Commit Graph

703 Commits

Author SHA1 Message Date
Yaakov Selkowitz
2600353fc1 Fix file dependencies
Installation path macros must not be used in file dependencies:

https://docs.fedoraproject.org/en-US/packaging-guidelines/#_file_and_directory_dependencies
2023-07-06 12:03:58 -04:00
Todd Zullinger
ee7f0d47a7 update to 2.41.0
Release notes:
https://github.com/git/git/raw/v2.41.0/Documentation/RelNotes/2.41.0.txt
2023-06-01 10:24:28 -04:00
Todd Zullinger
bae778cbc1 fix Source URL handling
Move %rcpath definition added in d050347 (use tilde versioning for release
candidates, 2023-05-12) after %real_version.  Otherwise, it is not
parsed correctly.

(I'm pretty sure it worked in the past, but it certainly doesn't now.)
2023-06-01 10:20:55 -04:00
Todd Zullinger
a297238a54 update to 2.41.0-rc2
Release notes:
https://github.com/git/git/raw/v2.41.0-rc2/Documentation/RelNotes/2.41.0.txt
2023-05-24 17:50:22 -04:00
Todd Zullinger
3f9ea1c489 update to 2.41.0-rc1
Release notes:
https://github.com/git/git/raw/v2.41.0-rc1/Documentation/RelNotes/2.41.0.txt
2023-05-19 15:40:11 -04:00
Todd Zullinger
08d76e08ab update to 2.41.0-rc0
Release notes:
https://github.com/git/git/raw/v2.41.0-rc0/Documentation/RelNotes/2.41.0.txt
2023-05-15 23:05:09 -04:00
Todd Zullinger
d050347835 use tilde versioning for release candidates
All supported releases of Fedora and EPEL support the tilde notation.

Reference:
https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/
2023-05-15 23:03:37 -04:00
Todd Zullinger
b477fc3318 update to 2.40.1 (CVE-2023-25652, CVE-2023-25815, CVE-2023-29007)
Refer to the release notes for 2.30.9 for details of each CVE as well as
the following security advisories from the git project:

https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx (CVE-2023-25652)
https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844 (CVE-2023-29007)

(At this time there is no upstream advisory for CVE-2023-25815.  This
issue does not affect the Fedora packages as we do not use the runtime
prefix support.)

Release notes:
https://github.com/git/git/raw/v2.30.9/Documentation/RelNotes/2.30.9.txt
https://github.com/git/git/raw/v2.40.1/Documentation/RelNotes/2.40.1.txt
2023-04-25 13:16:39 -04:00
Todd Zullinger
459d08b118 update to 2.40.0
Release notes:
https://github.com/git/git/raw/v2.40.0/Documentation/RelNotes/2.40.0.txt
2023-03-13 14:11:40 -04:00
Todd Zullinger
b8be89a815 update to 2.40.0-rc2
Release notes:
https://github.com/git/git/raw/v2.40.0-rc2/Documentation/RelNotes/2.40.0.txt
2023-03-07 14:59:23 -05:00
Todd Zullinger
01d712d89b update to 2.40.0-rc1
Apply upstream patch to resolve issues in range-diff on non-x86 arches.

Release notes:
https://github.com/git/git/raw/v2.40.0-rc1/Documentation/RelNotes/2.40.0.txt
2023-03-01 15:42:47 -05:00
Todd Zullinger
f5940a719d update to 2.40.0-rc0
Release notes:
https://github.com/git/git/raw/v2.40.0-rc0/Documentation/RelNotes/2.40.0.txt
2023-02-24 16:37:12 -05:00
Todd Zullinger
4583821b53 update to 2.39.2 (CVE-2023-22490, CVE-2023-23946)
From the release notes for 2.30.8¹:

     * CVE-2023-22490:

       Using a specially-crafted repository, Git can be tricked into using
       its local clone optimization even when using a non-local transport.
       Though Git will abort local clones whose source $GIT_DIR/objects
       directory contains symbolic links (c.f., CVE-2022-39253), the objects
       directory itself may still be a symbolic link.

       These two may be combined to include arbitrary files based on known
       paths on the victim's filesystem within the malicious repository's
       working copy, allowing for data exfiltration in a similar manner as
       CVE-2022-39253.

     * CVE-2023-23946:

       By feeding a crafted input to "git apply", a path outside the
       working tree can be overwritten as the user who is running "git
       apply".

     * A mismatched type in `attr.c::read_attr_from_index()` which could
       cause Git to errantly reject attributes on Windows and 32-bit Linux
       has been corrected.

    Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was
    developed by Taylor Blau, with additional help from others on the
    Git security mailing list.

    Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the
    fix was developed by Patrick Steinhardt.

¹ https://github.com/git/git/raw/v2.39.2/Documentation/RelNotes/2.30.8.txt
2023-02-14 13:15:01 -05:00
Todd Zullinger
7c34cecc4c drop perl Email::Valid dep on RHEL (#2166718)
The git send-email command uses Email::Valid to check addresses.  If
Email::Valid is not present, it falls back to a more basic regex match
(which is not nearly as thorough as the checks Email::Valid performs).

While Fedora (and EPEL 7/8) provide perl-Email-Valid, RHEL does not and
does not wish to add the dependency.  Make it easier for RHEL to fork &
sync from us by making the dependency conditional.

References:
https://bugzilla.redhat.com/2020487
https://bugzilla.redhat.com/2046203
http://public-inbox.org/git/20220620004427.3586240-1-trawets@amazon.com/T/#u
4414f61 (add more git-email perl dependencies, 2021-11-13)
2023-02-03 16:05:16 -05:00
Fedora Release Engineering
04a6af281b Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-19 04:55:02 +00:00
Todd Zullinger
029feecb34 update to 2.39.1 (CVE-2022-41903, CVE-2022-23521)
From the release notes for 2.30.7¹:

    * CVE-2022-41903:

       git log has the ability to display commits using an arbitrary
       format with its --format specifiers. This functionality is also
       exposed to git archive via the export-subst gitattribute.

       When processing the padding operators (e.g., %<(, %<|(, %>(,
       %>>(, or %><( ), an integer overflow can occur in
       pretty.c::format_and_pad_commit() where a size_t is improperly
       stored as an int, and then added as an offset to a subsequent
       memcpy() call.

       This overflow can be triggered directly by a user running a
       command which invokes the commit formatting machinery (e.g., git
       log --format=...). It may also be triggered indirectly through
       git archive via the export-subst mechanism, which expands format
       specifiers inside of files within the repository during a git
       archive.

       This integer overflow can result in arbitrary heap writes, which
       may result in remote code execution.

    * CVE-2022-23521:

       gitattributes are a mechanism to allow defining attributes for
       paths. These attributes can be defined by adding a `.gitattributes`
       file to the repository, which contains a set of file patterns and
       the attributes that should be set for paths matching this pattern.

       When parsing gitattributes, multiple integer overflows can occur
       when there is a huge number of path patterns, a huge number of
       attributes for a single pattern, or when the declared attribute
       names are huge.

       These overflows can be triggered via a crafted `.gitattributes` file
       that may be part of the commit history. Git silently splits lines
       longer than 2KB when parsing gitattributes from a file, but not when
       parsing them from the index. Consequentially, the failure mode
       depends on whether the file exists in the working tree, the index or
       both.

       This integer overflow can result in arbitrary heap reads and writes,
       which may result in remote code execution.

    Credit for finding CVE-2022-41903 goes to Joern Schneeweisz of GitLab.
    An initial fix was authored by Markus Vervier of X41 D-Sec. Credit for
    finding CVE-2022-23521 goes to Markus Vervier and Eric Sesterhenn of X41
    D-Sec. This work was sponsored by OSTIF.

    The proposed fixes have been polished and extended to cover additional
    findings by Patrick Steinhardt of GitLab, with help from others on the
    Git security mailing list.

¹ https://github.com/git/git/raw/v2.39.1/Documentation/RelNotes/2.30.7.txt
2023-01-17 15:13:12 -05:00
Todd Zullinger
6fcfc2d4a2 require perl(MODULE_COMPAT) for Fedora < 38 and RHEL
ce294ea (Remove perl(MODULE_COMPAT), it will be replaced by generators,
2023-01-13) removed the `Requires: perl(:MODULE_COMPAT_*)` entirely.
This is not suitable for merging to older Fedora or RHEL releases.  Make
the requirement conditional.
2023-01-17 15:12:29 -05:00
Jitka Plesnikova
ce294eae02 Remove perl(MODULE_COMPAT), it will be replaced by generators
2023-01-13 09:35:22 +01:00
Todd Zullinger
66efed4a98 update to 2.39.0
Release notes:
https://github.com/git/git/raw/v2.39.0/Documentation/RelNotes/2.39.0.txt
2022-12-12 13:27:10 -05:00
Todd Zullinger
54729198f5 update to 2.39.0-rc2
Release notes:
https://github.com/git/git/raw/v2.39.0-rc2/Documentation/RelNotes/2.39.0.txt
2022-12-06 01:54:30 -05:00
Todd Zullinger
0af3adfcb1 include test-results & "trash" directory contents in build output
When a build fails, the contents of t/test-results and the trash
directories can be quite useful for debugging.  This is particularly
true when the failures occur only in Koji, where we can't get a shell
and poke around.

Create a compressed tarball and encode it with base64 to allow it to be
output along with the normal build output.  Include instructions on how
to extract the base64-encoded content from the build log inline.

The tar archive is compressed with zstd which provides a good balance of
speed and size.  The compression level of 17 was chosen after a number
of tests against real test failures, as opposed to entirely random
selection. ;)
2022-12-06 01:54:30 -05:00
Todd Zullinger
13887794b7 update to 2.39.0-rc1
Release notes:
https://github.com/git/git/raw/v2.39.0-rc1/Documentation/RelNotes/2.39.0.txt
2022-12-01 15:22:49 -05:00
Todd Zullinger
7d21254b02 update to 2.39.0-rc0
Add mod_http2 BuildRequires for t5559-http-fetch-smart-http2; skip it on
EL7, which lacks it.  Ignore the expected 'missing HTTP2' output from
t5551-http-fetch-smart.  Use a strict pattern to avoid unintended
matches.

Sadly, we must also disable t5559 for now.  It fails very often across
all architectures.  The most common failure is "large fetch-pack
requests can be sent using chunked encoding" (t5559.30), but earlier
tests have also failed.  Until these failures are understood and
resolved, the entire test is disabled globally.  (It's also disabled for
EL-7, which is redundant now but won't be after we re-enable the test
globally in the near future.)

We can't simply skip the mod_http2 dependency here because we set
GIT_TEST_HTTPD=true.  Per upstream 73c49a4474 (t: run t5551 tests with
both HTTP and HTTP/2, 2022-11-11):

    If HTTP/2 isn't supported on a given platform, then t5559 should
    bail during the webserver setup, and gracefully skip all tests
    (unless GIT_TEST_HTTPD has been changed from "auto" to "yes", where
    the point is to complain when webserver setup fails).

Also ignore the 'missing BUILTIN_TXT_$builtin' output which comes from
upstream a0c3244796 (doc SYNOPSIS & -h: use "-" to separate words in
labels, not "_", 2022-10-13).  We may want to loosen this in the future,
but for now ignore it because it doesn't help us identify missing test
dependencies.

Release notes:
https://github.com/git/git/raw/v2.39.0-rc0/Documentation/RelNotes/2.39.0.txt
2022-12-01 15:22:49 -05:00
Todd Zullinger
d0191b8ca5 use %bash_completions_dir
A %bash_completions_dir macro was added to redhat-rpm-config recently¹.
It is available for all supported Fedora releases.  Define it if
missing, to support EL <= 9.

This is likely to become part of the packaging guideline soon².

¹ https://src.fedoraproject.org/rpms/redhat-rpm-config/c/483a3b (Add
  macros.shell-completions, 2022-06-25)
² https://pagure.io/packaging-committee/issue/1202
2022-11-12 13:37:15 -05:00
Todd Zullinger
ef75bcdbad update license data and convert to SPDX format
The license data was gathered from the 2.38.1 tarball.  The licensecheck
tool was run:

    find -type f -regextype egrep ! -regex '^(Documentation/.*\.txt$|(t/(chainlint|perf/p[0-9]{4}|t[0-9]{4}).*))' \
        -exec licensecheck --shortname-scheme spdx {} + | LANG=C sort >licensecheck

The contents were reviewed, removing files which are not shipped or were
UNKNOWN to licensecheck.  Of the UNKNOWN files, most lacked a specific
license header and are thus treated as GPL-2.0-only.  The code in
reftable/ is licensed as BSD 3-Clause per reftable/LICENSE.
2022-11-12 13:37:15 -05:00
Todd Zullinger
1ea41cbd46 don't ship contrib/persistent-https as documentation
This is Go source code which requires compilation to be used.  It is
licensed differently than git; shipping it changes the License tag.

Let's avoid it for now.  If it turns out to be widely used, we can
restore it later (and ship it in binary form).
2022-11-07 19:05:50 -05:00
Todd Zullinger
537938edaa update to 2.38.1 (CVE-2022-39253, CVE-2022-39260)
From the release notes for 2.30.6¹:

   * CVE-2022-39253:
     When relying on the `--local` clone optimization, Git dereferences
     symbolic links in the source repository before creating hardlinks
     (or copies) of the dereferenced link in the destination repository.
     This can lead to surprising behavior where arbitrary files are
     present in a repository's `$GIT_DIR` when cloning from a malicious
     repository.

     Git will no longer dereference symbolic links via the `--local`
     clone mechanism, and will instead refuse to clone repositories that
     have symbolic links present in the `$GIT_DIR/objects` directory.

     Additionally, the value of `protocol.file.allow` is changed to be
     "user" by default.

   * CVE-2022-39260:
     An overly-long command string given to `git shell` can result in
     overflow in `split_cmdline()`, leading to arbitrary heap writes and
     remote code execution when `git shell` is exposed and the directory
     `$HOME/git-shell-commands` exists.

     `git shell` is taught to refuse interactive commands that are
     longer than 4MiB in size. `split_cmdline()` is hardened to reject
     inputs larger than 2GiB.

  Credit for finding CVE-2022-39253 goes to Cory Snider of Mirantis. The
  fix was authored by Taylor Blau, with help from Johannes Schindelin.

  Credit for finding CVE-2022-39260 goes to Kevin Backhouse of GitHub.
  The fix was authored by Kevin Backhouse, Jeff King, and Taylor Blau.

¹ https://github.com/git/git/raw/v2.38.1/Documentation/RelNotes/2.30.6.txt
2022-10-18 13:43:15 -04:00
Todd Zullinger
269487c604 update to 2.38.0
Release notes:
https://github.com/git/git/raw/v2.38.0/Documentation/RelNotes/2.38.0.txt
2022-10-03 15:21:28 -04:00
Todd Zullinger
202c5f9f24 update to 2.38.0-rc2
Release notes:
https://github.com/git/git/raw/v2.38.0-rc2/Documentation/RelNotes/2.38.0.txt
2022-09-28 00:18:42 -04:00
Todd Zullinger
047cf1702d git-subtree sub-package is noarch
In 986b772 (Split 'git subtree' into a separate package, 2018-02-07), I
mistakenly created the package as arch-specific.  It should have been
noarch; it is merely a shell script.
2022-09-22 00:38:09 -04:00
Todd Zullinger
35ed577d15 update to 2.38.0-rc1
Release notes:
https://github.com/git/git/raw/v2.38.0-rc1/Documentation/RelNotes/2.38.0.txt
2022-09-21 20:32:41 -04:00
Todd Zullinger
ea59aa3637 update to 2.38.0-rc0
Adjust the number of the t5541 "push 2000 tags over http" test, which we
skip on aarch64 and ppc64le arches.  It was shifted from 36 to 37 by
upstream b0c4adcdd7 (remote-curl: send Accept-Language header to server,
2022-07-11).

Release notes:
https://github.com/git/git/raw/v2.38.0-rc0/Documentation/RelNotes/2.38.0.txt
2022-09-21 11:42:57 -04:00
Todd Zullinger
0d294dd610 tests: try harder to find open ports for apache, git, and svn
When running multiple builds, we frequently see failures due to port
conflicts, particularly with httpd tests.  Retry with a different port
when the test function start_httpd() fails to reduce these spurious
failures.

We should not need to skip t9115-git-svn-dcommit-funky-renames as a
result.  Remove it from GIT_SKIP_TESTS.

Similarly, adjust the git-daemon and svnserve start functions.
2022-08-31 10:05:31 -04:00
Todd Zullinger
cbc4c3e411 remove %changelog entries prior to 2020
The git history serves as the repository for the old entries.  The
changelog was roughly 20% of the total lines in the spec file.
2022-08-30 21:10:43 -04:00
Todd Zullinger
c1a92d4bda update to 2.37.3
This is an upstream bugfix release.

Release notes:
https://github.com/git/git/raw/v2.37.3/Documentation/RelNotes/2.37.3.txt
2022-08-30 21:10:12 -04:00
Todd Zullinger
3bf0a72eb1 consolidate git-archimport removal in %prep
We have not shipped git-archimport since 3f0dc97 (Drop git-arch on
fedora >= 16, 2011-07-26).  Replace the scattered references to it in
the spec file with a small group of commands in %prep to remove it
entirely.
2022-08-14 14:13:49 -04:00
Todd Zullinger
5c57e78875 update to 2.37.2
This is an upstream bugfix release.

Release notes:
https://github.com/git/git/raw/v2.37.2/Documentation/RelNotes/2.37.2.txt
2022-08-11 14:22:53 -04:00
Todd Zullinger
3eb6f047dc require systemd-rpm-macros rather than systemd
The `BuildRequires: systemd` was added in d7389e7 (use systemd instead
of xinetd (bz 737183), 2013-04-30).  Since then, the systemd macros have
been split into a subpackage¹.  Adjust our BuildRequires (with an
exception for EL-7).

Replace `Requires*: systemd` in git-daemon with %{?systemd_requires}.

¹ https://src.fedoraproject.org/rpms/systemd/c/c9030f0 (Split out the
  rpm macros into systemd-rpm-macros subpackage, 2018-11-02).
2022-07-23 15:36:18 -04:00
Fedora Release Engineering
0266063d10 Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-21 06:16:03 +00:00
Todd Zullinger
47478b1513 update to 2.37.1 (CVE-2022-29187)
From the release notes for 2.30.5¹:

    This release contains minor fix-ups for the changes that went into
    Git 2.30.3 and 2.30.4, addressing CVE-2022-29187.

     * The safety check that verifies a safe ownership of the Git
       worktree is now extended to also cover the ownership of the Git
       directory (and the `.git` file, if there is any).

    Carlo Marcelo Arenas Belón (1):
          setup: tighten ownership checks post CVE-2022-24765

Additionally, from the release notes for 2.37.1²:

     * Rewrite of "git add -i" in C that appeared in Git 2.25 didn't
       correctly record a removed file to the index, which is an old
       regression but has become widely known because the C version has
       become the default in the latest release.

¹ https://github.com/git/git/raw/v2.37.1/Documentation/RelNotes/2.30.5.txt
² https://github.com/git/git/raw/v2.37.1/Documentation/RelNotes/2.37.1.txt
2022-07-12 13:39:22 -04:00
Todd Zullinger
eab9894931 update to 2.37.0
Release notes:
https://github.com/git/git/raw/v2.37.0/Documentation/RelNotes/2.37.0.txt
2022-06-27 15:07:59 -04:00
Todd Zullinger
8b14c0b19f update to 2.37.0-rc2
Release notes:
https://github.com/git/git/raw/v2.37.0-rc2/Documentation/RelNotes/2.37.0.txt
2022-06-22 15:51:09 -04:00
Todd Zullinger
7d205ab48d update to 2.37.0-rc1
Add 'missing FSMONITOR_DAEMON' and 'You must set env var
GIT_TEST_ALLOW_SUDO=YES in order to run this test' to
git.skip-test-patterns to cover new test prerequisites.

Release notes:
https://github.com/git/git/raw/v2.37.0-rc1/Documentation/RelNotes/2.37.0.txt
2022-06-18 01:59:06 -04:00
Todd Zullinger
33956465a1 remove --with/--without emacs build conditional
The emacs bcond support was added in cdea01a (drop emacs-git stub for
fedora >= 34 (#1882360), 2020-10-10).  Now that Fedora 34 is EOL, we no
longer need the conditional.
2022-06-14 13:31:54 -04:00
Todd Zullinger
70428fb2e8 fix GIT_SKIP_TESTS for EL8 s390x
The GIT_SKIP_TESTS variable does not support brace expansion.  It was my
mistake thinking that it did.  List the tests to skip properly.

If we had a longer list and *really* wanted to use brace expansion, we
could do something like this:

    GIT_SKIP_TESTS="$GIT_SKIP_TESTS $(echo t5300.{10,12,14} t5303.{5,7,11} t6300.{35,91,92})"

In this case, that's more characters _and_ more complexity, so it makes
no sense to use it.  (Even if it were shorter, it doesn't necessarily
justify the extra complexity.)

Expand the list of tests to skip to cover those which fail due to the
earlier skipped tests.

Additionally, GIT_SKIP_TESTS is (unintentionally) set on systems other
than EL8.  Fix the conditional to only skip these tests on s390x on EL8.
2022-06-14 13:31:54 -04:00
Todd Zullinger
81908fa387 update to 2.37.0-rc0
Release notes:
https://github.com/git/git/raw/v2.37.0-rc0/Documentation/RelNotes/2.37.0.txt
2022-06-14 03:16:56 -04:00
Jitka Plesnikova
a35db90ce1 Perl 5.36 re-rebuild of bootstrapped packages
2022-06-03 13:30:49 +02:00
Jitka Plesnikova
09bd4bb5d8 Perl 5.36 rebuild
2022-06-01 08:18:21 +02:00
Todd Zullinger
b76548f9c2 update to 2.36.1
Release notes:
https://github.com/git/git/raw/v2.36.1/Documentation/RelNotes/2.36.1.txt
2022-05-06 14:01:06 -04:00
Todd Zullinger
dbec023603 update to 2.36.0
Release notes:
https://github.com/git/git/raw/v2.36.0/Documentation/RelNotes/2.36.0.txt
2022-04-18 14:11:02 -04:00