From the upstream release announcement:
These releases fix a security flaw (CVE-2018-17456), which allowed an
attacker to execute arbitrary code by crafting a malicious .gitmodules
file in a project cloned with --recurse-submodules.
When running "git clone --recurse-submodules", Git parses the supplied
.gitmodules file for a URL field and blindly passes it as an argument
to a "git clone" subprocess. If the URL field is set to a string that
begins with a dash, this "git clone" subprocess interprets the URL as
an option. This can lead to executing an arbitrary script shipped in
the superproject as the user who ran "git clone".
In addition to fixing the security issue for the user running "clone",
the 2.17.2, 2.18.1 and 2.19.1 releases have an "fsck" check which can
be used to detect such malicious repository content when fetching or
accepting a push. See "transfer.fsckObjects" in git-config(1).
Credit for finding and fixing this vulnerability goes to joernchen
and Jeff King, respectively.
References:
https://public-inbox.org/git/xmqqy3bcuy3l.fsf@gitster-ct.c.googlers.com/
Fixes two security issues, described in the 2.13.7 release notes¹:
* Submodule "names" come from the untrusted .gitmodules file, but we
blindly append them to $GIT_DIR/modules to create our on-disk repo
paths. This means you can do bad things by putting "../" into the
name. We now enforce some rules for submodule names which will cause
Git to ignore these malicious names (CVE-2018-11235).
Credit for finding this vulnerability and the proof of concept from
which the test script was adapted goes to Etienne Stalmans.
* It was possible to trick the code that sanity-checks paths on NTFS
into reading random piece of memory (CVE-2018-11233).
¹ https://mirrors.edge.kernel.org/pub/software/scm/git/docs/RelNotes/2.13.7.txt
The script is installed at /usr/share/git-core/contrib/diff-highlight.
Documentation is in /usr/share/doc/git/contrib/diff-highlight/README.
(cherry picked from commit 440594446e)
From the release announcement¹
A malicious third-party can give a crafted "ssh://..." URL to an
unsuspecting victim, and an attempt to visit the URL can result in
any program that exists on the victim's machine being executed.
Such a URL could be placed in the .gitmodules file of a malicious
project, and an unsuspecting victim could be tricked into running
"git clone --recurse-submodules" to trigger the vulnerability.
Credits to find and fix the issue go to Brian Neel at GitLab, Joern
Schneeweisz of Recurity Labs and Jeff King at GitHub.
¹ https://public-inbox.org/git/xmqqh8xf482j.fsf@gitster.mtv.corp.google.com/
Setting 'PYTHON_PATH = %{__python2}' in config.mak should work, but
doing so causes the remote svn tests in t9020 (which use a python script
to similate svnrdump) to fail. Just fix the git-p4 shebang until the
svn test failures can be resolved.
The pcre1 library is only maintained for serious bugs and
vulnerabilities at this point. Further improvements are happening in
pcre2. In a future release git will make this the default library for
pcre support.
EL-5 has been EOL for several months now. We can drop all the
conditionals needed to build there, as well as some conditionals for
long-expired Fedora releases.
Without EL-5 we also no longer use the prebuilt documentation. Remove
these sources and simplify the gpg check for the remaining source.
Links in docfiles are now automatically checked for correct paths
by linkchecker. The test is available only for Fedora 25+ system,
because the utility is not available for RHEL.
We have not supported git-archimport in many years and have removed the
files from the documentation. Removing it from the command list ensures
that git will not generate a link to the command in the documentation.
This avoids leaving a broken link in the html docs.
Move documentation files from all subpackages into the %{_pkgdocdir}
directory, so links inside doc and man files are correct
Resolves: #1357438
- excluded *py[co] files from doc/* subdirectories, as these files
are not expected to be executed (thanks tmz)
The grep tests succeed and fail intermittently on s390x. Until that
arch is more established and works (or fails) consistently, skip these
tests rather than let s390x hold back ever other arch.
Upstream changed the default SHA1 implementation in 2.13.0 to one which
detects collisions¹. It may be slightly slower than BLK_SHA1 in some
cases, but the added safety it provides in the face of the SHAttered²
attack should be worth the cost.
We overrode the default SHA1 implementation in b796934 (Update to
git-1.6.5.rc2 - Enable Linus' block-sha1 implementation.) The main
reason was to avoid linking against openssl's libcrypto for most
binaries, which saved a measurable amount of space. Using the new
DC_SHA1 default provides the same benefit.
¹ e6b07da278
² https://shattered.io/
Since the libsecret replaces the libgnome-keyring,
the libgnome-keyring is not necessary to keep it in the git package.
In addition, gnome-keyring is deprecated and according to people
from GNOME, they do not expect that anyone would want to use the old
library when libsecret is installed. So drop credentials for
libgnome-keyring.
However, I keep that credential in spec for older systems where it
has been originally, but it is split into the separate rpm, so at
least it will not be required by the git package. It can be removed
later.
Usually in Fedora this change will not change paths in current
packages, because both macros has same value now (/var). However,
the first one is "more recommended", because some build environments
redefine path in this macro for own purposes, in contrast with
%{_var} which is usually kept as it is.
- missing libcurl requirement for git-core
- git-email & git-cvs should require 'perl(Git)' according
to guidelines
- perl-generators are required during build only for Fedora 21+
