Commit Graph

331 Commits

Author SHA1 Message Date
Todd Zullinger
029feecb34 update to 2.39.1 (CVE-2022-41903, CVE-2022-23521)
From the release notes for 2.30.7¹:

    * CVE-2022-41903:

       git log has the ability to display commits using an arbitrary
       format with its --format specifiers. This functionality is also
       exposed to git archive via the export-subst gitattribute.

       When processing the padding operators (e.g., %<(, %<|(, %>(,
       %>>(, or %><( ), an integer overflow can occur in
       pretty.c::format_and_pad_commit() where a size_t is improperly
       stored as an int, and then added as an offset to a subsequent
       memcpy() call.

       This overflow can be triggered directly by a user running a
       command which invokes the commit formatting machinery (e.g., git
       log --format=...). It may also be triggered indirectly through
       git archive via the export-subst mechanism, which expands format
       specifiers inside of files within the repository during a git
       archive.

       This integer overflow can result in arbitrary heap writes, which
       may result in remote code execution.

    * CVE-2022-23521:

       gitattributes are a mechanism to allow defining attributes for
       paths. These attributes can be defined by adding a `.gitattributes`
       file to the repository, which contains a set of file patterns and
       the attributes that should be set for paths matching this pattern.

       When parsing gitattributes, multiple integer overflows can occur
       when there is a huge number of path patterns, a huge number of
       attributes for a single pattern, or when the declared attribute
       names are huge.

       These overflows can be triggered via a crafted `.gitattributes` file
       that may be part of the commit history. Git silently splits lines
       longer than 2KB when parsing gitattributes from a file, but not when
       parsing them from the index. Consequentially, the failure mode
       depends on whether the file exists in the working tree, the index or
       both.

       This integer overflow can result in arbitrary heap reads and writes,
       which may result in remote code execution.

    Credit for finding CVE-2022-41903 goes to Joern Schneeweisz of GitLab.
    An initial fix was authored by Markus Vervier of X41 D-Sec. Credit for
    finding CVE-2022-23521 goes to Markus Vervier and Eric Sesterhenn of X41
    D-Sec. This work was sponsored by OSTIF.

    The proposed fixes have been polished and extended to cover additional
    findings by Patrick Steinhardt of GitLab, with help from others on the
    Git security mailing list.

¹ https://github.com/git/git/raw/v2.39.1/Documentation/RelNotes/2.30.7.txt
2023-01-17 15:13:12 -05:00
Todd Zullinger
66efed4a98 update to 2.39.0
Release notes:
https://github.com/git/git/raw/v2.39.0/Documentation/RelNotes/2.39.0.txt
2022-12-12 13:27:10 -05:00
Todd Zullinger
54729198f5 update to 2.39.0-rc2
Release notes:
https://github.com/git/git/raw/v2.39.0-rc2/Documentation/RelNotes/2.39.0.txt
2022-12-06 01:54:30 -05:00
Todd Zullinger
13887794b7 update to 2.39.0-rc1
Release notes:
https://github.com/git/git/raw/v2.39.0-rc1/Documentation/RelNotes/2.39.0.txt
2022-12-01 15:22:49 -05:00
Todd Zullinger
7d21254b02 update to 2.39.0-rc0
Add mod_http2 BuildRequires for t5559-http-fetch-smart-http2; skip it on
EL7, which lacks it.  Ignore the expected 'missing HTTP2' output from
t5551-http-fetch-smart.  Use a strict pattern to avoid unintended
matches.

Sadly, we must also disable t5559 for now.  It fails very often across
all architectures.  The most common failure is "large fetch-pack
requests can be sent using chunked encoding" (t5559.30), but earlier
tests have also failed.  Until these failures are understood and
resolved, the entire test is disabled globally.  (It's also disabled for
EL-7, which is redundant now but won't be after we re-enable the test
globally in the near future.)

We can't simply skip the mod_http2 dependency here because we set
GIT_TEST_HTTPD=true.  Per upstream 73c49a4474 (t: run t5551 tests with
both HTTP and HTTP/2, 2022-11-11):

    If HTTP/2 isn't supported on a given platform, then t5559 should
    bail during the webserver setup, and gracefully skip all tests
    (unless GIT_TEST_HTTPD has been changed from "auto" to "yes", where
    the point is to complain when webserver setup fails).

Also ignore the 'missing BUILTIN_TXT_$builtin' output which comes from
upstream a0c3244796 (doc SYNOPSIS & -h: use "-" to separate words in
labels, not "_", 2022-10-13).  We may want to loosen this in the future,
but for now ignore it because it doesn't help us identify missing test
dependencies.

Release notes:
https://github.com/git/git/raw/v2.39.0-rc0/Documentation/RelNotes/2.39.0.txt
2022-12-01 15:22:49 -05:00
Todd Zullinger
537938edaa update to 2.38.1 (CVE-2022-39253, CVE-2022-39260)
From the release notes for 2.30.6¹:

   * CVE-2022-39253:
     When relying on the `--local` clone optimization, Git dereferences
     symbolic links in the source repository before creating hardlinks
     (or copies) of the dereferenced link in the destination repository.
     This can lead to surprising behavior where arbitrary files are
     present in a repository's `$GIT_DIR` when cloning from a malicious
     repository.

     Git will no longer dereference symbolic links via the `--local`
     clone mechanism, and will instead refuse to clone repositories that
     have symbolic links present in the `$GIT_DIR/objects` directory.

     Additionally, the value of `protocol.file.allow` is changed to be
     "user" by default.

   * CVE-2022-39260:
     An overly-long command string given to `git shell` can result in
     overflow in `split_cmdline()`, leading to arbitrary heap writes and
     remote code execution when `git shell` is exposed and the directory
     `$HOME/git-shell-commands` exists.

     `git shell` is taught to refuse interactive commands that are
     longer than 4MiB in size. `split_cmdline()` is hardened to reject
     inputs larger than 2GiB.

  Credit for finding CVE-2022-39253 goes to Cory Snider of Mirantis. The
  fix was authored by Taylor Blau, with help from Johannes Schindelin.

  Credit for finding CVE-2022-39260 goes to Kevin Backhouse of GitHub.
  The fix was authored by Kevin Backhouse, Jeff King, and Taylor Blau.

¹ https://github.com/git/git/raw/v2.38.1/Documentation/RelNotes/2.30.6.txt
2022-10-18 13:43:15 -04:00
Todd Zullinger
269487c604 update to 2.38.0
Release notes:
https://github.com/git/git/raw/v2.38.0/Documentation/RelNotes/2.38.0.txt
2022-10-03 15:21:28 -04:00
Todd Zullinger
202c5f9f24 update to 2.38.0-rc2
Release notes:
https://github.com/git/git/raw/v2.38.0-rc2/Documentation/RelNotes/2.38.0.txt
2022-09-28 00:18:42 -04:00
Todd Zullinger
35ed577d15 update to 2.38.0-rc1
Release notes:
https://github.com/git/git/raw/v2.38.0-rc1/Documentation/RelNotes/2.38.0.txt
2022-09-21 20:32:41 -04:00
Todd Zullinger
ea59aa3637 update to 2.38.0-rc0
Adjust number of t5541 "push 2000 tags over http" test, which we skip on
aarch64 and ppc64le arches.  It was shifted from 36 to 37 by upstream
b0c4adcdd7 (remote-curl: send Accept-Language header to server,
2022-07-11).

Release notes:
https://github.com/git/git/raw/v2.38.0-rc0/Documentation/RelNotes/2.38.0.txt
2022-09-21 11:42:57 -04:00
Todd Zullinger
c1a92d4bda update to 2.37.3
This is an upstream bugfix release.

Release notes:
https://github.com/git/git/raw/v2.37.3/Documentation/RelNotes/2.37.3.txt
2022-08-30 21:10:12 -04:00
Todd Zullinger
5c57e78875 update to 2.37.2
This is an upstream bugfix release.

Release notes:
https://github.com/git/git/raw/v2.37.2/Documentation/RelNotes/2.37.2.txt
2022-08-11 14:22:53 -04:00
Todd Zullinger
47478b1513 update to 2.37.1 (CVE-2022-29187)
From the release notes for 2.30.5¹:

    This release contains minor fix-ups for the changes that went into
    Git 2.30.3 and 2.30.4, addressing CVE-2022-29187.

     * The safety check that verifies a safe ownership of the Git
       worktree is now extended to also cover the ownership of the Git
       directory (and the `.git` file, if there is any).

    Carlo Marcelo Arenas Belón (1):
          setup: tighten ownership checks post CVE-2022-24765

Additionally, from the release notes for 2.37.1²:

     * Rewrite of "git add -i" in C that appeared in Git 2.25 didn't
       correctly record a removed file to the index, which is an old
       regression but has become widely known because the C version has
       become the default in the latest release.

¹ https://github.com/git/git/raw/v2.37.1/Documentation/RelNotes/2.30.5.txt
² https://github.com/git/git/raw/v2.37.1/Documentation/RelNotes/2.37.1.txt
2022-07-12 13:39:22 -04:00
Todd Zullinger
eab9894931 update to 2.37.0
Release notes:
https://github.com/git/git/raw/v2.37.0/Documentation/RelNotes/2.37.0.txt
2022-06-27 15:07:59 -04:00
Todd Zullinger
8b14c0b19f update to 2.37.0-rc2
Release notes:
https://github.com/git/git/raw/v2.37.0-rc2/Documentation/RelNotes/2.37.0.txt
2022-06-22 15:51:09 -04:00
Todd Zullinger
7d205ab48d update to 2.37.0-rc1
Add 'missing FSMONITOR_DAEMON' and 'You must set env var
GIT_TEST_ALLOW_SUDO=YES in order to run this test' to
git.skip-test-patterns to cover new test prerequisites.

Release notes:
https://github.com/git/git/raw/v2.37.0-rc1/Documentation/RelNotes/2.37.0.txt
2022-06-18 01:59:06 -04:00
Todd Zullinger
81908fa387 update to 2.37.0-rc0
Release notes:
https://github.com/git/git/raw/v2.37.0-rc0/Documentation/RelNotes/2.37.0.txt
2022-06-14 03:16:56 -04:00
Todd Zullinger
b76548f9c2 update to 2.36.1
Release notes:
https://github.com/git/git/raw/v2.36.1/Documentation/RelNotes/2.36.1.txt
2022-05-06 14:01:06 -04:00
Todd Zullinger
dbec023603 update to 2.36.0
Release notes:
https://github.com/git/git/raw/v2.36.0/Documentation/RelNotes/2.36.0.txt
2022-04-18 14:11:02 -04:00
Todd Zullinger
4787e39b40 update to 2.36.0-rc2 (CVE-2022-24765)
Regarding CVE-2022-24765, the release announcement says:

   On multi-user machines, Git users might find themselves
   unexpectedly in a Git worktree, e.g. when another user created a
   repository in `C:\.git`, in a mounted network drive or in a
   scratch space. Merely having a Git-aware prompt that runs `git
   status` (or `git diff`) and navigating to a directory which is
   supposedly not a Git worktree, or opening such a directory in an
   editor or IDE such as VS Code or Atom, will potentially run
   commands defined by that other user.

The new `safe.directory` setting may be used in either the system or
global configuration to list directories which git should consider safe
even if they are owned by someone other than the current user.

Release notes:
https://github.com/git/git/raw/v2.36.0-rc2/Documentation/RelNotes/2.36.0.txt
2022-04-12 21:04:04 -04:00
Todd Zullinger
d1736385d5 update to 2.36.0-rc1
Release notes:
https://github.com/git/git/raw/v2.36.0-rc1/Documentation/RelNotes/2.36.0.txt
2022-04-08 20:01:33 -04:00
Todd Zullinger
0b5afcebda update to 2.36.0-rc0
The %_package_note_file definition added in 1dc07e7 (set path to linker
script in %_package_note_file, 2022-01-24) does not support release
candidates.  Fix it.

Add 'fsmonitor--daemon is not supported on this platform' and 'missing
!REFFILES' to git.skip-test-patterns to match new test prerequisites
which are not relevant for our builds.

Adjust number of t5541 "push 2000 tags over http" test.  It was shifted
from 35 to 36 by upstream c36c62859a (tests: use "test_hook" for misc
"mkdir -p" and "chmod" cases, 2022-03-17).

Replace `%__make test` with `%__make -C t all` to avoid re-compiling in
%check.  This is an issue I have yet to fully diagnose.  I suspect that
it is related to the nice work Ævar Arnfjörð Bjarmason has done upstream
to improve the efficiency and correctness of the build process.  Work
around it for the moment.

Release notes:
https://github.com/git/git/raw/v2.36.0-rc0/Documentation/RelNotes/2.36.0.txt
2022-04-08 13:40:42 -04:00
Todd Zullinger
9e214cd4d0 update to 2.35.1
Per the upstream release notes¹:

    Git 2.35 shipped with a regression that broke use of "rebase" and
    "stash" in a secondary worktree.  This maintenance release ought to
    fix it.

¹ https://github.com/git/git/raw/v2.35.1/Documentation/RelNotes/2.35.1.txt
2022-01-29 00:20:45 -05:00
Todd Zullinger
4eb061b209 update to 2.35.0
Release notes:
https://github.com/git/git/raw/v2.35.0/Documentation/RelNotes/2.35.0.txt
2022-01-24 15:31:20 -05:00
Todd Zullinger
a8bfca0241 update to 2.35.0-rc2
Release notes:
https://github.com/git/git/raw/v2.35.0-rc2/Documentation/RelNotes/2.35.0.txt
2022-01-19 18:02:12 -05:00
Todd Zullinger
9d7a08be77 update to 2.35.0-rc1
Release notes:
https://github.com/git/git/raw/v2.35.0-rc1/Documentation/RelNotes/2.35.0.txt
2022-01-14 20:04:04 -05:00
Todd Zullinger
ef2bab7f59 update to 2.35.0-rc0
Add openssh-clients BuildRequires, for ssh-add.  Upstream 350a2518c8
(ssh signing: support non ssh-* keytypes, 2021-11-19), added `ssh-add`
as a requirement of t7528-signed-commit-ssh's "sign commits using
literal public keys with ssh-agent" test.

Replace the openssh BR added in e8896ce (update to 2.34.0, 2021-11-15)
with openssh-clients.  The latter requires the former.

Apply Taylor Blau's patch to fix a use-after-free bug in fmt-merge-msg¹.

Add `missing !LONG_IS_64BIT,EXPENSIVE` to git.skip-test-patterns.  It is
used in t1051-large-conversion after upstream 596b5e77c9 (clean/smudge:
allow clean filters to process extremely large files, 2021-11-02).

Release notes:
https://github.com/git/git/raw/v2.35.0-rc0/Documentation/RelNotes/2.35.0.txt

¹ https://lore.kernel.org/git/CAHk-=whXPxWL7z3GiPkaDt+yygrRmagrYUnib7Lx=Vvrqx2ufg@mail.gmail.com/
2022-01-10 22:14:13 -05:00
Todd Zullinger
7453454dad update to 2.34.1
Release notes:
https://github.com/git/git/raw/v2.34.1/Documentation/RelNotes/2.34.1.txt
2021-11-25 00:42:31 -05:00
Todd Zullinger
e8896ce365 update to 2.34.0
Release notes:
https://github.com/git/git/raw/v2.34.0/Documentation/RelNotes/2.34.0.txt

Add `BuildRequires: openssh` for the `ssh-keygen` command; it is needed
to test the newly-added ssh signing support¹.  Refer to the `gpg.format`
and `gpg.ssh.*` variables in git-config(1) for details.

[Unfortunately, openssh-8.7 has a bug in the requisite `ssh-keygen -Y
find-principals` command, which will limit the usefulness of this
feature on Fedora 35/36 until openssh is either rebased to 8.8 or the
patch² is backported.  The git testsuite has been taught to skip the
tests when this bug is present, in upstream ca7a5bf4bd (t/lib-gpg: avoid
broken versions of ssh-keygen, 2021-11-10), but that won't help users
who try out this new feature.  Hopefully we can get openssh-8.7 in
Fedora 35 & 36 patched or updated before too long.]

We have `Requires: openssh-clients` in git-core already.  The
openssh-clients package requires openssh so we don't _need_ to add an
install-time requirement to ensure the `ssh-keygen` command is
available.

Ignore RUNTIME_PREFIX and SYMLINKS_WINDOWS test prerequisites when
looking for missing test suite BuildRequires³.

The RUNTIME_PREFIX prerequisite was added in b7d11a0f5d (tests: exercise
the RUNTIME_PREFIX feature, 2021-07-24)⁴.  It is used to build binaries
which can be easily relocated, which we don't need in our builds.

The SYMLINKS_WINDOWS prerequisite was added in 3e7d4888e5 (mingw: align
symlinks-related rmdir() behavior with Linux, 2021-08-02)⁵.  It is, as
the name implies, Windows-specific.

¹ https://github.com/git/git/commit/b5726a5d9c (ssh signing: preliminary
  refactoring and clean-up, 2021-09-10) and the commits which follow.
² https://github.com/openssh/openssh-portable/commit/ca0e455b93,
  https://github.com/openssh/openssh-portable/commit/4afe431da9, and
  https://www.mail-archive.com/source-changes@openbsd.org/msg127496.html
  (plus the replies, which point out the typo in the first patch)
³ fa92661 (Add grep patterns for checking skipped tests, 2019-02-02)
⁴ https://github.com/git/git/commit/b7d11a0f5d
⁵ https://github.com/git/git/commit/3e7d4888e5
2021-11-24 23:23:19 -05:00
Todd Zullinger
5507b1a187 update to 2.33.1
Release notes:
https://github.com/git/git/raw/v2.33.1/Documentation/RelNotes/2.33.1.txt
2021-10-12 23:30:43 -04:00
Ondřej Pohořelský
f291bcfd27 update to 2.33.0
contrib/hooks/multimail is no longer distributed with git

The multimail hook was removed from the git contrib tree.  From the
upstream commit f74d11471f (multimail: stop shipping a copy,
2021-06-10):

The multimail project is developed independently and has its own project
page. Traditionally, we shipped a copy in contrib/.
However, such a copy is prone to become stale, and users are much better
served to be directed to the actual project instead.
2021-10-05 17:54:36 +02:00
Todd Zullinger
c2eba54e84 update to 2.32.0
Release notes:
https://github.com/git/git/raw/v2.32.0/Documentation/RelNotes/2.32.0.txt
2021-06-06 11:34:56 -04:00
Todd Zullinger
c052174f85 update to 2.32.0-rc3
Release notes:
https://github.com/git/git/raw/v2.32.0-rc3/Documentation/RelNotes/2.32.0.txt
2021-06-02 11:06:13 -04:00
Todd Zullinger
02138d4e5c update to 2.32.0-rc2
Release notes:
https://github.com/git/git/raw/v2.32.0-rc2/Documentation/RelNotes/2.32.0.txt
2021-05-28 10:27:29 -04:00
Todd Zullinger
0f6131b58c update to 2.32.0-rc1
Release notes:
https://github.com/git/git/raw/v2.32.0-rc1/Documentation/RelNotes/2.32.0.txt
2021-05-22 10:16:34 -04:00
Todd Zullinger
e67c091cc6 update to 2.32.0-rc0
Release notes:
https://github.com/git/git/raw/v2.32.0-rc0/Documentation/RelNotes/2.32.0.txt
2021-05-21 20:04:15 -04:00
Todd Zullinger
e4b60c52ef update to 2.31.1
Release notes:
https://github.com/git/git/raw/v2.31.1/Documentation/RelNotes/2.31.1.txt
2021-03-27 00:20:43 -04:00
Todd Zullinger
ce53345a7d update to 2.31.0
Release notes:
https://github.com/git/git/raw/v2.31.0/Documentation/RelNotes/2.31.0.txt
2021-03-15 16:04:01 -04:00
Todd Zullinger
cb2e458a19 update to 2.31.0-rc2
This release includes a fix for CVE-2021-21300¹ in addition to the other
changes along the path to the final 2.31.0 release.

Release notes:
https://github.com/git/git/raw/v2.31.0-rc2/Documentation/RelNotes/2.31.0.txt

¹ Per the 2.17.6 release notes on CVE-2021-21300:
    On case-insensitive file systems with support for symbolic links, if
    Git is configured globally to apply delay-capable clean/smudge
    filters (such as Git LFS), Git could be fooled into running remote
    code during a clone.
2021-03-09 14:06:01 -05:00
Todd Zullinger
91eeb42936 update to 2.31.0-rc1
Release notes:
https://github.com/git/git/raw/v2.31.0-rc1/Documentation/RelNotes/2.31.0.txt
2021-03-03 10:22:27 -05:00
Todd Zullinger
adc702ecfc update to 2.31.0-rc0
Release notes:
https://github.com/git/git/raw/v2.31.0-rc0/Documentation/RelNotes/2.31.0.txt
2021-03-03 10:21:08 -05:00
Todd Zullinger
0cb8e1a378 update to 2.30.1
Release notes:
https://github.com/git/git/raw/v2.30.1/Documentation/RelNotes/2.30.1.txt
2021-02-08 22:06:18 -05:00
Todd Zullinger
c93103f5ad update to 2.30.0
Release notes:
https://github.com/git/git/raw/v2.30.0/Documentation/RelNotes/2.30.0.txt
2020-12-28 15:02:16 -05:00
Todd Zullinger
8fef3782c3 update to 2.30.0-rc2
Release notes:
https://github.com/git/git/raw/v2.30.0-rc2/Documentation/RelNotes/2.30.0.txt
2020-12-23 19:01:29 -05:00
Todd Zullinger
9e220daf74 update to 2.30.0-rc1
Release notes:
https://github.com/git/git/raw/v2.30.0-rc1/Documentation/RelNotes/2.30.0.txt
2020-12-18 23:40:05 -05:00
Todd Zullinger
528c7a0575 update to 2.30.0-rc0
Release notes:
https://github.com/git/git/raw/v2.30.0-rc0/Documentation/RelNotes/2.30.0.txt
2020-12-14 15:09:47 -05:00
Todd Zullinger
8fc9bc0302 update to 2.29.2
Quoting the release notes:

   In 2.29, "--committer-date-is-author-date" option of "rebase" and
   "am" subcommands lost the e-mail address by mistake, which has been
   corrected.

Release notes:
https://github.com/git/git/raw/v2.29.2/Documentation/RelNotes/2.29.2.txt
2020-10-29 18:45:12 -04:00
Todd Zullinger
f3a190b8da update to 2.29.1
The update to 2.29.1 is pointless on its own¹, but a subsequent commit
will add some additional post-release fixes for 2.29.  Once we're
pushing an update, we might as well pick up the latest point release to
avoid anyone wondering why we've skipped an update.

Release notes:
https://github.com/git/git/raw/v2.29.1/Documentation/RelNotes/2.29.1.txt

¹ The only change in 2.29.1 is a Makefile fix for users of the
  non-default SKIP_DASHED_BUILT_INS installation option.
2020-10-24 22:18:37 -04:00
Todd Zullinger
08f0612fd8 update to 2.29.0
Release notes:
https://github.com/git/git/raw/v2.29.0/Documentation/RelNotes/2.29.0.txt
2020-10-19 22:43:16 -04:00
Todd Zullinger
126d6526c9 update to 2.29.0-rc2
Release notes:
https://github.com/git/git/raw/v2.29.0-rc2/Documentation/RelNotes/2.29.0.txt
2020-10-15 16:56:50 -04:00