global uploadPack.packObjectshook ./color-me-surprised &&
-+	test_commit need-at-least-one-commit &&
-+	git -c sideband.allowControlCharacters=color \
-+		clone --no-local . throw-away 2>stderr &&
-+	test_decode_color <stderr >decoded &&
-+	test_grep RED decoded &&
-+	test_grep "\\^G" stderr &&
-+	tr -dc "\\007" <stderr >actual &&
-+	test_must_be_empty actual &&
-+
-+	rm -rf throw-away &&
-+	git -c sideband.allowControlCharacters=false \
-+		clone --no-local . throw-away 2>stderr &&
-+	test_decode_color <stderr >decoded &&
-+	test_grep ! RED decoded &&
-+	test_grep "\\^G" stderr &&
-+
-+	rm -rf throw-away &&
-+	git -c sideband.allowControlCharacters clone --no-local . throw-away 2>stderr &&
-+	test_decode_color <stderr >decoded &&
-+	test_grep RED decoded &&
-+	tr -dc "\\007" <stderr >actual &&
-+	test_file_not_empty actual
-+'
-+
- test_done
-- 
-2.49.0
-
--- a/git-2.52-core-crypto-hmac.patch
+++ b/git-2.52-core-crypto-hmac.patch
@ -0,0 +1,85 @@
+From 17acaf144b882d7312b147ac4a1d39158a82534d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Poho=C5=99elsk=C3=BD?= <opohorel@redhat.com>
+Date: Fri, 9 Jan 2026 14:49:51 +0100
+Subject: [PATCH] git-2.52.0-core-crypto-hmac.patch
+
+---
+ Makefile               |  2 ++
+ builtin/receive-pack.c | 38 ++++----------------------------------
+ 2 files changed, 6 insertions(+), 34 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 7e0f77e298..a106eaa79d 100644
+--- a/Makefile
+++ b/Makefile
+@@ -2278,6 +2278,8 @@ ifneq ($(findstring openssl,$(CSPRNG_METHOD)),)
+ 	EXTLIBS += -lcrypto -lssl
+ endif
+ 
+EXTLIBS += -lcrypto
+
+ ifndef HAVE_PLATFORM_PROCINFO
+ 	COMPAT_OBJS += compat/stub/procinfo.o
+ endif
+diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
+index c9288a9c7e..48ad30fb0a 100644
+--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
+@@ -43,6 +43,8 @@
+ #include "worktree.h"
+ #include "shallow.h"
+ #include "parse-options.h"
+#include <openssl/hmac.h>	
+#include <openssl/evp.h>
+ 
+ static const char * const receive_pack_usage[] = {
+ 	N_("git receive-pack <git-dir>"),
+@@ -561,43 +563,11 @@ static int copy_to_sideband(int in, int out UNUSED, void *arg UNUSED)
+ 	return 0;
+ }
+ 
+-static void hmac_hash(unsigned char *out,
+static inline void hmac_hash(unsigned char *out,
+ 		      const char *key_in, size_t key_len,
+ 		      const char *text, size_t text_len)
+ {
+-	unsigned char key[GIT_MAX_BLKSZ];
+-	unsigned char k_ipad[GIT_MAX_BLKSZ];
+-	unsigned char k_opad[GIT_MAX_BLKSZ];
+-	int i;
+-	struct git_hash_ctx ctx;
+-
+-	/* RFC 2104 2. (1) */
+-	memset(key, '\0', GIT_MAX_BLKSZ);
+-	if (the_hash_algo->blksz < key_len) {
+-		the_hash_algo->init_fn(&ctx);
+-		git_hash_update(&ctx, key_in, key_len);
+-		git_hash_final(key, &ctx);
+-	} else {
+-		memcpy(key, key_in, key_len);
+-	}
+-
+-	/* RFC 2104 2. (2) & (5) */
+-	for (i = 0; i < sizeof(key); i++) {
+-		k_ipad[i] = key[i] ^ 0x36;
+-		k_opad[i] = key[i] ^ 0x5c;
+-	}
+-
+-	/* RFC 2104 2. (3) & (4) */
+-	the_hash_algo->init_fn(&ctx);
+-	git_hash_update(&ctx, k_ipad, sizeof(k_ipad));
+-	git_hash_update(&ctx, text, text_len);
+-	git_hash_final(out, &ctx);
+-
+-	/* RFC 2104 2. (6) & (7) */
+-	the_hash_algo->init_fn(&ctx);
+-	git_hash_update(&ctx, k_opad, sizeof(k_opad));
+-	git_hash_update(&ctx, out, the_hash_algo->rawsz);
+-	git_hash_final(out, &ctx);
+	HMAC(EVP_sha1(), key_in, key_len, text, text_len, out, NULL);
+ }
+ 
+ static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
+-- 
+2.52.0
+
--- a/git-2.52-sanitize-sideband-channel-messages.patch
+++ b/git-2.52-sanitize-sideband-channel-messages.patch
@ -0,0 +1,275 @@
+From 65e88e659008e2cbf79cf44975406ff0d569a3a9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Poho=C5=99elsk=C3=BD?= <opohorel@redhat.com>
+Date: Thu, 20 Nov 2025 12:24:59 +0100
+Subject: [PATCH] sideband: mask control characters
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The output of `git clone` is a vital component for understanding what
+has happened when things go wrong. However, these logs are partially
+under the control of the remote server (via the "sideband", which
+typically contains what the remote `git pack-objects` process sends to
+`stderr`), and is currently not sanitized by Git.
+
+This makes Git susceptible to ANSI escape sequence injection (see
+CWE-150, https://cwe.mitre.org/data/definitions/150.html), which allows
+attackers to corrupt terminal state, to hide information, and even to
+insert characters into the input buffer (i.e. as if the user had typed
+those characters).
+
+To plug this vulnerability, disallow any control character in the
+sideband, replacing them instead with the common `^<letter/symbol>`
+(e.g. `^[` for `\x1b`, `^A` for `\x01`).
+
+There is likely a need for more fine-grained controls instead of using a
+"heavy hammer" like this, which will be introduced subsequently.
+
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+sideband: introduce an "escape hatch" to allow control characters
+
+The preceding commit fixed the vulnerability whereas sideband messages
+(that are under the control of the remote server) could contain ANSI
+escape sequences that would be sent to the terminal verbatim.
+
+However, this fix may not be desirable under all circumstances, e.g.
+when remote servers deliberately add coloring to their messages to
+increase their urgency.
+
+To help with those use cases, give users a way to opt-out of the
+protections: `sideband.allowControlCharacters`.
+
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+sideband: do allow ANSI color sequences by default
+
+The preceding two commits introduced special handling of the sideband
+channel to neutralize ANSI escape sequences before sending the payload
+to the terminal, and `sideband.allowControlCharacters` to override that
+behavior.
+
+However, some `pre-receive` hooks that are actively used in practice
+want to color their messages and therefore rely on the fact that Git
+passes them through to the terminal.
+
+In contrast to other ANSI escape sequences, it is highly unlikely that
+coloring sequences can be essential tools in attack vectors that mislead
+Git users e.g. by hiding crucial information.
+
+Therefore we can have both: Continue to allow ANSI coloring sequences to
+be passed to the terminal, and neutralize all other ANSI escape
+sequences.
+
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+sideband: default to allowControlCharacters=true
+
+We don't want to change the default Git behaviour, just add the option
+to filter control characters.
+
+Signed-off-by: Ondřej Pohořelský <opohorel@redhat.com>
+---
+ Documentation/config.adoc           |  2 +
+ Documentation/config/sideband.adoc  | 16 ++++++
+ sideband.c                          | 78 ++++++++++++++++++++++++++++-
+ t/t5409-colorize-remote-messages.sh | 31 ++++++++++++
+ 4 files changed, 125 insertions(+), 2 deletions(-)
+ create mode 100644 Documentation/config/sideband.adoc
+
+diff --git a/Documentation/config.adoc b/Documentation/config.adoc
+index 62eebe7c54..dcea3c0c15 100644
+--- a/Documentation/config.adoc
+++ b/Documentation/config.adoc
+@@ -523,6 +523,8 @@ include::config/sequencer.adoc[]
+ 
+ include::config/showbranch.adoc[]
+ 
+include::config/sideband.adoc[]
+
+ include::config/sparse.adoc[]
+ 
+ include::config/splitindex.adoc[]
+diff --git a/Documentation/config/sideband.adoc b/Documentation/config/sideband.adoc
+new file mode 100644
+index 0000000000..c9ba24a02c
+--- /dev/null
+++ b/Documentation/config/sideband.adoc
+@@ -0,0 +1,16 @@
+sideband.allowControlCharacters::
+	By default, control characters that are delivered via the sideband
+	are NOT masked. Use this config setting to prevent potentially
+	unwanted ANSI escape sequences from being sent to the terminal:
++
+--
+	color::
+		Allow ANSI color sequences, line feeds and horizontal tabs,
+		but mask all other control characters.
+	false::
+		Mask all control characters other than line feeds and
+		horizontal tabs.
+	true::
+		Allow all control characters to be sent to the terminal.
+		This is the default.
+--
+\ No newline at end of file
+diff --git a/sideband.c b/sideband.c
+index ea7c25211e..88d1b44a7a 100644
+--- a/sideband.c
+++ b/sideband.c
+@@ -26,6 +26,12 @@ static struct keyword_entry keywords[] = {
+ 	{ "error",	GIT_COLOR_BOLD_RED },
+ };
+ 
+static enum {
+	ALLOW_NO_CONTROL_CHARACTERS = 0,
+	ALLOW_ALL_CONTROL_CHARACTERS = 1,
+	ALLOW_ANSI_COLOR_SEQUENCES = 2
+} allow_control_characters = ALLOW_ALL_CONTROL_CHARACTERS;
+
+ /* Returns a color setting (GIT_COLOR_NEVER, etc). */
+ static enum git_colorbool use_sideband_colors(void)
+ {
+@@ -39,6 +45,25 @@ static enum git_colorbool use_sideband_colors(void)
+ 	if (use_sideband_colors_cached != GIT_COLOR_UNKNOWN)
+ 		return use_sideband_colors_cached;
+ 
+	switch (repo_config_get_maybe_bool(the_repository, "sideband.allowcontrolcharacters", &i)) {
+	case 0: /* Boolean value */
+		allow_control_characters = i ? ALLOW_ALL_CONTROL_CHARACTERS :
+			ALLOW_NO_CONTROL_CHARACTERS;
+		break;
+	case -1: /* non-Boolean value */
+		if (repo_config_get_string_tmp(the_repository, "sideband.allowcontrolcharacters",
+					      &value))
+			; /* huh? `get_maybe_bool()` returned -1 */
+		else if (!strcmp(value, "color"))
+			allow_control_characters = ALLOW_ANSI_COLOR_SEQUENCES;
+		else
+			warning(_("unrecognized value for `sideband."
+				  "allowControlCharacters`: '%s'"), value);
+		break;
+	default:
+		break; /* not configured */
+	}
+
+ 	if (!repo_config_get_string_tmp(the_repository, key, &value))
+ 		use_sideband_colors_cached = git_config_colorbool(key, value);
+ 	else if (!repo_config_get_string_tmp(the_repository, "color.ui", &value))
+@@ -66,6 +91,55 @@ void list_config_color_sideband_slots(struct string_list *list, const char *pref
+ 		list_config_item(list, prefix, keywords[i].keyword);
+ }
+ 
+static int handle_ansi_color_sequence(struct strbuf *dest, const char *src, int n)
+{
+	int i;
+
+	/*
+	 * Valid ANSI color sequences are of the form
+	 *
+	 * ESC [ [<n> [; <n>]*] m
+	 */
+
+	if (allow_control_characters != ALLOW_ANSI_COLOR_SEQUENCES ||
+	    n < 3 || src[0] != '\x1b' || src[1] != '[')
+		return 0;
+
+	for (i = 2; i < n; i++) {
+		if (src[i] == 'm') {
+			strbuf_add(dest, src, i + 1);
+			return i;
+		}
+		if (!isdigit(src[i]) && src[i] != ';')
+			break;
+	}
+
+	return 0;
+}
+
+static void strbuf_add_sanitized(struct strbuf *dest, const char *src, int n)
+{
+	int i;
+
+	if (allow_control_characters == ALLOW_ALL_CONTROL_CHARACTERS) {
+		strbuf_add(dest, src, n);
+		return;
+	}
+
+	strbuf_grow(dest, n);
+	for (; n && *src; src++, n--) {
+		if (!iscntrl(*src) || *src == '\t' || *src == '\n')
+			strbuf_addch(dest, *src);
+		else if ((i = handle_ansi_color_sequence(dest, src, n))) {
+			src += i;
+			n -= i;
+		} else {
+			strbuf_addch(dest, '^');
+			strbuf_addch(dest, 0x40 + *src);
+		}
+	}
+}
+
+ /*
+  * Optionally highlight one keyword in remote output if it appears at the start
+  * of the line. This should be called for a single line only, which is
+@@ -81,7 +155,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
+ 	int i;
+ 
+ 	if (!want_color_stderr(use_sideband_colors())) {
+-		strbuf_add(dest, src, n);
+		strbuf_add_sanitized(dest, src, n);
+ 		return;
+ 	}
+ 
+@@ -114,7 +188,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
+ 		}
+ 	}
+ 
+-	strbuf_add(dest, src, n);
+	strbuf_add_sanitized(dest, src, n);
+ }
+ 
+ 
+diff --git a/t/t5409-colorize-remote-messages.sh b/t/t5409-colorize-remote-messages.sh
+index fa5de4500a..2d40d8c640 100755
+--- a/t/t5409-colorize-remote-messages.sh
+++ b/t/t5409-colorize-remote-messages.sh
+@@ -98,4 +98,35 @@ test_expect_success 'fallback to color.ui' '
+ 	grep "<BOLD;RED>error<RESET>: error" decoded
+ '
+ 
+test_expect_success 'disallow (color) control sequences in sideband' '
+	write_script .git/color-me-surprised <<-\EOF &&
+	printf "error: Have you \\033[31mread\\033[m this?\\a\\n" >&2
+	exec "$@"
+	EOF
+	test_config_global uploadPack.packObjectshook ./color-me-surprised &&
+	test_commit need-at-least-one-commit &&
+
+	git -c sideband.allowControlCharacters=color \
+		clone --no-local . throw-away 2>stderr &&
+	test_decode_color <stderr >decoded &&
+	test_grep RED decoded &&
+	test_grep "\\^G" stderr &&
+	tr -dc "\\007" <stderr >actual &&
+	test_must_be_empty actual &&
+
+	rm -rf throw-away &&
+	git -c sideband.allowControlCharacters=false \
+		clone --no-local . throw-away 2>stderr &&
+	test_decode_color <stderr >decoded &&
+	test_grep ! RED decoded &&
+	test_grep "\\^G" stderr &&
+
+	rm -rf throw-away &&
+	git -c sideband.allowControlCharacters clone --no-local . throw-away 2>stderr &&
+	test_decode_color <stderr >decoded &&
+	test_grep RED decoded &&
+	tr -dc "\\007" <stderr >actual &&
+	test_file_not_empty actual
+'
+
+ test_done
+-- 
+2.51.1
+
--- a/git.spec
+++ b/git.spec
@ -6,13 +6,6 @@

 %global gitexecdir          %{_libexecdir}/git-core

-# Settings for Fedora >= 34
-%if 0%{?fedora} >= 34
-%bcond_with                 emacs
-%else
-%bcond_without              emacs
-%endif
-
 # Settings for Fedora
 %if 0%{?fedora}
 # linkchecker is not available on EL
@ -99,7 +92,7 @@
 #global rcrev   .rc0

 Name:           git
-Version:        2.47.3
+Version:        2.52.0
 Release:        1%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
@ -133,7 +126,7 @@ Source99:       print-failed-test-output
 Patch0:         git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch

 # https://bugzilla.redhat.com/1956345
-Patch1:         git-2.43.0-core-crypto-hmac.patch
+Patch1:         git-2.52-core-crypto-hmac.patch

 # https://bugzilla.redhat.com/2114531
 # tests: try harder to find open ports for apache, git, and svn
@ -149,8 +142,8 @@ Patch4:         0003-t-lib-git-svn-try-harder-to-find-a-port.patch
 # CVE-2024-52005 wasn't fixed by upstream. This patch adds the option to harden Git against it.
 # The default behaviour of Git remains unchanged.
 #
-# https://github.com/gitgitgadget/git/pull/1853 
-Patch5:         git-2.47-sanitize-sideband-channel-messages.patch
+# https://github.com/gitgitgadget/git/pull/1853
+Patch6:         git-2.52-sanitize-sideband-channel-messages.patch

 %if %{with docs}
 # pod2man is needed to build Git.3pm
@ -172,10 +165,6 @@ BuildRequires:  linkchecker
 # endif with docs
 BuildRequires:  desktop-file-utils
 BuildRequires:  diffutils
-%if %{with emacs}
-BuildRequires:  emacs-common
-%endif
-# endif emacs-common
 %if 0%{?rhel} && 0%{?rhel} < 9
 # Require epel-rpm-macros for the %%gpgverify macro on EL-7/EL-8, and
 # %%build_cflags & %%build_ldflags on EL-7.
@ -307,17 +296,6 @@ Requires:       perl(Term::ReadKey)
 # endif ! defined perl_bootstrap
 Requires:       perl-Git = %{version}-%{release}

-%if %{with emacs} && %{emacs_filesystem} && %{defined _emacs_version}
-Requires:       emacs-filesystem >= %{_emacs_version}
-%endif
-# endif with emacs && emacs_filesystem
-
-# Obsolete emacs-git if it's disabled
-%if %{without emacs}
-Obsoletes:      emacs-git < %{?epoch:%{epoch}:}%{version}-%{release}
-%endif
-# endif without emacs
-
 # Obsolete git-cvs if it's disabled
 %if %{without cvs}
 Obsoletes:      git-cvs < %{?epoch:%{epoch}:}%{version}-%{release}
@ -572,7 +550,9 @@ xz -dc '%{SOURCE0}' | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1
 install -p -m 755 %{SOURCE99} print-failed-test-output

 # Remove git-archimport from command list
+sed -i '/^SCRIPT_PERL += git-archimport\.perl$/d' Makefile
 sed -i '/^git-archimport/d' command-list.txt
+rm git-archimport.perl Documentation/git-archimport.adoc

 %if %{without cvs}
 # Remove git-cvs* from command list
@ -642,6 +622,9 @@ chmod +x %{__perl_requires}
 %endif
 # endif use_new_rpm_filters

+# Exclude sample hook files from automatic dependency detection
+%global __requires_exclude_from ^%{_datadir}/git-core/templates/hooks/.*sample$
+
 # Remove Git::LoadCPAN to ensure we use only system perl modules.  This also
 # allows the dependencies to be automatically processed by rpm.
 rm -rf perl/Git/LoadCPAN{.pm,/}
@ -653,7 +636,7 @@ sed -i 's@"++GITWEB_HOME_LINK_STR++"@$ENV{"SERVER_NAME"} ? "git://" . $ENV{"SERV

 # Move contrib/{contacts,subtree} docs to Documentation so they build with the
 # proper asciidoc/docbook/xmlto options
-mv contrib/{contacts,subtree}/git-*.txt Documentation/
+mv contrib/{contacts,subtree}/git-*.adoc Documentation/

 %build
 # Improve build reproducibility
@ -690,19 +673,6 @@ rm -rf contrib/fast-import/import-zips.py

 %make_install -C contrib/contacts

-%if %{with emacs}
-%global elispdir %{_emacs_sitelispdir}/git
-pushd contrib/emacs >/dev/null
-for el in *.el ; do
-    # Note: No byte-compiling is done.  These .el files are one-line stubs
-    # which only serve to point users to better alternatives.
-    install -Dpm 644 $el %{buildroot}%{elispdir}/$el
-    rm -f $el # clean up to avoid cruft in git-core-doc
-done
-popd >/dev/null
-%endif
-# endif with emacs
-
 %if %{with libsecret}
 install -pm 755 contrib/credential/libsecret/git-credential-libsecret \
    %{buildroot}%{gitexecdir}
@ -792,13 +762,6 @@ mkdir -p %{buildroot}%{_datadir}/git-core/contrib/completion
 install -pm 644 contrib/completion/git-completion.tcsh \
    %{buildroot}%{_datadir}/git-core/contrib/completion/

-# Move contrib/hooks out of %%docdir
-mkdir -p %{buildroot}%{_datadir}/git-core/contrib
-mv contrib/hooks %{buildroot}%{_datadir}/git-core/contrib
-pushd contrib > /dev/null
-ln -s ../../../git-core/contrib/hooks
-popd > /dev/null
-
 # Install git-prompt.sh
 mkdir -p %{buildroot}%{_datadir}/git-core/contrib/completion
 install -pm 644 contrib/completion/git-prompt.sh \
@ -841,7 +804,7 @@ grep -E  "$not_core_re" bin-man-doc-files > bin-man-doc-git-files
 # contrib
 not_core_doc_re="(git-(cvs|gui|citool|daemon|instaweb|subtree))|p4|svn|email|gitk|gitweb"
 mkdir -p %{buildroot}%{_pkgdocdir}/
-cp -pr CODE_OF_CONDUCT.md README.md Documentation/*.txt Documentation/RelNotes contrib %{buildroot}%{_pkgdocdir}/
+cp -pr CODE_OF_CONDUCT.md README.md Documentation/*.adoc Documentation/RelNotes contrib %{buildroot}%{_pkgdocdir}/
 # Remove contrib/ files/dirs which have nothing useful for documentation
 rm -rf %{buildroot}%{_pkgdocdir}/contrib/{contacts,credential}/
 cp -p gitweb/INSTALL %{buildroot}%{_pkgdocdir}/INSTALL.gitweb
@ -939,6 +902,17 @@ GIT_SKIP_TESTS="$GIT_SKIP_TESTS t5003.81"
 %endif
 # endif rhel == 9 && arch == s390x

+%if "%{_arch}" == "s390x"
+# Skip tests which fail on s390x
+#
+# The following tests are failing on s390x.
+# https://lore.kernel.org/git/4dc4c8cd-c0cc-4784-8fcf-defa3a051087@mit.edu/
+#
+# t8020.16 'cross merge boundaries in blaming'
+# t8020.19 'last-modified merge undoes changes'
+GIT_SKIP_TESTS="$GIT_SKIP_TESTS t8020.16 t8020.19"
+%endif
+# endif "%{_arch}" == "s390x"
 export GIT_SKIP_TESTS

 # Set LANG so various UTF-8 tests are run
@ -986,16 +960,7 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 # endif use_systemd

 %files -f bin-man-doc-git-files
-%if %{with emacs} && %{emacs_filesystem}
-%{elispdir}
-%endif
-# endif with emacs && emacs_filesystem
 %{_datadir}/git-core/contrib/diff-highlight
-%{_datadir}/git-core/contrib/hooks/update-paranoid
-%{_datadir}/git-core/contrib/hooks/setgitperms.perl
-%{_datadir}/git-core/templates/hooks/fsmonitor-watchman.sample
-%{_datadir}/git-core/templates/hooks/pre-rebase.sample
-%{_datadir}/git-core/templates/hooks/prepare-commit-msg.sample

 %files all
 # No files for you!
@ -1007,11 +972,6 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %license COPYING
 # exclude is best way here because of troubles with symlinks inside git-core/
 %exclude %{_datadir}/git-core/contrib/diff-highlight
-%exclude %{_datadir}/git-core/contrib/hooks/update-paranoid
-%exclude %{_datadir}/git-core/contrib/hooks/setgitperms.perl
-%exclude %{_datadir}/git-core/templates/hooks/fsmonitor-watchman.sample
-%exclude %{_datadir}/git-core/templates/hooks/pre-rebase.sample
-%exclude %{_datadir}/git-core/templates/hooks/prepare-commit-msg.sample
 %{bashcomproot}
 %{_datadir}/git-core/

@ -1021,7 +981,6 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %exclude %{_pkgdocdir}/contrib/*/*.py[co]
 %endif
 # endif rhel <= 7
-%{_pkgdocdir}/contrib/hooks

 %if %{with libsecret}
 %files credential-libsecret
@ -1032,7 +991,7 @@ rmdir --ignore-fail-on-non-empty "$testdir"

 %if %{with cvs}
 %files cvs
-%{_pkgdocdir}/*git-cvs*.txt
+%{_pkgdocdir}/*git-cvs*.adoc
 %{_bindir}/git-cvsserver
 %{gitexecdir}/*cvs*
 %{?with_docs:%{_mandir}/man1/*cvs*.1*}
@ -1041,7 +1000,7 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 # endif with cvs

 %files daemon
-%{_pkgdocdir}/git-daemon*.txt
+%{_pkgdocdir}/git-daemon*.adoc
 %if %{use_systemd}
 %{_unitdir}/git.socket
 %config(noreplace) %{_unitdir}/git@.service
@ -1062,13 +1021,13 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 # endif with emacs && ! emacs_filesystem

 %files email
-%{_pkgdocdir}/*email*.txt
+%{_pkgdocdir}/*email*.adoc
 %{gitexecdir}/*email*
 %{?with_docs:%{_mandir}/man1/*email*.1*}
 %{?with_docs:%{_pkgdocdir}/*email*.html}

 %files -n gitk
-%{_pkgdocdir}/*gitk*.txt
+%{_pkgdocdir}/*gitk*.adoc
 %{_bindir}/*gitk*
 %{_datadir}/gitk
 %{?with_docs:%{_mandir}/man1/*gitk*.1*}
@ -1076,7 +1035,7 @@ rmdir --ignore-fail-on-non-empty "$testdir"

 %files -n gitweb
 %{_pkgdocdir}/*.gitweb
-%{_pkgdocdir}/gitweb*.txt
+%{_pkgdocdir}/gitweb*.adoc
 %{?with_docs:%{_mandir}/man1/gitweb.1*}
 %{?with_docs:%{_mandir}/man5/gitweb.conf.5*}
 %{?with_docs:%{_pkgdocdir}/gitweb*.html}
@ -1089,8 +1048,8 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{gitexecdir}/git-citool
 %{_datadir}/applications/*git-gui.desktop
 %{_datadir}/git-gui/
-%{_pkgdocdir}/git-gui.txt
-%{_pkgdocdir}/git-citool.txt
+%{_pkgdocdir}/git-gui.adoc
+%{_pkgdocdir}/git-citool.adoc
 %{?with_docs:%{_mandir}/man1/git-gui.1*}
 %{?with_docs:%{_pkgdocdir}/git-gui.html}
 %{?with_docs:%{_mandir}/man1/git-citool.1*}
@ -1099,7 +1058,7 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %files instaweb
 %defattr(-,root,root)
 %{gitexecdir}/git-instaweb
-%{_pkgdocdir}/git-instaweb.txt
+%{_pkgdocdir}/git-instaweb.adoc
 %{?with_docs:%{_mandir}/man1/git-instaweb.1*}
 %{?with_docs:%{_pkgdocdir}/git-instaweb.html}

@ -1107,7 +1066,7 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %files p4
 %{gitexecdir}/*p4*
 %{gitexecdir}/mergetools/p4merge
-%{_pkgdocdir}/*p4*.txt
+%{_pkgdocdir}/*p4*.adoc
 %{?with_docs:%{_mandir}/man1/*p4*.1*}
 %{?with_docs:%{_pkgdocdir}/*p4*.html}
 %endif
@ -1120,17 +1079,21 @@ rmdir --ignore-fail-on-non-empty "$testdir"

 %files subtree
 %{gitexecdir}/git-subtree
-%{_pkgdocdir}/git-subtree.txt
+%{_pkgdocdir}/git-subtree.adoc
 %{?with_docs:%{_mandir}/man1/git-subtree.1*}
 %{?with_docs:%{_pkgdocdir}/git-subtree.html}

 %files svn
 %{gitexecdir}/git-svn
-%{_pkgdocdir}/git-svn.txt
+%{_pkgdocdir}/git-svn.adoc
 %{?with_docs:%{_mandir}/man1/git-svn.1*}
 %{?with_docs:%{_pkgdocdir}/git-svn.html}

 %changelog
+* Fri Jan 09 2026 Ondřej Pohořelský <opohorel@redhat.com> - 2.52.0-1
+- update to 2.52.0
+- Resolves: RHEL-118147
+
 * Thu Jul 10 2025 Ondřej Pohořelský <opohorel@redhat.com> - 2.47.3-1
 - update to 2.47.3
 - Resolves: RHEL-102449, RHEL-102463, RHEL-102675, RHEL-102681
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (git-2.47.3.tar.xz) = 9c0e1e42e3bc10eb912c1ca9737d55b2e5d994f56825fa659d6cf5cbec220c67cc9aa3217fc136ae28c90c0b4969cff3661dc92ed6e2774f7432170f1d9e2a55
-SHA512 (git-2.47.3.tar.sign) = 6d9b51346077a080bf581da2cb56ddc353aa8b58cdb5f34563681bdc90c513742812b2a6c8585f10472d220cd8be7448839d038f92167277aa131459977d9bcf
+SHA512 (git-2.52.0.tar.xz) = 965e5ebb72d1f080d64e34bdb75f0bb1689c9dd41dcf63b020d986bad49808ac09bfb1115962bc0c5b95bac8622367ac4cd09aa89266f73d2137fe94c90dd3ed
+SHA512 (git-2.52.0.tar.sign) = a5a68ce131a5763650c477ec01a4de958dd6a946bdea0f613e26bdab41d2df6b3ca63f9028bbe603bf0c834bd415c86e6c616b1ff08cc48aa7c3c61a37b24b74