From 6eb7905679ed6315b4cd1aaa42e1f620a598e1c8 Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Tue, 9 Mar 2021 13:51:47 -0500
Subject: [PATCH 1/2] update to 2.30.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This release includes a fix for CVE-2021-21300¹.
Release notes:
https://github.com/git/git/raw/v2.30.2/Documentation/RelNotes/2.30.2.txt
¹ Per the 2.17.6 release notes on CVE-2021-21300:
On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone.
---
 git.spec | 7 +++++--
 sources | 4 ++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/git.spec b/git.spec
index 6fa4261..caf8df8 100644
--- a/git.spec
+++ b/git.spec
@@ -96,8 +96,8 @@
 #global rcrev .rc0
 Name: git
-Version: 2.30.1
-Release: 3%{?rcrev}%{?dist}
+Version: 2.30.2
+Release: 1%{?rcrev}%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
 URL: https://git-scm.com/
@@ -1070,6 +1070,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 %changelog
+* Tue Mar 09 2021 Todd Zullinger - 2.30.2-1
+- update to 2.30.2 (CVE-2021-21300)
+
 * Tue Mar 02 2021 Todd Zullinger - 2.30.1-3
 - use %%{gpgverify} macro to verify tarball signature
diff --git a/sources b/sources
index 8265a5c..de8021b 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (git-2.30.1.tar.xz) = b3567d251c73807857f05f46cae3acb4e0d876590d122229c05509d5eb17fc3eee0ba97a1b2068070b399085f7a92aa2493c4833b98f65b8ef15fc279798caa3
-SHA512 (git-2.30.1.tar.sign) = 74f03e9b38fb33cfc8bf8d17ac108c769663acfd4b72c5fade4410b06b6c7c29479a82f58409ba780468f56e0ce24bc86f118e7f31060941067c34f02778f6e2
+SHA512 (git-2.30.2.tar.xz) = 4f7e1c30f8eee849d1febeda872d56c60c5d051a31726505a4c7bab11b274d3a2ab5588f910b7b49c5c0ec5228a18457f705c7b66e8bbdf809d3c75c59032b7e
+SHA512 (git-2.30.2.tar.sign) = 36aed3ddda7d60899970c63da7afd5e64a27d1a0998aaeabfcdb8f3865b5629f8b9b039cd3b23532d358b995bd700dfbe0624c48568ac102763498a1fc409b0c

From d90a306a7924046f2caf77e90846568c31456b8a Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Mon, 18 Apr 2022 15:00:52 -0400
Subject: [PATCH 2/2] update to 2.34.3 (#2073414, CVE-2022-24765)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Per the upstream release notes from 2.30.3¹:
This release addresses the security issue CVE-2022-24765.
* CVE-2022-24765: On multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g. when another user created a repository in `C:\.git`, in a mounted network drive or in a scratch space. Merely having a Git-aware prompt that runs `git status` (or `git diff`) and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user.
and 2.30.4²:
This release contains minor fix-ups for the changes that went into Git 2.30.3, which was made to address CVE-2022-24765.
* The code that was meant to parse the new `safe.directory` configuration variable was not checking what configuration variable was being fed to it, which has been corrected.
* '*' can be used as the value for the `safe.directory` variable to signal that the user considers that any directory is safe.
¹ https://github.com/git/git/raw/v2.30.3/Documentation/RelNotes/2.30.3.txt
² https://github.com/git/git/raw/v2.30.4/Documentation/RelNotes/2.30.4.txt
---
 git.spec | 5 ++++-
 sources | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/git.spec b/git.spec
index 14b000b..15b92a5 100644
--- a/git.spec
+++ b/git.spec
@@ -79,7 +79,7 @@
 #global rcrev .rc0
 Name: git
-Version: 2.34.1
+Version: 2.34.3
 Release: 1%{?rcrev}%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
@@ -1008,6 +1008,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 %changelog
+* Mon Apr 18 2022 Todd Zullinger - 2.34.3-1
+- update to 2.34.3 (#2073414, CVE-2022-24765)
+
 * Thu Nov 25 2021 Todd Zullinger - 2.34.1-1
 - update to 2.34.1
 - fix gpgsm issues with gnupg-2.3
diff --git a/sources b/sources
index 9c138f8..a7aaf3b 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (git-2.34.1.tar.xz) = a1a8e9e6f64b1da25508fbd2f783564dcdbe181fb5ff1ebab3bdac6db6094e18acc334479a1abf22ac17ce4f733cc3e10a664db9ab234cd523735a3f027b42db
-SHA512 (git-2.34.1.tar.sign) = a1111276e18da1a7b360e3ed3b8460034ea413b116482b0b66342f8873a9dd02a90f3f5bc7ad1e4b3c7f39ed55926a8155064b849e6e6bdf9478cb85b93f10b5
+SHA512 (git-2.34.3.tar.xz) = 6bf06b11257bdea48bf37e83c16a805a603c3712c08bd771fb08e09c4d26b53e949249ebbf5e6a58b36a16e2defd1ac09c54312669bd4a5a7d48efb4ec15f59a
+SHA512 (git-2.34.3.tar.sign) = 618501c751380c0e918ff6cb8d2ab40ebb95666c28f299916b1b89782b9c3028d1d87e7a0e4f8bb71b7e5488c3bd0c6528f93eeb3e04b42d922dd9d4ee420902