From the upstream release announcement:
These releases fix a security flaw (CVE-2018-17456), which allowed an
attacker to execute arbitrary code by crafting a malicious .gitmodules
file in a project cloned with --recurse-submodules.
When running "git clone --recurse-submodules", Git parses the supplied
.gitmodules file for a URL field and blindly passes it as an argument
to a "git clone" subprocess. If the URL field is set to a string that
begins with a dash, this "git clone" subprocess interprets the URL as
an option. This can lead to executing an arbitrary script shipped in
the superproject as the user who ran "git clone".
In addition to fixing the security issue for the user running "clone",
the 2.17.2, 2.18.1 and 2.19.1 releases have an "fsck" check which can
be used to detect such malicious repository content when fetching or
accepting a push. See "transfer.fsckObjects" in git-config(1).
Credit for finding and fixing this vulnerability goes to joernchen
and Jeff King, respectively.
References:
https://public-inbox.org/git/xmqqy3bcuy3l.fsf@gitster-ct.c.googlers.com/
The USE_LIBPCRE setting now defaults to pcre2; use it. It's still
valid to set USE_LIBPCRE2, but using the default should be cleaner in
the long-run.
The (long-unmaintained) emacs support has been dropped upstream in favor
of better alternatives. From the upstream commit¹:
The git-blame.el mode has been superseded by Emacs's own
vc-annotate (invoked by C-x v g). Users of the git.el mode are now
much better off using either Magit or the Git backend for Emacs's own
VC mode.
These modes were added over 10 years ago when Emacs's own Git support
was much less mature, and there weren't other mature modes in the wild
or shipped with Emacs itself.
These days these modes have few if any users, and users of git aren't
well served by us shipping these (some OS's install them alongside git
by default, which is confusing and leads users astray).
¹ 6d5ed4836d ("git{,-blame}.el: remove old bitrotting Emacs code", 2018-04-11)
https://git.kernel.org/pub/scm/git/git.git/commit/?id=6d5ed4836d
Fixes two security issues, described in the 2.13.7 release notes¹:
* Submodule "names" come from the untrusted .gitmodules file, but we
blindly append them to $GIT_DIR/modules to create our on-disk repo
paths. This means you can do bad things by putting "../" into the
name. We now enforce some rules for submodule names which will cause
Git to ignore these malicious names (CVE-2018-11235).
Credit for finding this vulnerability and the proof of concept from
which the test script was adapted goes to Etienne Stalmans.
* It was possible to trick the code that sanity-checks paths on NTFS
into reading random piece of memory (CVE-2018-11233).
¹ https://mirrors.edge.kernel.org/pub/software/scm/git/docs/RelNotes/2.13.7.txt
The perl install process was updated to remove the need for
ExtUtils::MakeMaker. The main change for us is setting perllibdir to
keep the files installed in %{perl_vendorlib}.
Manpages for non-public portions of the Git perl modules are no longer
built. Anyone who wishes to make use of these modules can read the
source files or use pod2man.
Set NO_PERL_CPAN_FALLBACKS to ensure we don't package the bundled
fallback modules.
Also drop now-unneeded commands to remove *.bs, .packlist, and
perllocal.pod files. The new install method does not produce these
artifacts.
This release fixes an issue which only affects users on case-insensitive
file systems and repositories which contain paths that differ only in
case. Such circumstances result in a segmentation fault in various git
commands.
From the release announcement¹
A malicious third-party can give a crafted "ssh://..." URL to an
unsuspecting victim, and an attempt to visit the URL can result in
any program that exists on the victim's machine being executed.
Such a URL could be placed in the .gitmodules file of a malicious
project, and an unsuspecting victim could be tricked into running
"git clone --recurse-submodules" to trigger the vulnerability.
Credits to find and fix the issue go to Brian Neel at GitLab, Joern
Schneeweisz of Recurity Labs and Jeff King at GitHub.
¹ https://public-inbox.org/git/xmqqh8xf482j.fsf@gitster.mtv.corp.google.com/
EL-5 has been EOL for several months now. We can drop all the
conditionals needed to build there, as well as some conditionals for
long-expired Fedora releases.
Without EL-5 we also no longer use the prebuilt documentation. Remove
these sources and simplify the gpg check for the remaining source.
