11 changed files with 827 additions and 1699 deletions
--- a/.git.metadata
+++ b/.git.metadata
@ -1,2 +1,2 @@
-ee5544e5682b2dd8bc7cfe0cf8952eb4f04a308f SOURCES/git-2.43.7.tar.sign
+8e9d69d70951427536e5a42ae0e2011750fa59e7 SOURCES/git-2.52.0.tar.sign
-4034a9389fe34767a272d7085e9e7d93fb5ff18f SOURCES/git-2.43.7.tar.xz
+c9bb56cadd9ec733c7dabfd867706e04ea942d9f SOURCES/git-2.52.0.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/git-2.43.7.tar.sign
+SOURCES/git-2.52.0.tar.sign
-SOURCES/git-2.43.7.tar.xz
+SOURCES/git-2.52.0.tar.xz
--- a/SOURCES/0001-Switch-git-instaweb-default-to-apache-2.26.2.patch
+++ b/SOURCES/0001-Switch-git-instaweb-default-to-apache-2.26.2.patch
@ -1,12 +0,0 @@
 diff -ur a/git-instaweb.sh b/git-instaweb.sh
 --- a/git-instaweb.sh	2020-04-20 17:52:30.000000000 +0200
 +++ b/git-instaweb.sh	2020-05-27 12:36:20.725300334 +0200
@@ -36,7 +36,7 @@
 # Defaults:
 # if installed, it doesn't need further configuration (module_path)
 -test -z "$httpd" && httpd='lighttpd -f'
 +test -z "$httpd" && httpd='httpd -f'
 # Default is @@GITWEBDIR@@
 test -z "$root" && root='@@GITWEBDIR@@'
--- a/SOURCES/git-2.43.0-core-crypto-hmac.patch
+++ b/SOURCES/git-2.43.0-core-crypto-hmac.patch
@ -1,70 +0,0 @@
 diff -ur b/builtin/receive-pack.c a/builtin/receive-pack.c
 --- b/builtin/receive-pack.c	2023-11-20 03:07:41.000000000 +0100
 +++ a/builtin/receive-pack.c	2023-12-06 15:34:28.294170714 +0100
@@ -40,6 +40,8 @@
 #include "worktree.h"
 #include "shallow.h"
 #include "parse-options.h"
 +#include <openssl/hmac.h>	
 +#include <openssl/evp.h>
 static const char * const receive_pack_usage[] = {
 	N_("git receive-pack <git-dir>"),
@@ -538,43 +540,11 @@
 	return 0;
 }
 -static void hmac_hash(unsigned char *out,
 +static inline void hmac_hash(unsigned char *out,
 		      const char *key_in, size_t key_len,
 		      const char *text, size_t text_len)
 {
 -	unsigned char key[GIT_MAX_BLKSZ];
 -	unsigned char k_ipad[GIT_MAX_BLKSZ];
 -	unsigned char k_opad[GIT_MAX_BLKSZ];
 -	int i;
 -	git_hash_ctx ctx;
 -
 -	/* RFC 2104 2. (1) */
 -	memset(key, '\0', GIT_MAX_BLKSZ);
 -	if (the_hash_algo->blksz < key_len) {
 -		the_hash_algo->init_fn(&ctx);
 -		the_hash_algo->update_fn(&ctx, key_in, key_len);
 -		the_hash_algo->final_fn(key, &ctx);
 -	} else {
 -		memcpy(key, key_in, key_len);
 -	}
 -
 -	/* RFC 2104 2. (2) & (5) */
 -	for (i = 0; i < sizeof(key); i++) {
 -		k_ipad[i] = key[i] ^ 0x36;
 -		k_opad[i] = key[i] ^ 0x5c;
 -	}
 -
 -	/* RFC 2104 2. (3) & (4) */
 -	the_hash_algo->init_fn(&ctx);
 -	the_hash_algo->update_fn(&ctx, k_ipad, sizeof(k_ipad));
 -	the_hash_algo->update_fn(&ctx, text, text_len);
 -	the_hash_algo->final_fn(out, &ctx);
 -
 -	/* RFC 2104 2. (6) & (7) */
 -	the_hash_algo->init_fn(&ctx);
 -	the_hash_algo->update_fn(&ctx, k_opad, sizeof(k_opad));
 -	the_hash_algo->update_fn(&ctx, out, the_hash_algo->rawsz);
 -	the_hash_algo->final_fn(out, &ctx);
 +	HMAC(EVP_sha1(), key_in, key_len, text, text_len, out, NULL);
 }
 static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
 diff -ur b/Makefile a/Makefile
 --- b/Makefile	2023-11-20 03:07:41.000000000 +0100
 +++ a/Makefile	2023-12-06 15:35:08.506316431 +0100
@@ -2123,6 +2123,8 @@
 	EXTLIBS += -lcrypto -lssl
 endif
 +EXTLIBS += -lcrypto
 +
 ifneq ($(PROCFS_EXECUTABLE_PATH),)
 	procfs_executable_path_SQ = $(subst ','\'',$(PROCFS_EXECUTABLE_PATH))
 	BASIC_CFLAGS += '-DPROCFS_EXECUTABLE_PATH="$(procfs_executable_path_SQ)"'
--- a/SOURCES/git-2.43.0-slow-shallow-clones.patch
+++ b/SOURCES/git-2.43.0-slow-shallow-clones.patch
@ -1,115 +0,0 @@
 From 51441e6460b505c07b4a8a6deeaa7de4bf6e8e33 Mon Sep 17 00:00:00 2001
 From: Junio C Hamano <gitster@pobox.com>
 Date: Fri, 3 May 2024 08:34:27 -0700
 Subject: [PATCH] stop using HEAD for attributes in bare repository by default
 With 23865355 (attr: read attributes from HEAD when bare repo,
 2023-10-13), we started to use the HEAD tree as the default
 attribute source in a bare repository.  One argument for such a
 behaviour is that it would make things like "git archive" run in
 bare and non-bare repositories for the same commit consistent.
 This changes was merged to Git 2.43 but without an explicit mention
 in its release notes.
 It turns out that this change destroys performance of shallowly
 cloning from a bare repository.  As the "server" installations are
 expected to be mostly bare, and "git pack-objects", which is the
 core of driving the other side of "git clone" and "git fetch" wants
 to see if a path is set not to delta with blobs from other paths via
 the attribute system, the change forces the server side to traverse
 the tree of the HEAD commit needlessly to find if each and every
 paths the objects it sends out has the attribute that controls the
 deltification.  Given that (1) most projects do not configure such
 an attribute, and (2) it is dubious for the server side to honor
 such an end-user supplied attribute anyway, this was a poor choice
 of the default.
 To mitigate the current situation, let's revert the change that uses
 the tree of HEAD in a bare repository by default as the attribute
 source.  This will help most people who have been happy with the
 behaviour of Git 2.42 and before.
 Two things to note:
 * If you are stuck with versions of Git 2.43 or newer, that is
   older than the release this fix appears in, you can explicitly
   set the attr.tree configuration variable to point at an empty
   tree object, i.e.
 	$ git config attr.tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
 * If you like the behaviour we are reverting, you can explicitly
   set the attr.tree configuration variable to HEAD, i.e.
 	$ git config attr.tree HEAD
 The right fix for this is to optimize the code paths that allow
 accesses to attributes in tree objects, but that is a much more
 involved change and is left as a longer-term project, outside the
 scope of this "first step" fix.
 Signed-off-by: Junio C Hamano <gitster@pobox.com>
 ---
 attr.c                  |  7 -------
 t/t0003-attributes.sh   | 10 ++++++++--
 t/t5001-archive-attr.sh |  3 ++-
 3 files changed, 10 insertions(+), 10 deletions(-)
 diff --git a/attr.c b/attr.c
 index e62876dfd3e9be..02ab8436266289 100644
 --- a/attr.c
 +++ b/attr.c
@@ -1213,13 +1213,6 @@ static void compute_default_attr_source(struct object_id *attr_source)
 		ignore_bad_attr_tree = 1;
 	}
 -	if (!default_attr_source_tree_object_name &&
 -	    startup_info->have_repository &&
 -	    is_bare_repository()) {
 -		default_attr_source_tree_object_name = "HEAD";
 -		ignore_bad_attr_tree = 1;
 -	}
 -
 	if (!default_attr_source_tree_object_name || !is_null_oid(attr_source))
 		return;
 diff --git a/t/t0003-attributes.sh b/t/t0003-attributes.sh
 index aee2298f01331a..5de46ddf67f7ff 100755
 --- a/t/t0003-attributes.sh
 +++ b/t/t0003-attributes.sh
@@ -384,13 +384,19 @@ test_expect_success 'bad attr source defaults to reading .gitattributes file' '
 	)
 '
 -test_expect_success 'bare repo defaults to reading .gitattributes from HEAD' '
 +test_expect_success 'bare repo no longer defaults to reading .gitattributes from HEAD' '
 	test_when_finished rm -rf test bare_with_gitattribute &&
 	git init test &&
 	test_commit -C test gitattributes .gitattributes "f/path test=val" &&
 	git clone --bare test bare_with_gitattribute &&
 -	echo "f/path: test: val" >expect &&
 +
 +	echo "f/path: test: unspecified" >expect &&
 	git -C bare_with_gitattribute check-attr test -- f/path >actual &&
 +	test_cmp expect actual &&
 +
 +	echo "f/path: test: val" >expect &&
 +	git -C bare_with_gitattribute -c attr.tree=HEAD \
 +		check-attr test -- f/path >actual &&
 	test_cmp expect actual
 '
 diff --git a/t/t5001-archive-attr.sh b/t/t5001-archive-attr.sh
 index eaf959d8f63f15..7310774af5efea 100755
 --- a/t/t5001-archive-attr.sh
 +++ b/t/t5001-archive-attr.sh
@@ -133,7 +133,8 @@ test_expect_success 'git archive vs. bare' '
 '
 test_expect_success 'git archive with worktree attributes, bare' '
 -	(cd bare && git archive --worktree-attributes HEAD) >bare-worktree.tar &&
 +	(cd bare &&
 +	git -c attr.tree=HEAD archive --worktree-attributes HEAD) >bare-worktree.tar &&
 	(mkdir bare-worktree && cd bare-worktree && "$TAR" xf -) <bare-worktree.tar
 '
--- a/SOURCES/git-2.43.5-sanitize-sideband-channel-messages.patch
+++ b/SOURCES/git-2.43.5-sanitize-sideband-channel-messages.patch
@ -1,219 +0,0 @@
 From 13bb730859857c97f298e9a8c7b68fe00074b3d0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Poho=C5=99elsk=C3=BD?= <opohorel@redhat.com>
 Date: Thu, 3 Apr 2025 14:46:53 +0200
 Subject: [PATCH] Adds the option to sanitize sideband channel messages
 CVE-2024-52005 wasn't fixed by upstream. This patch adds the option
 to harden Git against it.
 The default behaviour of Git remains unchanged.
 Changes are taken from Git for Windows. The only differences are that
 by default we are allowing all control characters, the documentation
 reflects it and one of the tests has to be invoked with a config
 change: `sideband.allowControlCharacters=color`
 These commits can also be seen in this upstream PR:
 https://github.com/gitgitgadget/git/pull/1853
 ---
 Documentation/config.txt            |  2 +
 Documentation/config/sideband.txt   | 16 ++++++
 sideband.c                          | 78 ++++++++++++++++++++++++++++-
 t/t5409-colorize-remote-messages.sh | 30 +++++++++++
 4 files changed, 124 insertions(+), 2 deletions(-)
 create mode 100644 Documentation/config/sideband.txt
 diff --git a/Documentation/config.txt b/Documentation/config.txt
 index e3a74dd1c1..5b8bbdee82 100644
 --- a/Documentation/config.txt
 +++ b/Documentation/config.txt
@@ -513,6 +513,8 @@ include::config/sequencer.txt[]
 include::config/showbranch.txt[]
 +include::config/sideband.txt[]
 +
 include::config/sparse.txt[]
 include::config/splitindex.txt[]
 diff --git a/Documentation/config/sideband.txt b/Documentation/config/sideband.txt
 new file mode 100644
 index 0000000000..1adc831667
 --- /dev/null
 +++ b/Documentation/config/sideband.txt
@@ -0,0 +1,16 @@
 +sideband.allowControlCharacters::
 +	By default, control characters that are delivered via the sideband
 +	are NOT masked. Use this config setting to prevent potentially
 +	unwanted ANSI escape sequences from being sent to the terminal:
 ++
 +--
 +	color::
 +		Allow ANSI color sequences, line feeds and horizontal tabs,
 +		but mask all other control characters.
 +	false::
 +		Mask all control characters other than line feeds and
 +		horizontal tabs.
 +	true::
 +		Allow all control characters to be sent to the terminal.
 +        This is the default.
 +--
 \ No newline at end of file
 diff --git a/sideband.c b/sideband.c
 index 266a67342b..316a401a5d 100644
 --- a/sideband.c
 +++ b/sideband.c
@@ -23,6 +23,12 @@ static struct keyword_entry keywords[] = {
 	{ "error",	GIT_COLOR_BOLD_RED },
 };
 +static enum {
 +	ALLOW_NO_CONTROL_CHARACTERS = 0,
 +	ALLOW_ALL_CONTROL_CHARACTERS = 1,
 +	ALLOW_ANSI_COLOR_SEQUENCES = 2
 +} allow_control_characters = ALLOW_ALL_CONTROL_CHARACTERS;
 +
 /* Returns a color setting (GIT_COLOR_NEVER, etc). */
 static int use_sideband_colors(void)
 {
@@ -36,6 +42,25 @@ static int use_sideband_colors(void)
 	if (use_sideband_colors_cached >= 0)
 		return use_sideband_colors_cached;
 +	switch (git_config_get_maybe_bool("sideband.allowcontrolcharacters", &i)) {
 +	case 0: /* Boolean value */
 +		allow_control_characters = i ? ALLOW_ALL_CONTROL_CHARACTERS :
 +			ALLOW_NO_CONTROL_CHARACTERS;
 +		break;
 +	case -1: /* non-Boolean value */
 +		if (git_config_get_string_tmp("sideband.allowcontrolcharacters",
 +							&value))
 +			; /* huh? `get_maybe_bool()` returned -1 */
 +		else if (!strcmp(value, "color"))
 +			allow_control_characters = ALLOW_ANSI_COLOR_SEQUENCES;
 +		else
 +			warning(_("unrecognized value for `sideband."
 +					"allowControlCharacters`: '%s'"), value);
 +		break;
 +	default:
 +		break; /* not configured */
 +	}
 +
 	if (!git_config_get_string(key, &value)) {
 		use_sideband_colors_cached = git_config_colorbool(key, value);
 	} else if (!git_config_get_string("color.ui", &value)) {
@@ -64,6 +89,55 @@ void list_config_color_sideband_slots(struct string_list *list, const char *pref
 		list_config_item(list, prefix, keywords[i].keyword);
 }
 +static int handle_ansi_color_sequence(struct strbuf *dest, const char *src, int n)
 +{
 +	int i;
 +
 +	/*
 +	 * Valid ANSI color sequences are of the form
 +	 *
 +	 * ESC [ [<n> [; <n>]*] m
 +	 */
 +
 +	if (allow_control_characters != ALLOW_ANSI_COLOR_SEQUENCES ||
 +	    n < 3 || src[0] != '\x1b' || src[1] != '[')
 +		return 0;
 +
 +	for (i = 2; i < n; i++) {
 +		if (src[i] == 'm') {
 +			strbuf_add(dest, src, i + 1);
 +			return i;
 +		}
 +		if (!isdigit(src[i]) && src[i] != ';')
 +			break;
 +	}
 +
 +	return 0;
 +}
 +
 +static void strbuf_add_sanitized(struct strbuf *dest, const char *src, int n)
 +{
 +	int i;
 +
 +	if (allow_control_characters == ALLOW_ALL_CONTROL_CHARACTERS) {
 +			strbuf_add(dest, src, n);
 +			return;
 +		}
 +	
 +	strbuf_grow(dest, n);
 +	for (; n && *src; src++, n--) {
 +		if (!iscntrl(*src) || *src == '\t' || *src == '\n')
 +			strbuf_addch(dest, *src);
 +		else if ((i = handle_ansi_color_sequence(dest, src, n))) {
 +				src += i;
 +				n -= i;
 +		} else {
 +			strbuf_addch(dest, '^');
 +			strbuf_addch(dest, 0x40 + *src);
 +		}
 +	}
 +}
 +
 /*
  * Optionally highlight one keyword in remote output if it appears at the start
  * of the line. This should be called for a single line only, which is
@@ -79,7 +153,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
 	int i;
 	if (!want_color_stderr(use_sideband_colors())) {
 -		strbuf_add(dest, src, n);
 +		strbuf_add_sanitized(dest, src, n);
 		return;
 	}
@@ -112,7 +186,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
 		}
 	}
 -	strbuf_add(dest, src, n);
 +	strbuf_add_sanitized(dest, src, n);
 }
 diff --git a/t/t5409-colorize-remote-messages.sh b/t/t5409-colorize-remote-messages.sh
 index fa5de4500a..3b5ff00363 100755
 --- a/t/t5409-colorize-remote-messages.sh
 +++ b/t/t5409-colorize-remote-messages.sh
@@ -98,4 +98,34 @@ test_expect_success 'fallback to color.ui' '
 	grep "<BOLD;RED>error<RESET>: error" decoded
 '
 +test_expect_success 'disallow (color) control sequences in sideband' '
 +	write_script .git/color-me-surprised <<-\EOF &&
 +	printf "error: Have you \\033[31mread\\033[m this?\\a\\n" >&2
 +	exec "$@"
 +	EOF
 +	test_config_global uploadPack.packObjectshook ./color-me-surprised &&
 +	test_commit need-at-least-one-commit &&
 +	git -c sideband.allowControlCharacters=color \
 +		clone --no-local . throw-away 2>stderr &&
 +	test_decode_color <stderr >decoded &&
 +	test_grep RED decoded &&
 +	test_grep "\\^G" stderr &&
 +	tr -dc "\\007" <stderr >actual &&
 +	test_must_be_empty actual &&
 +
 +	rm -rf throw-away &&
 +	git -c sideband.allowControlCharacters=false \
 +		clone --no-local . throw-away 2>stderr &&
 +	test_decode_color <stderr >decoded &&
 +	test_grep ! RED decoded &&
 +	test_grep "\\^G" stderr &&
 +
 +	rm -rf throw-away &&
 +	git -c sideband.allowControlCharacters clone --no-local . throw-away 2>stderr &&
 +	test_decode_color <stderr >decoded &&
 +	test_grep RED decoded &&
 +	tr -dc "\\007" <stderr >actual &&
 +	test_file_not_empty actual
 +'
 +
 test_done
 -- 
 2.49.0
--- a/SOURCES/git-2.43.7-t-avoid-git-config-syntax-from-newer-releases.patch
+++ b/SOURCES/git-2.43.7-t-avoid-git-config-syntax-from-newer-releases.patch
@ -1,59 +0,0 @@
 From 428c9241c6918f52ac22fb8e83ce7c736a2f5e00 Mon Sep 17 00:00:00 2001
 From: Todd Zullinger <tmz@pobox.com>
 Date: Tue, 8 Jul 2025 17:05:27 -0400
 Subject: [PATCH] t: avoid git config syntax from newer releases
 In a recent security release, 05e9cd64ee (config: quote values
 containing CR character, 2025-05-19) added calls to `git config get`,
 `git config set`, and `git config unset` which are not present on the
 maint-2.43 branch.
 These subcommands were added in the following commits, released in
 git-2.46.0:
  4e51389000 (builtin/config: introduce "get" subcommand, 2024-05-06),
  00bbdde141 (builtin/config: introduce "set" subcommand, 2024-05-06),
  95ea69c67b (builtin/config: introduce "unset" subcommand, 2024-05-06)
 Revert to the previous `git config` syntax for older maintenance
 branches.
 Signed-off-by: Todd Zullinger <tmz@pobox.com>
 Signed-off-by: Junio C Hamano <gitster@pobox.com>
 ---
 t/t1300-config.sh           | 4 ++--
 t/t7450-bad-git-dotfiles.sh | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
 diff --git a/t/t1300-config.sh b/t/t1300-config.sh
 index 1010410b7e2926..baf9b4823111d5 100755
 --- a/t/t1300-config.sh
 +++ b/t/t1300-config.sh
@@ -2595,8 +2595,8 @@ test_expect_success 'writing value with trailing CR not stripped on read' '
 	printf "bar\r\n" >expect &&
 	git init cr-test &&
 -	git -C cr-test config set core.foo $(printf "bar\r") &&
 -	git -C cr-test config get core.foo >actual &&
 +	git -C cr-test config core.foo $(printf "bar\r") &&
 +	git -C cr-test config --get core.foo >actual &&
 	test_cmp expect actual
 '
 diff --git a/t/t7450-bad-git-dotfiles.sh b/t/t7450-bad-git-dotfiles.sh
 index 20262855664a97..d1546e3311b27f 100755
 --- a/t/t7450-bad-git-dotfiles.sh
 +++ b/t/t7450-bad-git-dotfiles.sh
@@ -362,10 +362,10 @@ test_expect_success SYMLINKS,!WINDOWS,!MINGW 'submodule must not checkout into d
 	git -C repo mv sub $(printf "sub\r") &&
 	# Ensure config values containing CR are wrapped in quotes.
 -	git config unset -f repo/.gitmodules submodule.sub.path &&
 +	git config --unset -f repo/.gitmodules submodule.sub.path &&
 	printf "\tpath = \"sub\r\"\n" >>repo/.gitmodules &&
 -	git config unset -f repo/.git/modules/sub/config core.worktree &&
 +	git config --unset -f repo/.git/modules/sub/config core.worktree &&
 	{
 		printf "[core]\n" &&
 		printf "\tworktree = \"../../../sub\r\"\n"
--- a/SOURCES/git-2.52-core-crypto-hmac.patch
+++ b/SOURCES/git-2.52-core-crypto-hmac.patch
@ -0,0 +1,85 @@
 From 17acaf144b882d7312b147ac4a1d39158a82534d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Poho=C5=99elsk=C3=BD?= <opohorel@redhat.com>
 Date: Fri, 9 Jan 2026 14:49:51 +0100
 Subject: [PATCH] git-2.52.0-core-crypto-hmac.patch
 ---
 Makefile               |  2 ++
 builtin/receive-pack.c | 38 ++++----------------------------------
 2 files changed, 6 insertions(+), 34 deletions(-)
 diff --git a/Makefile b/Makefile
 index 7e0f77e298..a106eaa79d 100644
 --- a/Makefile
 +++ b/Makefile
@@ -2278,6 +2278,8 @@ ifneq ($(findstring openssl,$(CSPRNG_METHOD)),)
 	EXTLIBS += -lcrypto -lssl
 endif
 +EXTLIBS += -lcrypto
 +
 ifndef HAVE_PLATFORM_PROCINFO
 	COMPAT_OBJS += compat/stub/procinfo.o
 endif
 diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
 index c9288a9c7e..48ad30fb0a 100644
 --- a/builtin/receive-pack.c
 +++ b/builtin/receive-pack.c
@@ -43,6 +43,8 @@
 #include "worktree.h"
 #include "shallow.h"
 #include "parse-options.h"
 +#include <openssl/hmac.h>	
 +#include <openssl/evp.h>
 static const char * const receive_pack_usage[] = {
 	N_("git receive-pack <git-dir>"),
@@ -561,43 +563,11 @@ static int copy_to_sideband(int in, int out UNUSED, void *arg UNUSED)
 	return 0;
 }
 -static void hmac_hash(unsigned char *out,
 +static inline void hmac_hash(unsigned char *out,
 		      const char *key_in, size_t key_len,
 		      const char *text, size_t text_len)
 {
 -	unsigned char key[GIT_MAX_BLKSZ];
 -	unsigned char k_ipad[GIT_MAX_BLKSZ];
 -	unsigned char k_opad[GIT_MAX_BLKSZ];
 -	int i;
 -	struct git_hash_ctx ctx;
 -
 -	/* RFC 2104 2. (1) */
 -	memset(key, '\0', GIT_MAX_BLKSZ);
 -	if (the_hash_algo->blksz < key_len) {
 -		the_hash_algo->init_fn(&ctx);
 -		git_hash_update(&ctx, key_in, key_len);
 -		git_hash_final(key, &ctx);
 -	} else {
 -		memcpy(key, key_in, key_len);
 -	}
 -
 -	/* RFC 2104 2. (2) & (5) */
 -	for (i = 0; i < sizeof(key); i++) {
 -		k_ipad[i] = key[i] ^ 0x36;
 -		k_opad[i] = key[i] ^ 0x5c;
 -	}
 -
 -	/* RFC 2104 2. (3) & (4) */
 -	the_hash_algo->init_fn(&ctx);
 -	git_hash_update(&ctx, k_ipad, sizeof(k_ipad));
 -	git_hash_update(&ctx, text, text_len);
 -	git_hash_final(out, &ctx);
 -
 -	/* RFC 2104 2. (6) & (7) */
 -	the_hash_algo->init_fn(&ctx);
 -	git_hash_update(&ctx, k_opad, sizeof(k_opad));
 -	git_hash_update(&ctx, out, the_hash_algo->rawsz);
 -	git_hash_final(out, &ctx);
 +	HMAC(EVP_sha1(), key_in, key_len, text, text_len, out, NULL);
 }
 static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
 -- 
 2.52.0
--- a/SOURCES/git-2.52-sanitize-sideband-channel-messages.patch
+++ b/SOURCES/git-2.52-sanitize-sideband-channel-messages.patch
@ -0,0 +1,275 @@
 From 65e88e659008e2cbf79cf44975406ff0d569a3a9 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Poho=C5=99elsk=C3=BD?= <opohorel@redhat.com>
 Date: Thu, 20 Nov 2025 12:24:59 +0100
 Subject: [PATCH] sideband: mask control characters
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The output of `git clone` is a vital component for understanding what
 has happened when things go wrong. However, these logs are partially
 under the control of the remote server (via the "sideband", which
 typically contains what the remote `git pack-objects` process sends to
 `stderr`), and is currently not sanitized by Git.
 This makes Git susceptible to ANSI escape sequence injection (see
 CWE-150, https://cwe.mitre.org/data/definitions/150.html), which allows
 attackers to corrupt terminal state, to hide information, and even to
 insert characters into the input buffer (i.e. as if the user had typed
 those characters).
 To plug this vulnerability, disallow any control character in the
 sideband, replacing them instead with the common `^<letter/symbol>`
 (e.g. `^[` for `\x1b`, `^A` for `\x01`).
 There is likely a need for more fine-grained controls instead of using a
 "heavy hammer" like this, which will be introduced subsequently.
 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 sideband: introduce an "escape hatch" to allow control characters
 The preceding commit fixed the vulnerability whereas sideband messages
 (that are under the control of the remote server) could contain ANSI
 escape sequences that would be sent to the terminal verbatim.
 However, this fix may not be desirable under all circumstances, e.g.
 when remote servers deliberately add coloring to their messages to
 increase their urgency.
 To help with those use cases, give users a way to opt-out of the
 protections: `sideband.allowControlCharacters`.
 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 sideband: do allow ANSI color sequences by default
 The preceding two commits introduced special handling of the sideband
 channel to neutralize ANSI escape sequences before sending the payload
 to the terminal, and `sideband.allowControlCharacters` to override that
 behavior.
 However, some `pre-receive` hooks that are actively used in practice
 want to color their messages and therefore rely on the fact that Git
 passes them through to the terminal.
 In contrast to other ANSI escape sequences, it is highly unlikely that
 coloring sequences can be essential tools in attack vectors that mislead
 Git users e.g. by hiding crucial information.
 Therefore we can have both: Continue to allow ANSI coloring sequences to
 be passed to the terminal, and neutralize all other ANSI escape
 sequences.
 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 sideband: default to allowControlCharacters=true
 We don't want to change the default Git behaviour, just add the option
 to filter control characters.
 Signed-off-by: Ondřej Pohořelský <opohorel@redhat.com>
 ---
 Documentation/config.adoc           |  2 +
 Documentation/config/sideband.adoc  | 16 ++++++
 sideband.c                          | 78 ++++++++++++++++++++++++++++-
 t/t5409-colorize-remote-messages.sh | 31 ++++++++++++
 4 files changed, 125 insertions(+), 2 deletions(-)
 create mode 100644 Documentation/config/sideband.adoc
 diff --git a/Documentation/config.adoc b/Documentation/config.adoc
 index 62eebe7c54..dcea3c0c15 100644
 --- a/Documentation/config.adoc
 +++ b/Documentation/config.adoc
@@ -523,6 +523,8 @@ include::config/sequencer.adoc[]
 include::config/showbranch.adoc[]
 +include::config/sideband.adoc[]
 +
 include::config/sparse.adoc[]
 include::config/splitindex.adoc[]
 diff --git a/Documentation/config/sideband.adoc b/Documentation/config/sideband.adoc
 new file mode 100644
 index 0000000000..c9ba24a02c
 --- /dev/null
 +++ b/Documentation/config/sideband.adoc
@@ -0,0 +1,16 @@
 +sideband.allowControlCharacters::
 +	By default, control characters that are delivered via the sideband
 +	are NOT masked. Use this config setting to prevent potentially
 +	unwanted ANSI escape sequences from being sent to the terminal:
 ++
 +--
 +	color::
 +		Allow ANSI color sequences, line feeds and horizontal tabs,
 +		but mask all other control characters.
 +	false::
 +		Mask all control characters other than line feeds and
 +		horizontal tabs.
 +	true::
 +		Allow all control characters to be sent to the terminal.
 +		This is the default.
 +--
 \ No newline at end of file
 diff --git a/sideband.c b/sideband.c
 index ea7c25211e..88d1b44a7a 100644
 --- a/sideband.c
 +++ b/sideband.c
@@ -26,6 +26,12 @@ static struct keyword_entry keywords[] = {
 	{ "error",	GIT_COLOR_BOLD_RED },
 };
 +static enum {
 +	ALLOW_NO_CONTROL_CHARACTERS = 0,
 +	ALLOW_ALL_CONTROL_CHARACTERS = 1,
 +	ALLOW_ANSI_COLOR_SEQUENCES = 2
 +} allow_control_characters = ALLOW_ALL_CONTROL_CHARACTERS;
 +
 /* Returns a color setting (GIT_COLOR_NEVER, etc). */
 static enum git_colorbool use_sideband_colors(void)
 {
@@ -39,6 +45,25 @@ static enum git_colorbool use_sideband_colors(void)
 	if (use_sideband_colors_cached != GIT_COLOR_UNKNOWN)
 		return use_sideband_colors_cached;
 +	switch (repo_config_get_maybe_bool(the_repository, "sideband.allowcontrolcharacters", &i)) {
 +	case 0: /* Boolean value */
 +		allow_control_characters = i ? ALLOW_ALL_CONTROL_CHARACTERS :
 +			ALLOW_NO_CONTROL_CHARACTERS;
 +		break;
 +	case -1: /* non-Boolean value */
 +		if (repo_config_get_string_tmp(the_repository, "sideband.allowcontrolcharacters",
 +					      &value))
 +			; /* huh? `get_maybe_bool()` returned -1 */
 +		else if (!strcmp(value, "color"))
 +			allow_control_characters = ALLOW_ANSI_COLOR_SEQUENCES;
 +		else
 +			warning(_("unrecognized value for `sideband."
 +				  "allowControlCharacters`: '%s'"), value);
 +		break;
 +	default:
 +		break; /* not configured */
 +	}
 +
 	if (!repo_config_get_string_tmp(the_repository, key, &value))
 		use_sideband_colors_cached = git_config_colorbool(key, value);
 	else if (!repo_config_get_string_tmp(the_repository, "color.ui", &value))
@@ -66,6 +91,55 @@ void list_config_color_sideband_slots(struct string_list *list, const char *pref
 		list_config_item(list, prefix, keywords[i].keyword);
 }
 +static int handle_ansi_color_sequence(struct strbuf *dest, const char *src, int n)
 +{
 +	int i;
 +
 +	/*
 +	 * Valid ANSI color sequences are of the form
 +	 *
 +	 * ESC [ [<n> [; <n>]*] m
 +	 */
 +
 +	if (allow_control_characters != ALLOW_ANSI_COLOR_SEQUENCES ||
 +	    n < 3 || src[0] != '\x1b' || src[1] != '[')
 +		return 0;
 +
 +	for (i = 2; i < n; i++) {
 +		if (src[i] == 'm') {
 +			strbuf_add(dest, src, i + 1);
 +			return i;
 +		}
 +		if (!isdigit(src[i]) && src[i] != ';')
 +			break;
 +	}
 +
 +	return 0;
 +}
 +
 +static void strbuf_add_sanitized(struct strbuf *dest, const char *src, int n)
 +{
 +	int i;
 +
 +	if (allow_control_characters == ALLOW_ALL_CONTROL_CHARACTERS) {
 +		strbuf_add(dest, src, n);
 +		return;
 +	}
 +
 +	strbuf_grow(dest, n);
 +	for (; n && *src; src++, n--) {
 +		if (!iscntrl(*src) || *src == '\t' || *src == '\n')
 +			strbuf_addch(dest, *src);
 +		else if ((i = handle_ansi_color_sequence(dest, src, n))) {
 +			src += i;
 +			n -= i;
 +		} else {
 +			strbuf_addch(dest, '^');
 +			strbuf_addch(dest, 0x40 + *src);
 +		}
 +	}
 +}
 +
 /*
  * Optionally highlight one keyword in remote output if it appears at the start
  * of the line. This should be called for a single line only, which is
@@ -81,7 +155,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
 	int i;
 	if (!want_color_stderr(use_sideband_colors())) {
 -		strbuf_add(dest, src, n);
 +		strbuf_add_sanitized(dest, src, n);
 		return;
 	}
@@ -114,7 +188,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
 		}
 	}
 -	strbuf_add(dest, src, n);
 +	strbuf_add_sanitized(dest, src, n);
 }
 diff --git a/t/t5409-colorize-remote-messages.sh b/t/t5409-colorize-remote-messages.sh
 index fa5de4500a..2d40d8c640 100755
 --- a/t/t5409-colorize-remote-messages.sh
 +++ b/t/t5409-colorize-remote-messages.sh
@@ -98,4 +98,35 @@ test_expect_success 'fallback to color.ui' '
 	grep "<BOLD;RED>error<RESET>: error" decoded
 '
 +test_expect_success 'disallow (color) control sequences in sideband' '
 +	write_script .git/color-me-surprised <<-\EOF &&
 +	printf "error: Have you \\033[31mread\\033[m this?\\a\\n" >&2
 +	exec "$@"
 +	EOF
 +	test_config_global uploadPack.packObjectshook ./color-me-surprised &&
 +	test_commit need-at-least-one-commit &&
 +
 +	git -c sideband.allowControlCharacters=color \
 +		clone --no-local . throw-away 2>stderr &&
 +	test_decode_color <stderr >decoded &&
 +	test_grep RED decoded &&
 +	test_grep "\\^G" stderr &&
 +	tr -dc "\\007" <stderr >actual &&
 +	test_must_be_empty actual &&
 +
 +	rm -rf throw-away &&
 +	git -c sideband.allowControlCharacters=false \
 +		clone --no-local . throw-away 2>stderr &&
 +	test_decode_color <stderr >decoded &&
 +	test_grep ! RED decoded &&
 +	test_grep "\\^G" stderr &&
 +
 +	rm -rf throw-away &&
 +	git -c sideband.allowControlCharacters clone --no-local . throw-away 2>stderr &&
 +	test_decode_color <stderr >decoded &&
 +	test_grep RED decoded &&
 +	tr -dc "\\007" <stderr >actual &&
 +	test_file_not_empty actual
 +'
 +
 test_done
 -- 
 2.51.1
--- a/SOURCES/print-failed-test-output
+++ b/SOURCES/print-failed-test-output
@ -3,11 +3,11 @@
 shopt -s failglob
 # Print output from failing tests
-dashes=$(printf "%80s" '' | tr ' ' '-')
+printf -v sep "%0.s-" {1..80}
 for exit_file in t/test-results/*.exit; do
-    [ "$(cat "$exit_file")" -eq 0 ] && continue
+    [ "$(< "$exit_file")" -eq 0 ] && continue
    out_file="${exit_file%exit}out"
-    printf '\n%s\n%s\n%s\n' "$dashes" "$out_file" "$dashes"
+    printf '\n%s\n%s\n%s\n' "$sep" "$out_file" "$sep"
    cat "$out_file"
 done
 exit 1
--- a/SPECS/git.spec
+++ b/SPECS/git.spec
`@ -1,2 +1,2 @@`
	`ee5544e5682b2dd8bc7cfe0cf8952eb4f04a308f SOURCES/git-2.43.7.tar.sign`	`8e9d69d70951427536e5a42ae0e2011750fa59e7 SOURCES/git-2.52.0.tar.sign`
	`4034a9389fe34767a272d7085e9e7d93fb5ff18f SOURCES/git-2.43.7.tar.xz`	`c9bb56cadd9ec733c7dabfd867706e04ea942d9f SOURCES/git-2.52.0.tar.xz`
`@ -1,2 +1,2 @@`
	`SOURCES/git-2.43.7.tar.sign`	`SOURCES/git-2.52.0.tar.sign`
	`SOURCES/git-2.43.7.tar.xz`	`SOURCES/git-2.52.0.tar.xz`