diff --git a/.git.metadata b/.git.metadata
index a01d0b6..8591086 100644
--- a/.git.metadata
+++ b/.git.metadata
@@ -1,2 +1,2 @@
-7577a22e233e892dba5cf19a3a57cef2062d01e6 SOURCES/git-2.43.5.tar.sign
-31decef72034ae36c8098a9e6bb13a7dd4859fd9 SOURCES/git-2.43.5.tar.xz
+6ee94f976a315b7897a6e663d8e6e97283ff5adb SOURCES/git-2.47.1.tar.sign
+63654fcfa1604c7470bcc9c4e2d1cdba218a8bc3 SOURCES/git-2.47.1.tar.xz
diff --git a/.gitignore b/.gitignore
index dc23a3b..86be50f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/git-2.43.5.tar.sign
-SOURCES/git-2.43.5.tar.xz
+SOURCES/git-2.47.1.tar.sign
+SOURCES/git-2.47.1.tar.xz
diff --git a/SOURCES/git-2.43.5-slow-shallow-clones.patch b/SOURCES/git-2.43.5-slow-shallow-clones.patch
deleted file mode 100644
index 6d1779d..0000000
--- a/SOURCES/git-2.43.5-slow-shallow-clones.patch
+++ /dev/null
@@ -1,115 +0,0 @@ -From 51441e6460b505c07b4a8a6deeaa7de4bf6e8e33 Mon Sep 17 00:00:00 2001 -From: Junio C Hamano -Date: Fri, 3 May 2024 08:34:27 -0700 -Subject: [PATCH] stop using HEAD for attributes in bare repository by default - -With 23865355 (attr: read attributes from HEAD when bare repo, -2023-10-13), we started to use the HEAD tree as the default -attribute source in a bare repository. One argument for such a -behaviour is that it would make things like "git archive" run in -bare and non-bare repositories for the same commit consistent. -This changes was merged to Git 2.43 but without an explicit mention -in its release notes. - -It turns out that this change destroys performance of shallowly -cloning from a bare repository. As the "server" installations are -expected to be mostly bare, and "git pack-objects", which is the -core of driving the other side of "git clone" and "git fetch" wants -to see if a path is set not to delta with blobs from other paths via -the attribute system, the change forces the server side to traverse -the tree of the HEAD commit needlessly to find if each and every -paths the objects it sends out has the attribute that controls the -deltification. Given that (1) most projects do not configure such -an attribute, and (2) it is dubious for the server side to honor -such an end-user supplied attribute anyway, this was a poor choice -of the default. - -To mitigate the current situation, let's revert the change that uses -the tree of HEAD in a bare repository by default as the attribute -source. This will help most people who have been happy with the -behaviour of Git 2.42 and before. - -Two things to note: - - * If you are stuck with versions of Git 2.43 or newer, that is - older than the release this fix appears in, you can explicitly - set the attr.tree configuration variable to point at an empty - tree object, i.e. 
- - $ git config attr.tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904 - - * If you like the behaviour we are reverting, you can explicitly - set the attr.tree configuration variable to HEAD, i.e. - - $ git config attr.tree HEAD - -The right fix for this is to optimize the code paths that allow -accesses to attributes in tree objects, but that is a much more -involved change and is left as a longer-term project, outside the -scope of this "first step" fix. - -Signed-off-by: Junio C Hamano ---- - attr.c | 7 ------- - t/t0003-attributes.sh | 10 ++++++++-- - t/t5001-archive-attr.sh | 3 ++- - 3 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/attr.c b/attr.c -index e62876dfd3e9be..02ab8436266289 100644 ---- a/attr.c -+++ b/attr.c -@@ -1213,13 +1213,6 @@ static void compute_default_attr_source(struct object_id *attr_source) - ignore_bad_attr_tree = 1; - } - -- if (!default_attr_source_tree_object_name && -- startup_info->have_repository && -- is_bare_repository()) { -- default_attr_source_tree_object_name = "HEAD"; -- ignore_bad_attr_tree = 1; -- } -- - if (!default_attr_source_tree_object_name || !is_null_oid(attr_source)) - return; - -diff --git a/t/t0003-attributes.sh b/t/t0003-attributes.sh -index aee2298f01331a..5de46ddf67f7ff 100755 ---- a/t/t0003-attributes.sh -+++ b/t/t0003-attributes.sh -@@ -384,13 +384,19 @@ test_expect_success 'bad attr source defaults to reading .gitattributes file' ' - ) - ' - --test_expect_success 'bare repo defaults to reading .gitattributes from HEAD' ' -+test_expect_success 'bare repo no longer defaults to reading .gitattributes from HEAD' ' - test_when_finished rm -rf test bare_with_gitattribute && - git init test && - test_commit -C test gitattributes .gitattributes "f/path test=val" && - git clone --bare test bare_with_gitattribute && -- echo "f/path: test: val" >expect && -+ -+ echo "f/path: test: unspecified" >expect && - git -C bare_with_gitattribute check-attr test -- f/path >actual && -+ test_cmp expect actual && -+ 
-+ echo "f/path: test: val" >expect && -+ git -C bare_with_gitattribute -c attr.tree=HEAD \ -+ check-attr test -- f/path >actual && - test_cmp expect actual - ' - -diff --git a/t/t5001-archive-attr.sh b/t/t5001-archive-attr.sh -index eaf959d8f63f15..7310774af5efea 100755 ---- a/t/t5001-archive-attr.sh -+++ b/t/t5001-archive-attr.sh -@@ -133,7 +133,8 @@ test_expect_success 'git archive vs. bare' ' - ' - - test_expect_success 'git archive with worktree attributes, bare' ' -- (cd bare && git archive --worktree-attributes HEAD) >bare-worktree.tar && -+ (cd bare && -+ git -c attr.tree=HEAD archive --worktree-attributes HEAD) >bare-worktree.tar && - (mkdir bare-worktree && cd bare-worktree && "$TAR" xf -) +Date: Fri, 28 Mar 2025 13:26:29 +0100 +Subject: [PATCH] Adds the option to sanitize sideband channel messages + +CVE-2024-52005 wasn't fixed by upstream. This patch adds the option +to harden Git against it. +The default behaviour of Git remains unchanged. + +Changes are taken from Git for Windows. 
The only differences are that +by default we are allowing all control characters, the documentation +reflects it and one of the tests has to be invoked with a config +change: `sideband.allowControlCharacters=color` + +These commits can also be seen in this upstream PR: +https://github.com/gitgitgadget/git/pull/1853 +--- + Documentation/config.txt | 2 + + Documentation/config/sideband.txt | 16 ++++++ + sideband.c | 78 ++++++++++++++++++++++++++++- + t/t5409-colorize-remote-messages.sh | 30 +++++++++++ + 4 files changed, 124 insertions(+), 2 deletions(-) + create mode 100644 Documentation/config/sideband.txt + +diff --git a/Documentation/config.txt b/Documentation/config.txt +index 8c0b3ed807..48870bb588 100644 +--- a/Documentation/config.txt ++++ b/Documentation/config.txt +@@ -522,6 +522,8 @@ include::config/sequencer.txt[] + + include::config/showbranch.txt[] + ++include::config/sideband.txt[] ++ + include::config/sparse.txt[] + + include::config/splitindex.txt[] +diff --git a/Documentation/config/sideband.txt b/Documentation/config/sideband.txt +new file mode 100644 +index 0000000000..1adc831667 +--- /dev/null ++++ b/Documentation/config/sideband.txt +@@ -0,0 +1,16 @@ ++sideband.allowControlCharacters:: ++ By default, control characters that are delivered via the sideband ++ are NOT masked. Use this config setting to prevent potentially ++ unwanted ANSI escape sequences from being sent to the terminal: +++ ++-- ++ color:: ++ Allow ANSI color sequences, line feeds and horizontal tabs, ++ but mask all other control characters. ++ false:: ++ Mask all control characters other than line feeds and ++ horizontal tabs. ++ true:: ++ Allow all control characters to be sent to the terminal. ++ This is the default. 
++-- +\ No newline at end of file +diff --git a/sideband.c b/sideband.c +index 02805573fa..7a0ca61948 100644 +--- a/sideband.c ++++ b/sideband.c +@@ -25,6 +25,12 @@ static struct keyword_entry keywords[] = { + { "error", GIT_COLOR_BOLD_RED }, + }; + ++static enum { ++ ALLOW_NO_CONTROL_CHARACTERS = 0, ++ ALLOW_ALL_CONTROL_CHARACTERS = 1, ++ ALLOW_ANSI_COLOR_SEQUENCES = 2 ++} allow_control_characters = ALLOW_ALL_CONTROL_CHARACTERS; ++ + /* Returns a color setting (GIT_COLOR_NEVER, etc). */ + static int use_sideband_colors(void) + { +@@ -38,6 +44,25 @@ static int use_sideband_colors(void) + if (use_sideband_colors_cached >= 0) + return use_sideband_colors_cached; + ++ switch (git_config_get_maybe_bool("sideband.allowcontrolcharacters", &i)) { ++ case 0: /* Boolean value */ ++ allow_control_characters = i ? ALLOW_ALL_CONTROL_CHARACTERS : ++ ALLOW_NO_CONTROL_CHARACTERS; ++ break; ++ case -1: /* non-Boolean value */ ++ if (git_config_get_string_tmp("sideband.allowcontrolcharacters", ++ &value)) ++ ; /* huh? `get_maybe_bool()` returned -1 */ ++ else if (!strcmp(value, "color")) ++ allow_control_characters = ALLOW_ANSI_COLOR_SEQUENCES; ++ else ++ warning(_("unrecognized value for `sideband." 
++ "allowControlCharacters`: '%s'"), value); ++ break; ++ default: ++ break; /* not configured */ ++ } ++ + if (!git_config_get_string_tmp(key, &value)) + use_sideband_colors_cached = git_config_colorbool(key, value); + else if (!git_config_get_string_tmp("color.ui", &value)) +@@ -65,6 +90,55 @@ void list_config_color_sideband_slots(struct string_list *list, const char *pref + list_config_item(list, prefix, keywords[i].keyword); + } + ++static int handle_ansi_color_sequence(struct strbuf *dest, const char *src, int n) ++{ ++ int i; ++ ++ /* ++ * Valid ANSI color sequences are of the form ++ * ++ * ESC [ [ [; ]*] m ++ */ ++ ++ if (allow_control_characters != ALLOW_ANSI_COLOR_SEQUENCES || ++ n < 3 || src[0] != '\x1b' || src[1] != '[') ++ return 0; ++ ++ for (i = 2; i < n; i++) { ++ if (src[i] == 'm') { ++ strbuf_add(dest, src, i + 1); ++ return i; ++ } ++ if (!isdigit(src[i]) && src[i] != ';') ++ break; ++ } ++ ++ return 0; ++} ++ ++static void strbuf_add_sanitized(struct strbuf *dest, const char *src, int n) ++{ ++ int i; ++ ++ if (allow_control_characters == ALLOW_ALL_CONTROL_CHARACTERS) { ++ strbuf_add(dest, src, n); ++ return; ++ } ++ ++ strbuf_grow(dest, n); ++ for (; n && *src; src++, n--) { ++ if (!iscntrl(*src) || *src == '\t' || *src == '\n') ++ strbuf_addch(dest, *src); ++ else if ((i = handle_ansi_color_sequence(dest, src, n))) { ++ src += i; ++ n -= i; ++ } else { ++ strbuf_addch(dest, '^'); ++ strbuf_addch(dest, 0x40 + *src); ++ } ++ } ++} ++ + /* + * Optionally highlight one keyword in remote output if it appears at the start + * of the line. 
This should be called for a single line only, which is +@@ -80,7 +154,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n) + int i; + + if (!want_color_stderr(use_sideband_colors())) { +- strbuf_add(dest, src, n); ++ strbuf_add_sanitized(dest, src, n); + return; + } + +@@ -113,7 +187,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n) + } + } + +- strbuf_add(dest, src, n); ++ strbuf_add_sanitized(dest, src, n); + } + + +diff --git a/t/t5409-colorize-remote-messages.sh b/t/t5409-colorize-remote-messages.sh +index 516b22fd96..48f8413eff 100755 +--- a/t/t5409-colorize-remote-messages.sh ++++ b/t/t5409-colorize-remote-messages.sh +@@ -99,4 +99,34 @@ test_expect_success 'fallback to color.ui' ' + grep "error: error" decoded + ' + ++test_expect_success 'disallow (color) control sequences in sideband' ' ++ write_script .git/color-me-surprised <<-\EOF && ++ printf "error: Have you \\033[31mread\\033[m this?\\a\\n" >&2 ++ exec "$@" ++ EOF ++ test_config_global uploadPack.packObjectshook ./color-me-surprised && ++ test_commit need-at-least-one-commit && ++ git -c sideband.allowControlCharacters=color \ ++ clone --no-local . throw-away 2>stderr && ++ test_decode_color decoded && ++ test_grep RED decoded && ++ test_grep "\\^G" stderr && ++ tr -dc "\\007" actual && ++ test_must_be_empty actual && ++ ++ rm -rf throw-away && ++ git -c sideband.allowControlCharacters=false \ ++ clone --no-local . throw-away 2>stderr && ++ test_decode_color decoded && ++ test_grep ! RED decoded && ++ test_grep "\\^G" stderr && ++ ++ rm -rf throw-away && ++ git -c sideband.allowControlCharacters clone --no-local . throw-away 2>stderr && ++ test_decode_color decoded && ++ test_grep RED decoded && ++ tr -dc "\\007" actual && ++ test_file_not_empty actual ++' ++ + test_done +-- +2.49.0 + diff --git a/SPECS/git.spec b/SPECS/git.spec index b9381e9..11b99f5 100644 --- a/SPECS/git.spec +++ b/SPECS/git.spec 
@@ -99,8 +99,8 @@ #global rcrev .rc0 Name: git -Version: 2.43.5 -Release: 2%{?rcrev}%{?dist} +Version: 2.47.1 +Release: 2%{?dist} Summary: Fast Version Control System License: GPLv2 URL: https://git-scm.com/ @@ -145,10 +145,12 @@ Patch3: 0002-t-lib-git-daemon-try-harder-to-find-a-port.patch # https://github.com/tmzullinger/git/commit/aa5105dc11 Patch4: 0003-t-lib-git-svn-try-harder-to-find-a-port.patch -# attr: read attributes from HEAD when bare repo +# Adds the option to sanitize sideband channel messages +# CVE-2024-52005 wasn't fixed by upstream. This patch adds the option to harden Git against it. +# The default behaviour of Git remains unchanged. # -# https://github.com/git/git/commit/2386535511d1181afd4e892e2a866ffe5e1d7d21 -Patch5: git-2.43.5-slow-shallow-clones.patch +# https://github.com/gitgitgadget/git/pull/1853 +Patch5: git-2.47-sanitize-sideband-channel-messages.patch %if %{with docs} # pod2man is needed to build Git.3pm @@ -683,13 +685,6 @@ rm -rf contrib/fast-import/import-zips.py %endif # endif with python2 -# Use python3 to avoid an unnecessary python2 dependency, if possible. -%if %{with python3} -sed -i -e '1s@#!\( */usr/bin/env python\|%{__python2}\)$@#!%{__python3}@' \ - contrib/hg-to-git/hg-to-git.py -%endif -# endif with python3 - %install %make_install %{?with_docs:install-doc} @@ -931,6 +926,19 @@ GIT_SKIP_TESTS="$GIT_SKIP_TESTS t5300.1[02348] t5300.2[03459] t5300.30 t5300.4[5 %endif # endif rhel == 8 && arch == s390x +%if 0%{?rhel} == 9 && "%{_arch}" == "s390x" +# Skip tests which fail on s390x on rhel-9 +# +# The following tests fail on s390x & el9. The cause should be investigated. +# However, it's a lower priority since the same tests work consistently on +# s390x with Fedora and RHEL-10. +# +# t5003.81 'archive remote http repository' + +GIT_SKIP_TESTS="$GIT_SKIP_TESTS t5003.81" +%endif +# endif rhel == 9 && arch == s390x + export GIT_SKIP_TESTS # Set LANG so various UTF-8 tests are run 
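Review bot: The new Patch5 comment in the `@@ -145,10 +145,12 @@` hunk says the patch "adds the option to harden Git" against CVE-2024-52005 but never names the option or says that it is off by default, while the patch's own Documentation/config/sideband.txt states that the default (`true`) still passes every control character to the terminal. Anyone reading the spec to judge whether a build is exposed therefore has to open the patch file to find out that nothing changes unless the setting is configured. I would make the opt-in nature explicit in the comment, e.g. `# Opt-in only: masking is active when sideband.allowControlCharacters is set to false or color; the default (true) leaves CVE-2024-52005 unmitigated.`. The same qualification belongs in the 2.47.1-2 changelog entry in the `@@ -1123,9 +1131,13 @@` hunk, which currently reads as if the CVE were addressed out of the box.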
@@ -1036,7 +1044,7 @@ rmdir --ignore-fail-on-non-empty "$testdir" %{_pkgdocdir}/git-daemon*.txt %if %{use_systemd} %{_unitdir}/git.socket -%{_unitdir}/git@.service +%config(noreplace) %{_unitdir}/git@.service %else %config(noreplace)%{_sysconfdir}/xinetd.d/git %endif @@ -1123,9 +1131,13 @@ rmdir --ignore-fail-on-non-empty "$testdir" %{?with_docs:%{_pkgdocdir}/git-svn.html} %changelog -* Thu Nov 14 2024 Ondřej Pohořelský - 2.43.5-2 -- Add fix for extremely slow shallow clones -- Resolves: RHEL-67118 +* Mon Mar 31 2025 Ondřej Pohořelský - 2.47.1-2 +- add the option to sanitize sideband channel messages +- Resolves: RHEL-84513 + +* Thu Nov 28 2024 Ondřej Pohořelský - 2.47.1-1 +- update to 2.47.1 +- Resolves: RHEL-63964 * Thu Jun 27 2024 Ondřej Pohořelský - 2.43.5-1 - Update to 2.43.5
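Review bot: Marking `%{_unitdir}/git@.service` as `%config(noreplace)` in the `@@ -1036,7 +1044,7 @@` hunk means that once an administrator edits the unit under `%{_unitdir}`, every later change to the shipped unit (including any hardening directives added in a future update) is written to a `.rpmnew` file instead of taking effect, and nothing in the package warns about it. Local customisation of a packaged unit is normally done with a drop-in under `/etc/systemd/system/git@.service.d/` or an override copy in `/etc/systemd/system/`, neither of which needs the flag on the vendor file. If there is a reason for keeping `%config(noreplace)` here, a comment above the line stating it would help, e.g. `# git@.service is %config(noreplace) because <reason - to be filled in>`. The `%{_sysconfdir}/xinetd.d/git` entry a few lines below is a genuine config file, so the flag is appropriate there and the two cases should not be read as parallel.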