From acb4b582c7f27ff8bb61430c28b2a97c4fd65381 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Wed, 30 May 2018 14:22:59 -0400 Subject: [PATCH 1/6] Disable jgit tests on s390x, they're unreliable Specifically, t5512-ls-remote.sh has a test which starts a jgit daemon. This has failed to exit on a number of occasions, only on s390x. We could disable just that test with "GIT_SKIP_TESTS=t5512.28", but the test number can and does change as more ls-remote tests are added. Dropping the jgit BuildRequires is cleaner and only causes 3 tests to be skipped, the offending t5512 test and two others in t5310-pack-bitmaps. Access to s390x might help better debug this, but it does not occur consistently and may be limited to koji. The issue could be a problem in jgit as well. While looking at a hung build, Kevin Fenzi found a few errors in t5512-ls-remote.out: /usr/bin/build-classpath: Could not find xz-java Java extension for this JVM /usr/bin/build-classpath: error: Some specified jars were not found --- git.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/git.spec b/git.spec index 15d2b14..0370ad6 100644 --- a/git.spec +++ b/git.spec @@ -187,7 +187,7 @@ BuildRequires: gnupg BuildRequires: highlight %endif BuildRequires: httpd -%if 0%{?fedora} +%if 0%{?fedora} && %{_arch} != s390x BuildRequires: jgit %endif BuildRequires: mod_dav_svn @@ -902,6 +902,9 @@ make test || ./print-failed-test-output %{?with_docs:%{_pkgdocdir}/git-svn.html} %changelog +* Wed May 30 2018 Todd Zullinger +- Disable jgit tests on s390x, they're unreliable + * Tue May 29 2018 Todd Zullinger - 2.17.1-2 - packfile: Correct zlib buffer handling (#1582555) From 9026f93dc83071071b6f4e6c6f6fcb0d9ac77fe7 Mon Sep 17 00:00:00 2001 
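Review bot: In the first git.spec hunk the new condition `%if 0%{?fedora} && %{_arch} != s390x` compares two unquoted words, so it only works where the rpm expression parser accepts bare words as strings; newer rpm releases are, as far as I know, stricter about this. Quoting both operands makes the string comparison explicit: `%if 0%{?fedora} && "%{_arch}" != "s390x"`. A one-line comment above the conditional, for example `# jgit daemon test hangs intermittently on s390x; skip the jgit-dependent tests there`, would keep the reason next to the code, since dropping the BuildRequires silently skips three tests on that architecture.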
From: Todd Zullinger Date: Wed, 30 May 2018 14:42:00 -0400 Subject: [PATCH 2/6] Use %make_build and %make_install Also drop DESTDIR and INSTALL from config.mak; they are both handled via %make_install. Remove the rpmlint filter for %buildroot usage which was only needed due to DESTDIR's use in config.mak. --- git.rpmlintrc | 3 --- git.spec | 15 +++++++-------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/git.rpmlintrc b/git.rpmlintrc index caf2fb7..9a57745 100644 --- a/git.rpmlintrc +++ b/git.rpmlintrc @@ -4,9 +4,6 @@ from Config import * addFilter("git.* spelling-error %description .* subpackages") addFilter("git-subtree.* spelling-error %description .* (subdirectory|subproject|subtree)") -# We're not misusing %{buildroot} here -addFilter("git\.(spec|src):.* rpm-buildroot-usage %prep DESTDIR = %{buildroot}") - # git-core-doc requires git-core, which provides the symlink target addFilter("git(-core-doc)?\..*: W: dangling-relative-symlink /usr/share/doc/git/contrib/hooks ../../../git-core/contrib/hooks") diff --git a/git.spec b/git.spec index 0370ad6..2d1dea5 100644 --- a/git.spec +++ b/git.spec @@ -463,8 +463,6 @@ LDFLAGS = %{__global_ldflags} NEEDS_CRYPTO_WITH_SSL = 1 USE_LIBPCRE2 = 1 ETC_GITCONFIG = %{_sysconfdir}/gitconfig -DESTDIR = %{buildroot} -INSTALL = install -p GITWEB_PROJECTROOT = %{_localstatedir}/lib/git GNU_ROFF = 1 NO_CROSS_DIRECTORY_HARDLINKS = 1 @@ -512,18 +510,18 @@ rm -rf perl/Git/LoadCPAN{.pm,/} grep -rlZ '^use Git::LoadCPAN::' | xargs -r0 sed -i 's/Git::LoadCPAN:://g' %build -make %{?_smp_mflags} all %{?with_docs:doc} +%make_build all %{?with_docs:doc} make -C contrib/emacs %if %{libsecret} -make -C contrib/credential/libsecret/ +%make_build -C contrib/credential/libsecret/ %endif make -C contrib/credential/netrc/ -make -C contrib/diff-highlight/ +%make_build -C contrib/diff-highlight/ -make -C contrib/subtree/ +%make_build -C contrib/subtree/ # Fix shebang in a few places to silence rpmlint complaints # 
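Review bot: In the %build hunk, `make -C contrib/emacs` and `make -C contrib/credential/netrc/` stay on plain `make` while the libsecret, diff-highlight and subtree lines around them move to `%make_build`, and nothing on the page says whether that is deliberate. If those two directories cannot take the macro's flags, a short comment above each line would record it; otherwise `%make_build -C contrib/credential/netrc/` and `%make_build -C contrib/emacs` would keep the section consistent. The %build section continues outside the hunk.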
@@ -546,7 +544,7 @@ sed -i -e '1s@#!\( */usr/bin/env python\|%{__python2}\)$@#!%{__python3}@' \ %endif %install -make %{?_smp_mflags} install %{?with_docs:install-doc} +%make_install %{?with_docs:install-doc} # symlink %%{gitexecdir} copies of git, git-shell, and git-upload-pack for i in git git-shell git-upload-pack; do @@ -570,7 +568,7 @@ install -pm 755 contrib/credential/libsecret/git-credential-libsecret \ install -pm 755 contrib/credential/netrc/git-credential-netrc \ %{buildroot}%{gitexecdir} -make -C contrib/subtree install %{?with_docs:install-doc} +%make_install -C contrib/subtree %{?with_docs:install-doc} mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d install -pm 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/httpd/conf.d/%{gitweb_httpd_conf} @@ -904,6 +902,7 @@ make test || ./print-failed-test-output %changelog * Wed May 30 2018 Todd Zullinger - Disable jgit tests on s390x, they're unreliable +- Use %%make_build and %%make_install * Tue May 29 2018 Todd Zullinger - 2.17.1-2 - packfile: Correct zlib buffer handling (#1582555) From 40ad8d51f5e96f6034f41e53c8bb20be87a3937e Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Fri, 1 Jun 2018 15:38:04 -0400 Subject: [PATCH 3/6] add -p: fix counting empty context lines in edited patches References: https://github.com/gitster/git/commit/f2cb01d35 https://public-inbox.org/git/20180601174644.13055-1-phillip.wood@talktalk.net/ (cherry picked from commit 572ec3935e19ac1789effb973948a4237a8f1ac5) --- ...ng-empty-context-lines-in-edited-pat.patch | 99 +++++++++++++++++++ git.spec | 5 + 2 files changed, 104 insertions(+) create mode 100644 0001-add-p-fix-counting-empty-context-lines-in-edited-pat.patch diff --git a/0001-add-p-fix-counting-empty-context-lines-in-edited-pat.patch b/0001-add-p-fix-counting-empty-context-lines-in-edited-pat.patch new file mode 100644 index 0000000..6d36fe5 --- /dev/null +++ b/0001-add-p-fix-counting-empty-context-lines-in-edited-pat.patch 
@@ -0,0 +1,99 @@ +From 5be233541a4fc2e395087fe51a30a3664165e8bc Mon Sep 17 00:00:00 2001 +From: Phillip Wood +Date: Fri, 1 Jun 2018 18:46:44 +0100 +Subject: [PATCH] add -p: fix counting empty context lines in edited patches + +recount_edited_hunk() introduced in commit 2b8ea7f3c7 ("add -p: +calculate offset delta for edited patches", 2018-03-05) required all +context lines to start with a space, empty lines are not counted. This +was intended to avoid any recounting problems if the user had +introduced empty lines at the end when editing the patch. However this +introduced a regression into 'git add -p' as it seems it is common for +editors to strip the trailing whitespace from empty context lines when +patches are edited thereby introducing empty lines that should be +counted. 'git apply' knows how to deal with such empty lines and POSIX +states that whether or not there is an space on an empty context line +is implementation defined [1]. + +Fix the regression by counting lines consist solely of a newline as +well as lines starting with a space as context lines and add a test to +prevent future regressions. 
+ +[1] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/diff.html + +Reported-by: Mahmoud Al-Qudsi +Reported-by: Oliver Joseph Ash +Reported-by: Jeff Felchner +Signed-off-by: Phillip Wood +--- + git-add--interactive.perl | 2 +- + t/t3701-add-interactive.sh | 43 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 44 insertions(+), 1 deletion(-) + +diff --git a/git-add--interactive.perl b/git-add--interactive.perl +index c1f52e457f..befbe8c749 100755 +--- a/git-add--interactive.perl ++++ b/git-add--interactive.perl +@@ -1055,7 +1055,7 @@ sub recount_edited_hunk { + $o_cnt++; + } elsif ($mode eq '+') { + $n_cnt++; +- } elsif ($mode eq ' ') { ++ } elsif ($mode eq ' ' or $_ eq "\n") { + $o_cnt++; + $n_cnt++; + } +diff --git a/t/t3701-add-interactive.sh b/t/t3701-add-interactive.sh +index b170fb02b8..3e9139dca8 100755 +--- a/t/t3701-add-interactive.sh ++++ b/t/t3701-add-interactive.sh +@@ -175,6 +175,49 @@ test_expect_success 'real edit works' ' + diff_cmp expected output + ' + ++test_expect_success 'setup file' ' ++ test_write_lines a "" b "" c >file && ++ git add file && ++ test_write_lines a "" d "" c >file ++' ++ ++test_expect_success 'setup patch' ' ++ SP=" " && ++ NULL="" && ++ cat >patch <<-EOF ++ @@ -1,4 +1,4 @@ ++ a ++ $NULL ++ -b ++ +f ++ $SP ++ c ++ EOF ++' ++ ++test_expect_success 'setup expected' ' ++ cat >expected <<-EOF ++ diff --git a/file b/file ++ index b5dd6c9..f910ae9 100644 ++ --- a/file ++ +++ b/file ++ @@ -1,5 +1,5 @@ ++ a ++ $SP ++ -f ++ +d ++ $SP ++ c ++ EOF ++' ++ ++test_expect_success 'edit can strip spaces from empty context lines' ' ++ test_write_lines e n q | git add -p 2>error && ++ test_must_be_empty error && ++ git diff >output && ++ diff_cmp expected output ++' ++ + test_expect_success 'skip files similarly as commit -a' ' + git reset && + echo file >.gitignore && diff --git a/git.spec b/git.spec index 2d1dea5..a564b84 100644 --- a/git.spec +++ b/git.spec 
@@ -126,6 +126,9 @@ Patch4: 0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch # https://bugzilla.redhat.com/1582555 # https://public-inbox.org/git/20180525231713.23047-1-lintonrjeremy@gmail.com/ Patch5: 0001-packfile-Correct-zlib-buffer-handling.patch +# https://github.com/gitster/git/commit/f2cb01d35 +# https://public-inbox.org/git/20180601174644.13055-1-phillip.wood@talktalk.net/ +Patch6: 0001-add-p-fix-counting-empty-context-lines-in-edited-pat.patch %if %{with docs} BuildRequires: asciidoc >= 8.4.1 @@ -437,6 +440,7 @@ rm -rf "$tar" "$gpghome" # Cleanup tar files and tmp gpg home dir %ifarch aarch64 %patch5 -p1 %endif +%patch6 -p1 # Install print-failed-test-output script install -p -m 755 %{SOURCE99} print-failed-test-output @@ -903,6 +907,7 @@ make test || ./print-failed-test-output * Wed May 30 2018 Todd Zullinger - Disable jgit tests on s390x, they're unreliable - Use %%make_build and %%make_install +- add -p: fix counting empty context lines in edited patches * Tue May 29 2018 Todd Zullinger - 2.17.1-2 - packfile: Correct zlib buffer handling (#1582555) From 6bb36d26416efb5d69538a47c14102bd3824e8f6 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Wed, 30 May 2018 14:03:42 -0400 Subject: [PATCH 4/6] Apply upstream zlib buffer handling patch (#1582555) With the patch accepted upstream, apply it to all architectures and return to using %autosetup. --- ...ackfile-Correct-zlib-buffer-handling.patch | 50 ------------------- ...ackfile-correct-zlib-buffer-handling.patch | 38 ++++++++++++++ git.spec | 23 +++------ 3 files changed, 45 insertions(+), 66 deletions(-) delete mode 100644 0001-packfile-Correct-zlib-buffer-handling.patch create mode 100644 0001-packfile-correct-zlib-buffer-handling.patch diff --git a/0001-packfile-Correct-zlib-buffer-handling.patch b/0001-packfile-Correct-zlib-buffer-handling.patch deleted file mode 100644 index 7de2b9a..0000000 --- a/0001-packfile-Correct-zlib-buffer-handling.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 0255347aed203301302e3f8e39fa87349e178019 Mon Sep 17 00:00:00 2001 -From: Jeremy Linton -Date: Fri, 25 May 2018 17:56:01 -0500 -Subject: [PATCH] packfile: Correct zlib buffer handling - -The buffer being passed to zlib includes a null terminator that -git needs to keep in place. unpack_compressed_entry() attempts to -detect the case that the source buffer hasn't been fully consumed -by checking to see if the destination buffer has been over consumed. - -This yields two problems, first a single byte overrun won't be detected -properly because the Z_STREAM_END will then be set, but the null -terminator will have been overwritten. The other problem is that -more recent zlib patches have been poisoning the unconsumed portions -of the buffers which also overwrites the null, while correctly -returning length and status. - -Lets rely on the fact that the source buffer will only be fully -consumed when the when the destination buffer is inflated to the -correct size. We can do this by passing zlib the correct buffer size -and properly checking the return status. The latter check actually -already exists if the buffer size is correct. 
- -Signed-off-by: Jeremy Linton ---- - packfile.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/packfile.c b/packfile.c -index 7c1a2519fc..245eb32041 100644 ---- a/packfile.c -+++ b/packfile.c -@@ -1416,7 +1416,7 @@ static void *unpack_compressed_entry(struct packed_git *p, - return NULL; - memset(&stream, 0, sizeof(stream)); - stream.next_out = buffer; -- stream.avail_out = size + 1; -+ stream.avail_out = size; - - git_inflate_init(&stream); - do { -@@ -1424,7 +1424,7 @@ static void *unpack_compressed_entry(struct packed_git *p, - stream.next_in = in; - st = git_inflate(&stream, Z_FINISH); - if (!stream.avail_out) -- break; /* the payload is larger than it should be */ -+ break; /* done, st indicates if source fully consumed */ - curpos += stream.next_in - in; - } while (st == Z_OK || st == Z_BUF_ERROR); - git_inflate_end(&stream); diff --git a/0001-packfile-correct-zlib-buffer-handling.patch b/0001-packfile-correct-zlib-buffer-handling.patch new file mode 100644 index 0000000..94b646e --- /dev/null +++ b/0001-packfile-correct-zlib-buffer-handling.patch 
@@ -0,0 +1,38 @@ +From b611396e97cba09c7e1cf900190cf1a9e922546e Mon Sep 17 00:00:00 2001 +From: Jeremy Linton +Date: Wed, 13 Jun 2018 09:22:07 -0500 +Subject: [PATCH] packfile: correct zlib buffer handling + +The buffer being passed to zlib includes a NUL terminator that git +needs to keep in place. unpack_compressed_entry() attempts to detect +the case that the source buffer hasn't been fully consumed by +checking to see if the destination buffer has been over consumed. + +This causes a problem, that more recent zlib patches have been +poisoning the unconsumed portions of the buffer which overwrites +the NUL byte, while correctly returning length and status. + +Let's place the NUL at the end of the buffer after inflate returns +to assure that it doesn't result in problems for git even if its +been overwritten by zlib. + +Signed-off-by: Jeremy Linton +Signed-off-by: Junio C Hamano +--- + packfile.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/packfile.c b/packfile.c +index 4a5fe7ab18838..d55569921793e 100644 +--- a/packfile.c ++++ b/packfile.c +@@ -1422,6 +1422,9 @@ static void *unpack_compressed_entry(struct packed_git *p, + return NULL; + } + ++ /* versions of zlib can clobber unconsumed portion of outbuf */ ++ buffer[size] = '\0'; ++ + return buffer; + } + diff --git a/git.spec b/git.spec index a564b84..ea6cdf0 100644 --- a/git.spec +++ b/git.spec @@ -83,7 +83,7 @@ Name: git Version: 2.17.1 -Release: 2%{?rcrev}%{?dist} +Release: 3%{?rcrev}%{?dist} Summary: Fast Version Control System License: GPLv2 URL: https://git-scm.com/ 
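Review bot: The added `buffer[size] = '\0';` writes at index `size`, which is in bounds only if the buffer was allocated with at least `size + 1` bytes; that allocation is outside the hunk and the new comment does not mention it. The `stream.avail_out = size + 1;` line in the patch being deleted suggests the extra byte exists, but the dependency should be stated where the write happens, for example `/* buffer holds size + 1 bytes; zlib may clobber the unconsumed tail, so restore the NUL */`. unpack_compressed_entry() begins outside the hunk.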
@@ -124,8 +124,9 @@ Patch3: 0001-daemon.c-fix-condition-for-redirecting-stderr.patch # https://public-inbox.org/git/20180524062733.5412-1-newren@gmail.com/ Patch4: 0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch # https://bugzilla.redhat.com/1582555 +# https://github.com/gitster/git/commit/b611396e97.patch # https://public-inbox.org/git/20180525231713.23047-1-lintonrjeremy@gmail.com/ -Patch5: 0001-packfile-Correct-zlib-buffer-handling.patch +Patch5: 0001-packfile-correct-zlib-buffer-handling.patch # https://github.com/gitster/git/commit/f2cb01d35 # https://public-inbox.org/git/20180601174644.13055-1-phillip.wood@talktalk.net/ Patch6: 0001-add-p-fix-counting-empty-context-lines-in-edited-pat.patch @@ -427,20 +428,7 @@ rm -rf "$tar" "$gpghome" # Cleanup tar files and tmp gpg home dir # Ensure a blank line follows autosetup, el6 chokes otherwise # https://bugzilla.redhat.com/1310704 -#autosetup -p1 -n %{name}-%{version}%{?rcrev} - -# Setup/apply patches manually to limit the zlib patch to aarch64 -# until it is accepted upstream -%setup -q -n %{name}-%{version}%{?rcrev} -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%ifarch aarch64 -%patch5 -p1 -%endif -%patch6 -p1 +%autosetup -p1 -n %{name}-%{version}%{?rcrev} # Install print-failed-test-output script install -p -m 755 %{SOURCE99} print-failed-test-output @@ -904,6 +892,9 @@ make test || ./print-failed-test-output %{?with_docs:%{_pkgdocdir}/git-svn.html} %changelog +* Thu Jun 14 2018 Todd Zullinger - 2.17.1-3 +- Apply upstream zlib buffer handling patch (#1582555) + * Wed May 30 2018 Todd Zullinger - Disable jgit tests on s390x, they're unreliable - Use %%make_build and %%make_install From 3718546d068d89e794cfd7aae9b6385935caf0f3 Mon Sep 17 00:00:00 2001 
From: Todd Zullinger Date: Fri, 5 Oct 2018 15:27:01 -0400 Subject: [PATCH 5/6] Update to 2.17.2 (CVE-2018-17456) From the upstream release announcement: These releases fix a security flaw (CVE-2018-17456), which allowed an attacker to execute arbitrary code by crafting a malicious .gitmodules file in a project cloned with --recurse-submodules. When running "git clone --recurse-submodules", Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a "git clone" subprocess. If the URL field is set to a string that begins with a dash, this "git clone" subprocess interprets the URL as an option. This can lead to executing an arbitrary script shipped in the superproject as the user who ran "git clone". In addition to fixing the security issue for the user running "clone", the 2.17.2, 2.18.1 and 2.19.1 releases have an "fsck" check which can be used to detect such malicious repository content when fetching or accepting a push. See "transfer.fsckObjects" in git-config(1). Credit for finding and fixing this vulnerability goes to joernchen and Jeff King, respectively. References: https://public-inbox.org/git/xmqqy3bcuy3l.fsf@gitster-ct.c.googlers.com/ --- git.spec | 7 +++++-- sources | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/git.spec b/git.spec index ea6cdf0..4cc3d5a 100644 --- a/git.spec +++ b/git.spec @@ -82,8 +82,8 @@ #global rcrev .rc0 Name: git -Version: 2.17.1 -Release: 3%{?rcrev}%{?dist} +Version: 2.17.2 +Release: 1%{?rcrev}%{?dist} Summary: Fast Version Control System License: GPLv2 URL: https://git-scm.com/ @@ -892,6 +892,9 @@ make test || ./print-failed-test-output %{?with_docs:%{_pkgdocdir}/git-svn.html} %changelog +* Fri Oct 05 2018 Todd Zullinger - 2.17.2-1 +- Update to 2.17.2 (CVE-2018-17456) + * Thu Jun 14 2018 Todd Zullinger - 2.17.1-3 - Apply upstream zlib buffer handling patch (#1582555) diff --git a/sources b/sources index 09e10ec..32b8051 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (git-2.17.1.tar.xz) = 77c27569d40fbae1842130baa0cdda674a02e384631bd8fb1f2ddf67ce372dd4903b2ce6b4283a4ae506cdedd5daa55baa2afe6a6689528511e24e4beb864960
-SHA512 (git-2.17.1.tar.sign) = 90fd436a1df4a154afa36a4aaea8fa447db703ca42197f5f4507c81f96076d5f20006c265506326958f5e0b670b72b11bc37ae4bebbfee0f6ba9d9274cf71017
+SHA512 (git-2.17.2.tar.xz) = 2203a0437836360cafb0052b0f34a86363b81262d7547d1ed15dcad435a85170d85c385cb2d8406085e21004ed81ae3c55080b1e47a1cf094cb4190b98d9d6c1
+SHA512 (git-2.17.2.tar.sign) = 4c2e6aba73848d6983f6b9bc23296de2480cc99bf83568c765ea111d10b7f9745be618ce4211ad31ff3eecfb493ea56ef2352f204c3785da817501d6645608a8
From 76a7cec2c4c4425d637357557b71042061a2a2ae Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Mon, 26 Nov 2018 11:15:21 -0500
Subject: [PATCH 6/6] apply upstream run-command PATH fix (CVE-2018-19486)
References: https://github.com/git/git/commit/321fd82389
---
...-mark-path-lookup-errors-with-ENOENT.patch | 132 ++++++++++++++++++
git.spec | 8 +-
2 files changed, 139 insertions(+), 1 deletion(-)
create mode 100644 0001-run-command-mark-path-lookup-errors-with-ENOENT.patch
diff --git a/0001-run-command-mark-path-lookup-errors-with-ENOENT.patch b/0001-run-command-mark-path-lookup-errors-with-ENOENT.patch
new file mode 100644
index 0000000..e01262d
--- /dev/null
+++ b/0001-run-command-mark-path-lookup-errors-with-ENOENT.patch
@@ -0,0 +1,132 @@ +From 321fd82389742398d2924640ce3a61791fd27d60 Mon Sep 17 00:00:00 2001 +From: Jeff King +Date: Wed, 24 Oct 2018 03:38:00 -0400 +Subject: [PATCH] run-command: mark path lookup errors with ENOENT + +Since commit e3a434468f (run-command: use the +async-signal-safe execv instead of execvp, 2017-04-19), +prepare_cmd() does its own PATH lookup for any commands we +run (on non-Windows platforms). + +However, its logic does not match the old execvp call when +we fail to find a matching entry in the PATH. Instead of +feeding the name directly to execv, execvp would consider +that an ENOENT error. By continuing and passing the name +directly to execv, we effectively behave as if "." was +included at the end of the PATH. This can have confusing and +even dangerous results. + +The fix itself is pretty straight-forward. There's a new +test in t0061 to cover this explicitly, and I've also added +a duplicate of the ENOENT test to ensure that we return the +correct errno for this case. + +Signed-off-by: Jeff King +Signed-off-by: Junio C Hamano +--- + run-command.c | 21 +++++++++++++++++---- + t/t0061-run-command.sh | 13 ++++++++++++- + 2 files changed, 29 insertions(+), 5 deletions(-) + +diff --git a/run-command.c b/run-command.c +index 014b2165b5a2f..8d42a4f534f7a 100644 +--- a/run-command.c ++++ b/run-command.c +@@ -378,7 +378,7 @@ static void child_err_spew(struct child_process *cmd, struct child_err *cerr) + set_error_routine(old_errfn); + } + +-static void prepare_cmd(struct argv_array *out, const struct child_process *cmd) ++static int prepare_cmd(struct argv_array *out, const struct child_process *cmd) + { + if (!cmd->argv[0]) + die("BUG: command is empty"); +@@ -401,16 +401,22 @@ static void prepare_cmd(struct argv_array *out, const struct child_process *cmd) + /* + * If there are no '/' characters in the command then perform a path + * lookup and use the resolved path as the command to exec. 
If there +- * are no '/' characters or if the command wasn't found in the path, +- * have exec attempt to invoke the command directly. ++ * are '/' characters, we have exec attempt to invoke the command ++ * directly. + */ + if (!strchr(out->argv[1], '/')) { + char *program = locate_in_PATH(out->argv[1]); + if (program) { + free((char *)out->argv[1]); + out->argv[1] = program; ++ } else { ++ argv_array_clear(out); ++ errno = ENOENT; ++ return -1; + } + } ++ ++ return 0; + } + + static char **prep_childenv(const char *const *deltaenv) +@@ -635,6 +641,12 @@ int start_command(struct child_process *cmd) + struct child_err cerr; + struct atfork_state as; + ++ if (prepare_cmd(&argv, cmd) < 0) { ++ failed_errno = errno; ++ cmd->pid = -1; ++ goto end_of_spawn; ++ } ++ + if (pipe(notify_pipe)) + notify_pipe[0] = notify_pipe[1] = -1; + +@@ -645,7 +657,6 @@ int start_command(struct child_process *cmd) + set_cloexec(null_fd); + } + +- prepare_cmd(&argv, cmd); + childenv = prep_childenv(cmd->env); + atfork_prepare(&as); + +@@ -773,6 +784,8 @@ int start_command(struct child_process *cmd) + argv_array_clear(&argv); + free(childenv); + } ++end_of_spawn: ++ + #else + { + int fhin = 0, fhout = 1, fherr = 2; +diff --git a/t/t0061-run-command.sh b/t/t0061-run-command.sh +index e4739170aa2b7..0303ddbb6440f 100755 +--- a/t/t0061-run-command.sh ++++ b/t/t0061-run-command.sh +@@ -13,10 +13,14 @@ cat >hello-script <<-EOF + EOF + >empty + +-test_expect_success 'start_command reports ENOENT' ' ++test_expect_success 'start_command reports ENOENT (slash)' ' + test-run-command start-command-ENOENT ./does-not-exist + ' + ++test_expect_success 'start_command reports ENOENT (no slash)' ' ++ test-run-command start-command-ENOENT does-not-exist ++' ++ + test_expect_success 'run_command can run a command' ' + cat hello-script >hello.sh && + chmod +x hello.sh && +@@ -26,6 +30,13 @@ test_expect_success 'run_command can run a command' ' + test_cmp empty err + ' + ++test_expect_success 'run_command is 
restricted to PATH' ' ++ write_script should-not-run <<-\EOF && ++ echo yikes ++ EOF ++ test_must_fail test-run-command run-command should-not-run ++' ++ + test_expect_success !MINGW 'run_command can run a script without a #! line' ' + cat >hello <<-\EOF && + cat hello-script diff --git a/git.spec b/git.spec index 4cc3d5a..4f4b74b 100644 --- a/git.spec +++ b/git.spec @@ -83,7 +83,7 @@ Name: git Version: 2.17.2 -Release: 1%{?rcrev}%{?dist} +Release: 2%{?rcrev}%{?dist} Summary: Fast Version Control System License: GPLv2 URL: https://git-scm.com/ @@ -130,6 +130,9 @@ Patch5: 0001-packfile-correct-zlib-buffer-handling.patch # https://github.com/gitster/git/commit/f2cb01d35 # https://public-inbox.org/git/20180601174644.13055-1-phillip.wood@talktalk.net/ Patch6: 0001-add-p-fix-counting-empty-context-lines-in-edited-pat.patch +# https://bugzilla.redhat.com/1653143 +# https://github.com/git/git/commit/321fd82389.patch +Patch7: 0001-run-command-mark-path-lookup-errors-with-ENOENT.patch %if %{with docs} BuildRequires: asciidoc >= 8.4.1 @@ -892,6 +895,9 @@ make test || ./print-failed-test-output %{?with_docs:%{_pkgdocdir}/git-svn.html} %changelog +* Mon Nov 26 2018 Todd Zullinger - 2.17.2-2 +- apply upstream run-command PATH fix (CVE-2018-19486) + * Fri Oct 05 2018 Todd Zullinger - 2.17.2-1 - Update to 2.17.2 (CVE-2018-17456)
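Review bot: prepare_cmd() now has a failure contract that nothing at its definition states: it returns -1, sets errno to ENOENT and clears `out`. start_command() depends on that last part, because its `goto end_of_spawn` lands after the `argv_array_clear(&argv)` call in the spawn block. I would add a comment above the function such as `/* Returns 0 on success; if the command has no '/' and is not found in PATH, clears 'out', sets errno to ENOENT and returns -1. */`, so a later caller does not ignore the return value or clear the array twice. Both function bodies extend beyond the hunks shown in the embedded patch.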