update to 2.35.0-rc0

Add openssh-clients BuildRequires, for ssh-add. Upstream 350a2518c8 (ssh signing: support non ssh-* keytypes, 2021-11-19), added `ssh-add` as a requirement of t7528-signed-commit-ssh's "sign commits using literal public keys with ssh-agent" test. Replace the openssh BR added in e8896ce (update to 2.34.0, 2021-11-15) with openssh-clients. The latter requires the former. Apply Taylor Blau's patch to fix a use-after-free bug in fmt-merge-msg¹. Add `missing !LONG_IS_64BIT,EXPENSIVE` to git.skip-test-patterns. It is used in t1051-large-conversion after upstream 596b5e77c9 (clean/smudge: allow clean filters to process extremely large files, 2021-11-02). Release notes: https://github.com/git/git/raw/v2.35.0-rc0/Documentation/RelNotes/2.35.0.txt ¹ https://lore.kernel.org/git/CAHk-=whXPxWL7z3GiPkaDt+yygrRmagrYUnib7Lx=Vvrqx2ufg@mail.gmail.com/
2022-01-10 17:49:49 -05:00 · 2022-01-10 17:49:49 -05:00 · ef2bab7f59
commit ef2bab7f59
parent a7d2f7e53e
4 changed files with 213 additions and 7 deletions
--- a/0001-fmt-merge-msg-prevent-use-after-free-with-signed-tag.patch
+++ b/0001-fmt-merge-msg-prevent-use-after-free-with-signed-tag.patch
@ -0,0 +1,199 @@
+From mboxrd@z Thu Jan  1 00:00:00 1970
+Return-Path: <git-owner@kernel.org>
+X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
+	aws-us-west-2-korg-lkml-1.web.codeaurora.org
+Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
+	by smtp.lore.kernel.org (Postfix) with ESMTP id 4EF60C433EF
+	for <git@archiver.kernel.org>; Mon, 10 Jan 2022 21:19:15 +0000 (UTC)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+        id S1343852AbiAJVTN (ORCPT <rfc822;git@archiver.kernel.org>);
+        Mon, 10 Jan 2022 16:19:13 -0500
+Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45246 "EHLO
+        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+        with ESMTP id S240793AbiAJVTJ (ORCPT <rfc822;git@vger.kernel.org>);
+        Mon, 10 Jan 2022 16:19:09 -0500
+Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32])
+        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D57E9C06173F
+        for <git@vger.kernel.org>; Mon, 10 Jan 2022 13:19:08 -0800 (PST)
+Received: by mail-io1-xd32.google.com with SMTP id h23so19409080iol.11
+        for <git@vger.kernel.org>; Mon, 10 Jan 2022 13:19:08 -0800 (PST)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+        d=ttaylorr-com.20210112.gappssmtp.com; s=20210112;
+        h=date:from:to:cc:subject:message-id:references:mime-version
+         :content-disposition:in-reply-to;
+        bh=FTrKkNrsW7oFf2weWFjBUCeY4AzPYNFulnRyLyCVrk8=;
+        b=z+XM3REbAP5x9W9gK6pBjzm9BHigJ0mkHwdcjCN9VQSWk7aIMxsxwVauiC4+Y15Py4
+         e4kEWLSahtCS62N2410rXTW5F4IiCjrtU+iZztr+gz2IfLpV70e3CO2WaIRGNPRJm2g0
+         Gl1+Y32Gk2jkmZ7w/ue8yng54F8FHEvg5joJFj19bMoWF0kd16ny2U+SjCfurbJu7Qpm
+         7qMJtWStXIt8SBVaYdqvMjIylr3zDEvOolaSUBxXZYmD51XjQJXFL4DaYTvT6RIRsBZF
+         gcdEfTKQ3MdH7Dr8AbiaERh3vNXQ9oKb1cHL7aodKSAS6/NpSSvKMxmW+7n4yICL7hsM
+         b8pQ==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+        d=1e100.net; s=20210112;
+        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
+         :mime-version:content-disposition:in-reply-to;
+        bh=FTrKkNrsW7oFf2weWFjBUCeY4AzPYNFulnRyLyCVrk8=;
+        b=YyvJy1w+MELo/HMukbimTZO7p+9odhEtnD9F2+GB68WqNtHOSqLj+FNJKrl2cWUWPM
+         Oec5Mop17BPiDQ5du2gbK9mEJMae9wPoqUhJijzgbcfyH8nAHG8XgBD8PYhzcdaKiwZW
+         1/rhWRpyqsAmRKRnXBk+qXOydG6sbeJqYIDiHxHV/MWXzXK8L1tw0TN6x+ovUHJ8tOuu
+         ZStLc+f7IV9gr3soTs3R4sloQluxitDfe4RReEpc0HDcPxG0V91aiT4MxULStqcCqUbz
+         I1S0PJMehkw5RIZvrW8GpPjBGFao6X30hvxBN1Skq/nq1rUbbIwat343WUGUC/LogIAV
+         Wd5A==
+X-Gm-Message-State: AOAM533g0jVnFyUCJsyN7y07jhNAhfATafqgniWHcVni8kH1UQ43T/Cd
+        76bWXlo05ji/88mEupUArvoHr60/63d4qA==
+X-Google-Smtp-Source: ABdhPJwh3a+flp+ajvTa6YBvQY7iqlxqOUdkFKcfZ3ahJTw9JXb3F4kXsRKSfwjHXJ9SQm7cyHyn1Q==
+X-Received: by 2002:a05:6638:3009:: with SMTP id r9mr861119jak.262.1641849548063;
+        Mon, 10 Jan 2022 13:19:08 -0800 (PST)
+Received: from localhost (104-178-186-189.lightspeed.milwwi.sbcglobal.net. [104.178.186.189])
+        by smtp.gmail.com with ESMTPSA id t6sm5035566iov.39.2022.01.10.13.19.07
+        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
+        Mon, 10 Jan 2022 13:19:07 -0800 (PST)
+Date:   Mon, 10 Jan 2022 16:19:06 -0500
+From:   Taylor Blau <me@ttaylorr.com>
+To:     git@vger.kernel.org
+Cc:     Junio C Hamano <gitster@pobox.com>,
+        Linus Torvalds <torvalds@linux-foundation.org>,
+        Fabian Stelzer <fs@gigacodes.de>
+Subject: [PATCH] fmt-merge-msg: prevent use-after-free with signed tags
+Message-ID: <6e08b73d602853b3de71257117e85e32b96b5c19.1641849502.git.me@ttaylorr.com>
+References: <YdxqshqXB/+ApOn2@nand.local>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf-8
+Content-Disposition: inline
+In-Reply-To: <YdxqshqXB/+ApOn2@nand.local>
+Precedence: bulk
+List-ID: <git.vger.kernel.org>
+X-Mailing-List: git@vger.kernel.org
+
+When merging a signed tag, fmt_merge_msg_sigs() is responsible for
+populating the body of the merge message with the names of the signed
+tags, their signatures, and the validity of those signatures.
+
+In 02769437e1 (ssh signing: use sigc struct to pass payload,
+2021-12-09), check_signature() was taught to pass the object payload via
+the sigc struct instead of passing the payload buffer separately.
+
+In effect, 02769437e1 causes buf, and sigc.payload to point at the same
+region in memory. This causes a problem for fmt_tag_signature(), which
+wants to read from this location, since it is freed beforehand by
+signature_check_clear() (which frees it via sigc's `payload` member).
+
+That makes the subsequent use in fmt_tag_signature() a use-after-free.
+
+As a result, merge messages did not contain the body of any signed tags.
+Luckily, they tend not to contain garbage, either, since the result of
+strstr()-ing the object buffer in fmt_tag_signature() is guarded:
+
+    const char *tag_body = strstr(buf, "\n\n");
+    if (tag_body) {
+      tag_body += 2;
+      strbuf_add(tagbuf, tag_body, buf + len - tag_body);
+    }
+
+Unfortunately, the tests in t6200 did not catch this at the time because
+they do not search for the body of signed tags in fmt-merge-msg's
+output.
+
+Resolve this by waiting to call signature_check_clear() until after its
+contents can be safely discarded. Harden ourselves against any future
+regressions in this area by making sure we can find signed tag messages
+in the output of fmt-merge-msg, too.
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+---
+ fmt-merge-msg.c          | 2 +-
+ t/t6200-fmt-merge-msg.sh | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/fmt-merge-msg.c b/fmt-merge-msg.c
+index e5c0aff2bf..baca57d5b6 100644
+--- a/fmt-merge-msg.c
+++ b/fmt-merge-msg.c
+@@ -541,7 +541,6 @@ static void fmt_merge_msg_sigs(struct strbuf *out)
+ 			else
+ 				strbuf_addstr(&sig, sigc.output);
+ 		}
+-		signature_check_clear(&sigc);
+
+ 		if (!tag_number++) {
+ 			fmt_tag_signature(&tagbuf, &sig, buf, len);
+@@ -565,6 +564,7 @@ static void fmt_merge_msg_sigs(struct strbuf *out)
+ 		}
+ 		strbuf_release(&payload);
+ 		strbuf_release(&sig);
+		signature_check_clear(&sigc);
+ 	next:
+ 		free(origbuf);
+ 	}
+diff --git a/t/t6200-fmt-merge-msg.sh b/t/t6200-fmt-merge-msg.sh
+index 7544245f90..5a221f8ef1 100755
+--- a/t/t6200-fmt-merge-msg.sh
+++ b/t/t6200-fmt-merge-msg.sh
+@@ -126,6 +126,7 @@ test_expect_success GPG 'message for merging local tag signed by good key' '
+ 	git fetch . signed-good-tag &&
+ 	git fmt-merge-msg <.git/FETCH_HEAD >actual &&
+ 	grep "^Merge tag ${apos}signed-good-tag${apos}" actual &&
+	grep "^signed-tag-msg" actual &&
+ 	grep "^# gpg: Signature made" actual &&
+ 	grep "^# gpg: Good signature from" actual
+ '
+@@ -135,6 +136,7 @@ test_expect_success GPG 'message for merging local tag signed by unknown key' '
+ 	git fetch . signed-good-tag &&
+ 	GNUPGHOME=. git fmt-merge-msg <.git/FETCH_HEAD >actual &&
+ 	grep "^Merge tag ${apos}signed-good-tag${apos}" actual &&
+	grep "^signed-tag-msg" actual &&
+ 	grep "^# gpg: Signature made" actual &&
+ 	grep -E "^# gpg: Can${apos}t check signature: (public key not found|No public key)" actual
+ '
+@@ -145,6 +147,7 @@ test_expect_success GPGSSH 'message for merging local tag signed by good ssh key
+ 	git fetch . signed-good-ssh-tag &&
+ 	git fmt-merge-msg <.git/FETCH_HEAD >actual &&
+ 	grep "^Merge tag ${apos}signed-good-ssh-tag${apos}" actual &&
+	grep "^signed-ssh-tag-msg" actual &&
+ 	grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual &&
+ 	! grep "${GPGSSH_BAD_SIGNATURE}" actual
+ '
+@@ -155,6 +158,7 @@ test_expect_success GPGSSH 'message for merging local tag signed by unknown ssh
+ 	git fetch . signed-untrusted-ssh-tag &&
+ 	git fmt-merge-msg <.git/FETCH_HEAD >actual &&
+ 	grep "^Merge tag ${apos}signed-untrusted-ssh-tag${apos}" actual &&
+	grep "^signed-ssh-tag-msg-untrusted" actual &&
+ 	grep "${GPGSSH_GOOD_SIGNATURE_UNTRUSTED}" actual &&
+ 	! grep "${GPGSSH_BAD_SIGNATURE}" actual &&
+ 	grep "${GPGSSH_KEY_NOT_TRUSTED}" actual
+@@ -166,6 +170,7 @@ test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag sign
+ 	git fetch . expired-signed &&
+ 	git fmt-merge-msg <.git/FETCH_HEAD >actual &&
+ 	grep "^Merge tag ${apos}expired-signed${apos}" actual &&
+	grep "^expired-signed" actual &&
+ 	! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual
+ '
+
+@@ -175,6 +180,7 @@ test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag sign
+ 	git fetch . notyetvalid-signed &&
+ 	git fmt-merge-msg <.git/FETCH_HEAD >actual &&
+ 	grep "^Merge tag ${apos}notyetvalid-signed${apos}" actual &&
+	grep "^notyetvalid-signed" actual &&
+ 	! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual
+ '
+
+@@ -184,6 +190,7 @@ test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag sign
+ 	git fetch . timeboxedvalid-signed &&
+ 	git fmt-merge-msg <.git/FETCH_HEAD >actual &&
+ 	grep "^Merge tag ${apos}timeboxedvalid-signed${apos}" actual &&
+	grep "^timeboxedvalid-signed" actual &&
+ 	grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual &&
+ 	! grep "${GPGSSH_BAD_SIGNATURE}" actual
+ '
+@@ -194,6 +201,7 @@ test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag sign
+ 	git fetch . timeboxedinvalid-signed &&
+ 	git fmt-merge-msg <.git/FETCH_HEAD >actual &&
+ 	grep "^Merge tag ${apos}timeboxedinvalid-signed${apos}" actual &&
+	grep "^timeboxedinvalid-signed" actual &&
+ 	! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual
+ '
+
+--
+2.34.1.455.gd6eb6fd089
+
--- a/git.skip-test-patterns
+++ b/git.skip-test-patterns
@ -4,7 +4,7 @@ GIT_SKIP_TESTS
 missing AUTOIDENT
 missing CASE_INSENSITIVE_FS
 missing DONTHAVEIT
-missing EXPENSIVE
+missing ([!]LONG_IS_64BIT,)?EXPENSIVE
 missing JGIT
 missing !?LAZY_(TRUE|FALSE)
 missing MINGW
--- a/git.spec
+++ b/git.spec
@ -76,11 +76,11 @@
 %endif

 # Define for release candidates
-#global rcrev   .rc0
+%global rcrev   .rc0

 Name:           git
-Version:        2.34.1
-Release:        1%{?rcrev}%{?dist}
+Version:        2.35.0
+Release:        0.0%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
 URL:            https://git-scm.com/
@ -119,6 +119,10 @@ Patch3:         0003-t-lib-gpg-kill-all-gpg-components-not-just-gpg-agent.patch
 Patch4:         0004-t4202-match-gpgsm-output-from-GnuPG-2.3.patch
 Patch5:         0005-gpg-interface-match-SIG_CREATED-if-it-s-the-first-li.patch

+# Fix tag message contents
+# https://lore.kernel.org/git/CAHk-=whXPxWL7z3GiPkaDt+yygrRmagrYUnib7Lx=Vvrqx2ufg@mail.gmail.com/
+Patch6:         https://lore.kernel.org/git/6e08b73d602853b3de71257117e85e32b96b5c19.1641849502.git.me@ttaylorr.com/raw#/0001-fmt-merge-msg-prevent-use-after-free-with-signed-tag.patch
+
 %if %{with docs}
 # pod2man is needed to build Git.3pm
 BuildRequires:  %{_bindir}/pod2man
@ -218,7 +222,7 @@ BuildRequires:  jgit
 %endif
 # endif fedora (except i386 and s390x)
 BuildRequires:  mod_dav_svn
-BuildRequires:  openssh
+BuildRequires:  openssh-clients
 BuildRequires:  perl(App::Prove)
 BuildRequires:  perl(CGI)
 BuildRequires:  perl(CGI::Carp)
@ -1008,6 +1012,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}

 %changelog
+* Mon Jan 10 2022 Todd Zullinger <tmz@pobox.com> - 2.35.0-0.0.rc0
+- update to 2.35.0-rc0
+
 * Thu Nov 25 2021 Todd Zullinger <tmz@pobox.com> - 2.34.1-1
 - update to 2.34.1
 - fix gpgsm issues with gnupg-2.3
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (git-2.34.1.tar.xz) = a1a8e9e6f64b1da25508fbd2f783564dcdbe181fb5ff1ebab3bdac6db6094e18acc334479a1abf22ac17ce4f733cc3e10a664db9ab234cd523735a3f027b42db
-SHA512 (git-2.34.1.tar.sign) = a1111276e18da1a7b360e3ed3b8460034ea413b116482b0b66342f8873a9dd02a90f3f5bc7ad1e4b3c7f39ed55926a8155064b849e6e6bdf9478cb85b93f10b5
+SHA512 (git-2.35.0.rc0.tar.xz) = 9aa5d89d7981c73d32e9023dfc61a62e63688c3172cba4bee145b2ff4f5f7bc497435d1b4b535089c698893feabc6057a6522676e52bd3355327dfc0b6b8ba56
+SHA512 (git-2.35.0.rc0.tar.sign) = fe4e74de26c0268d36f4fecfa2a2e014e4025c16c931366d1f6f70417661aa250e4ccb8d583c1060559e554e0f5eb770901f246f729f9a55ecbd08c11c6f1119