From 9a5cabc9ef558a2285b3a81e0af4a34cd62ddfd8 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Tue, 29 May 2018 13:08:24 -0400 Subject: [PATCH] Update to 2.17.1 (CVE-2018-11233, CVE-2018-11235) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes two security issues, described in the 2.13.7 release notes¹: * Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting "../" into the name. We now enforce some rules for submodule names which will cause Git to ignore these malicious names (CVE-2018-11235). Credit for finding this vulnerability and the proof of concept from which the test script was adapted goes to Etienne Stalmans. * It was possible to trick the code that sanity-checks paths on NTFS into reading random piece of memory (CVE-2018-11233). ¹ https://mirrors.edge.kernel.org/pub/software/scm/git/docs/RelNotes/2.13.7.txt --- git.spec | 7 +++++-- sources | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/git.spec b/git.spec index 4652728..ebced47 100644 --- a/git.spec +++ b/git.spec @@ -82,8 +82,8 @@ #global rcrev .rc0 Name: git -Version: 2.17.0 -Release: 4%{?rcrev}%{?dist} +Version: 2.17.1 +Release: 1%{?rcrev}%{?dist} Summary: Fast Version Control System License: GPLv2 URL: https://git-scm.com/ @@ -887,6 +887,9 @@ make test || ./print-failed-test-output %{?with_docs:%{_pkgdocdir}/git-svn.html} %changelog +* Tue May 29 2018 Todd Zullinger - 2.17.1-1 +- Update to 2.17.1 (CVE-2018-11233, CVE-2018-11235) + * Thu May 24 2018 Todd Zullinger - 2.17.0-4 - Fix segfault in rev-parse with invalid input (#1581678) - Move TEST_SHELL_PATH setting to config.mak diff --git a/sources b/sources index 77a39fe..09e10ec 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (git-2.17.0.tar.xz) = dab1c1d5d384b36720abc049a66ba60631e17958b214cfbec467be7adc02e82190e5282554da71797892c16bfe52d65b6244a281f504385083125bcb98ec7ee9 -SHA512 (git-2.17.0.tar.sign) = b86cd002910256976c5c94214ebc0d80ea67f94d110e3fb85802c9ae2edf56e1ccc77a46164986ff5ad4d8efea0ffd73fa487ebb2c55d75d8af5d2f326755237 +SHA512 (git-2.17.1.tar.xz) = 77c27569d40fbae1842130baa0cdda674a02e384631bd8fb1f2ddf67ce372dd4903b2ce6b4283a4ae506cdedd5daa55baa2afe6a6689528511e24e4beb864960 +SHA512 (git-2.17.1.tar.sign) = 90fd436a1df4a154afa36a4aaea8fa447db703ca42197f5f4507c81f96076d5f20006c265506326958f5e0b670b72b11bc37ae4bebbfee0f6ba9d9274cf71017
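Review bot: in the `Name`/`Version` hunk of git.spec, the commented `#global rcrev .rc0` context line is dead configuration carried over from an earlier release-candidate build while `Release: 1%{?rcrev}%{?dist}` still expands it; consider dropping the stale comment or annotating that it is only meant to be uncommented for rc builds, so the next packager does not read it as active. The Version/Release bump itself is consistent with the `2.17.1-1` changelog entry.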
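Review bot: the new %changelog entry in git.spec names the two CVE identifiers but gives no pointer to where the fixes are described, whereas the preceding entry cites its tracker id with `(#1581678)`; since the spec history is what most readers consult, consider appending the upstream 2.13.7 release notes reference already given in the commit message, or the corresponding Bugzilla ids, to `- Update to 2.17.1 (CVE-2018-11233, CVE-2018-11235)`.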
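Review bot: the `sources` hunk replaces the SHA512 digests for both the tarball and its detached signature in one step, so the new values only pin whatever was downloaded and cannot be validated from the diff alone; before merging, verify the detached signature against the upstream release key (the .sign file covers the uncompressed tar, e.g. `xz -dc git-2.17.1.tar.xz | gpg --verify git-2.17.1.tar.sign -`) and confirm that the digests recorded here match the verified files.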