From ed693e32ba92f16ac141d5b925019abe1c05b807 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Tue, 7 Nov 2017 12:06:00 -0500 Subject: [PATCH 1/6] Fix git clone memory exhaustion (CVE-2017-15298) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cherry-pick upstream patch from a937b37e76 (revision: quit pruning diff more quickly when possible, 2017-10-13)¹. Resolves: #1510455, #1510457 ¹ https://github.com/git/git/commit/a937b37e76 --- ...uning-diff-more-quickly-when-possibl.patch | 129 ++++++++++++++++++ git.spec | 11 +- 2 files changed, 139 insertions(+), 1 deletion(-) create mode 100644 0001-revision-quit-pruning-diff-more-quickly-when-possibl.patch diff --git a/0001-revision-quit-pruning-diff-more-quickly-when-possibl.patch b/0001-revision-quit-pruning-diff-more-quickly-when-possibl.patch new file mode 100644 index 0000000..9d428cf --- /dev/null +++ b/0001-revision-quit-pruning-diff-more-quickly-when-possibl.patch 
@@ -0,0 +1,129 @@ +From fffa73135ec366040b4570e386736afcd9fc4715 Mon Sep 17 00:00:00 2001 +From: Jeff King +Date: Fri, 13 Oct 2017 11:27:45 -0400 +Subject: [PATCH] revision: quit pruning diff more quickly when possible + +When the revision traversal machinery is given a pathspec, +we must compute the parent-diff for each commit to determine +which ones are TREESAME. We set the QUICK diff flag to avoid +looking at more entries than we need; we really just care +whether there are any changes at all. + +But there is one case where we want to know a bit more: if +--remove-empty is set, we care about finding cases where the +change consists only of added entries (in which case we may +prune the parent in try_to_simplify_commit()). To cover that +case, our file_add_remove() callback does not quit the diff +upon seeing an added entry; it keeps looking for other types +of entries. + +But this means when --remove-empty is not set (and it is not +by default), we compute more of the diff than is necessary. +You can see this in a pathological case where a commit adds +a very large number of entries, and we limit based on a +broad pathspec. E.g.: + + perl -e ' + chomp(my $blob = `git hash-object -w --stdin remove_empty_trees. This callback parameter could be +passed to the "add_remove" and "change" callbacks, but +there's not much point. They already receive the +diff_options struct, and doing it this way avoids having to +update the function signature of the other callbacks +(arguably the format_callback and output_prefix functions +could benefit from the same simplification). 
+
+Signed-off-by: Jeff King
+Signed-off-by: Junio C Hamano
+(cherry picked from commit a937b37e766479c8e780b17cce9c4b252fd97e40)
+---
+ diff.h | 1 +
+ revision.c | 16 +++++++++++++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/diff.h b/diff.h
+index 2d442e296f..142a2f24f2 100644
+--- a/diff.h
++++ b/diff.h
+@@ -180,6 +180,7 @@ struct diff_options {
+ pathchange_fn_t pathchange;
+ change_fn_t change;
+ add_remove_fn_t add_remove;
++ void *change_fn_data;
+ diff_format_fn_t format_callback;
+ void *format_callback_data;
+ diff_prefix_fn_t output_prefix;
+diff --git a/revision.c b/revision.c
+index 7da0907c85..1770f9ec33 100644
+--- a/revision.c
++++ b/revision.c
+@@ -392,8 +392,16 @@ static struct commit *one_relevant_parent(const struct rev_info *revs,
+ * if the whole diff is removal of old data, and otherwise
+ * REV_TREE_DIFFERENT (of course if the trees are the same we
+ * want REV_TREE_SAME).
+- * That means that once we get to REV_TREE_DIFFERENT, we do not
+- * have to look any further.
++ *
++ * The only time we care about the distinction is when
++ * remove_empty_trees is in effect, in which case we care only about
++ * whether the whole change is REV_TREE_NEW, or if there's another type
++ * of change. Which means we can stop the diff early in either of these
++ * cases:
++ *
++ * 1. We're not using remove_empty_trees at all.
++ *
++ * 2. We saw anything except REV_TREE_NEW.
+ */
+ static int tree_difference = REV_TREE_SAME;
+
+@@ -404,9 +412,10 @@ static void file_add_remove(struct diff_options *options,
+ const char *fullpath, unsigned dirty_submodule)
+ {
+ int diff = addremove == '+' ?
REV_TREE_NEW : REV_TREE_OLD; ++ struct rev_info *revs = options->change_fn_data; + + tree_difference |= diff; +- if (tree_difference == REV_TREE_DIFFERENT) ++ if (!revs->remove_empty_trees || tree_difference != REV_TREE_NEW) + DIFF_OPT_SET(options, HAS_CHANGES); + } + +@@ -1345,6 +1354,7 @@ void init_revisions(struct rev_info *revs, const char *prefix) + DIFF_OPT_SET(&revs->pruning, QUICK); + revs->pruning.add_remove = file_add_remove; + revs->pruning.change = file_change; ++ revs->pruning.change_fn_data = revs; + revs->sort_order = REV_SORT_IN_GRAPH_ORDER; + revs->dense = 1; + revs->prefix = prefix; +-- +2.15.0 + diff --git a/git.spec b/git.spec index 62ef4fc..491f8fc 100644 --- a/git.spec +++ b/git.spec @@ -45,7 +45,7 @@ Name: git Version: 2.14.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools @@ -76,6 +76,10 @@ Patch0: git-1.8-gitweb-home-link.patch # https://bugzilla.redhat.com/490602 Patch1: git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch +# https://bugzilla.redhat.com/1510455 (CVE-2017-15298) +# https://github.com/git/git/commit/a937b37e76 +Patch2: 0001-revision-quit-pruning-diff-more-quickly-when-possibl.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! 0%{?_without_docs} @@ -346,6 +350,7 @@ rm -rf "$tar" "$gpghome" # Cleanup tar files and tmp gpg home dir %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 # Remove git-archimport from command list sed -i '/^git-archimport/d' command-list.txt @@ -730,6 +735,10 @@ rm -rf %{buildroot} # No files for you! %changelog +* Tue Nov 07 2017 Todd Zullinger - 2.14.3-2 +- Fix git-clone memory exhaustion (CVE-2017-15298) + Resolves: #1510455, #1510457 + * Mon Oct 23 2017 Todd Zullinger - 2.14.3-1 - Update to 2.14.3 From be2f446161afd5e67ab3cbb06676ac86b7573622 Mon Sep 17 00:00:00 2001 
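Review bot: In the carried revision.c change, `file_add_remove()` dereferences `revs` (`!revs->remove_empty_trees`) straight after `struct rev_info *revs = options->change_fn_data;` with no NULL check, and the only assignment visible is the `revs->pruning.change_fn_data = revs;` added to `init_revisions()`. A `rev_info` that is copied by value after initialisation would presumably keep pointing at the original through this field; whether any caller does that is not visible in these hunks. The new `void *change_fn_data;` member in diff.h is also added without a comment; something like `/* opaque data for the add_remove and change callbacks; revision.c stores its rev_info here */` would tell other users of `struct diff_options` what it holds and who owns it. Because this file is a cherry-pick of the upstream fix for CVE-2017-15298, both points are better raised upstream than patched locally; the body of `file_add_remove()` starts outside the hunk.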
From: Todd Zullinger Date: Fri, 16 Feb 2018 14:39:52 -0500 Subject: [PATCH 2/6] git-svn: avoid segfaults in 'git svn branch' Reference: https://public-inbox.org/git/20180129231653.GA22834@starla/ --- ...-destruction-order-to-avoid-segfault.patch | 40 +++++++++++++++++++ git.spec | 9 ++++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 0001-git-svn-control-destruction-order-to-avoid-segfault.patch diff --git a/0001-git-svn-control-destruction-order-to-avoid-segfault.patch b/0001-git-svn-control-destruction-order-to-avoid-segfault.patch new file mode 100644 index 0000000..8518dd5 --- /dev/null +++ b/0001-git-svn-control-destruction-order-to-avoid-segfault.patch @@ -0,0 +1,40 @@ +From 7f6f75e97acd25f8e95ce431e16d2e1c2093845d Mon Sep 17 00:00:00 2001 +From: Eric Wong +Date: Mon, 29 Jan 2018 23:11:07 +0000 +Subject: [PATCH] git-svn: control destruction order to avoid segfault + +It seems necessary to control destruction ordering to avoid a +segfault with SVN 1.9.5 when using "git svn branch". I've also +reported the problem against libsvn-perl to Debian [Bug #888791], +but releasing the SVN::Client instance can be beneficial anyways to +save memory. + +ref: https://bugs.debian.org/888791 +Tested-by: Todd Zullinger +Reported-by: brian m. carlson +Signed-off-by: Eric Wong +Signed-off-by: Junio C Hamano +Signed-off-by: Todd Zullinger +--- + git-svn.perl | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/git-svn.perl b/git-svn.perl +index aa242d4f4f..b012980246 100755 +--- a/git-svn.perl ++++ b/git-svn.perl +@@ -1199,6 +1199,11 @@ sub cmd_branch { + $ctx->copy($src, $rev, $dst) + unless $_dry_run; + ++ # Release resources held by ctx before creating another SVN::Ra ++ # so destruction is orderly. This seems necessary with SVN 1.9.5 ++ # to avoid segfaults. ++ $ctx = undef; ++ + $gs->fetch_all; + } + +-- +2.16.1 + diff --git a/git.spec b/git.spec index 491f8fc..d8ecf8d 100644 --- a/git.spec +++ b/git.spec 
@@ -45,7 +45,7 @@ Name: git Version: 2.14.3 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools @@ -80,6 +80,9 @@ Patch1: git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch # https://github.com/git/git/commit/a937b37e76 Patch2: 0001-revision-quit-pruning-diff-more-quickly-when-possibl.patch +# https://github.com/git/git/commit/7f6f75e97a +Patch3: 0001-git-svn-control-destruction-order-to-avoid-segfault.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! 0%{?_without_docs} @@ -351,6 +354,7 @@ rm -rf "$tar" "$gpghome" # Cleanup tar files and tmp gpg home dir %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 # Remove git-archimport from command list sed -i '/^git-archimport/d' command-list.txt @@ -735,6 +739,9 @@ rm -rf %{buildroot} # No files for you! %changelog +* Fri Feb 16 2018 Todd Zullinger - 2.14.3-3 +- git-svn: avoid segfaults in 'git svn branch' + * Tue Nov 07 2017 Todd Zullinger - 2.14.3-2 - Fix git-clone memory exhaustion (CVE-2017-15298) Resolves: #1510455, #1510457 From 5150f8de3aca2d2c86931cb3c04ed3df09443dcd Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Thu, 15 Mar 2018 22:14:47 -0400 Subject: [PATCH 3/6] Install contrib/diff-highlight (#1550251) The script is installed at /usr/share/git-core/contrib/diff-highlight. Documentation is in /usr/share/doc/git/contrib/diff-highlight/README. (cherry picked from commit 440594446eae48ab9e5b0f2b6ec5a950d5dffb11) --- git.spec | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/git.spec b/git.spec index d8ecf8d..92b8bc0 100644 --- a/git.spec +++ b/git.spec @@ -45,7 +45,7 @@ Name: git Version: 2.14.3 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools 
@@ -417,6 +417,8 @@ make -C contrib/credential/libsecret/ %endif make -C contrib/credential/netrc/ +make -C contrib/diff-highlight/ + make -C contrib/subtree/ # Remove shebang from bash-completion script @@ -474,6 +476,11 @@ find %{buildroot} -type f -name perllocal.pod -exec rm -f {} ';' # Clean up contrib/credential to avoid cruft in the git-core-doc docdir rm -rf contrib/credential +# install contrib/diff-highlight and clean up to avoid cruft in git-core-doc +install -Dpm 0755 contrib/diff-highlight/diff-highlight \ + %{buildroot}%{_datadir}/git-core/contrib/diff-highlight +rm -rf contrib/diff-highlight/{Makefile,diff-highlight,*.perl,t} + # Clean up contrib/subtree to avoid cruft in the git-core-doc docdir rm -rf contrib/subtree/{INSTALL,Makefile,git-subtree{,.{1,html,sh,txt,xml}},t} @@ -609,6 +616,7 @@ rm -rf %{buildroot} %{elispdir} %{_emacs_sitestartdir}/git-init.el %endif +%{_datadir}/git-core/contrib/diff-highlight %{_datadir}/git-core/contrib/hooks/update-paranoid %{_datadir}/git-core/contrib/hooks/setgitperms.perl @@ -618,7 +626,8 @@ rm -rf %{buildroot} # be used elsewhere %{!?_licensedir:%global license %doc} %license COPYING -# exlude is best way here because of troubels with symlinks inside git-core/ +# exclude is best way here because of troubles with symlinks inside git-core/ +%exclude %{_datadir}/git-core/contrib/diff-highlight %exclude %{_datadir}/git-core/contrib/hooks/update-paranoid %exclude %{_datadir}/git-core/contrib/hooks/setgitperms.perl %{bashcomproot} @@ -739,6 +748,9 @@ rm -rf %{buildroot} # No files for you! %changelog +* Thu May 24 2018 Todd Zullinger - 2.14.3-4 +- Install contrib/diff-highlight (#1550251) + * Fri Feb 16 2018 Todd Zullinger - 2.14.3-3 - git-svn: avoid segfaults in 'git svn branch' From 90e87ed1e095b8d8cc69eff0e94365ec48d6a8cd Mon Sep 17 00:00:00 2001 
From: Todd Zullinger
Date: Thu, 24 May 2018 14:03:46 -0400
Subject: [PATCH 4/6] Fix segfault in rev-parse with invalid input (#1581678)
---
...lookup-ed-commit-references-for-NULL.patch | 72 +++++++++++++++++++
git.spec | 6 ++
2 files changed, 78 insertions(+)
create mode 100644 0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch
diff --git a/0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch b/0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch
new file mode 100644
index 0000000..0c685e4
--- /dev/null
+++ b/0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch
@@ -0,0 +1,72 @@
+From b03b51f889272622a3859a3765f1e7d1175b2346 Mon Sep 17 00:00:00 2001
+From: Elijah Newren
+Date: Wed, 23 May 2018 23:27:33 -0700
+Subject: [PATCH] rev-parse: check lookup'ed commit references for NULL
+
+Commits 2122f8b963d4 ("rev-parse: Add support for the ^! and ^@ syntax",
+2008-07-26) and 3dd4e7320d ("Teach rev-parse the ... syntax.", 2006-07-04)
+taught rev-parse new syntax, and used lookup_commit_reference() as part of
+their logic. Neither usage checked the returned commit to see if it was
+non-NULL before using it. Check for NULL and ensure an appropriate error
+is reported to the user.
+
+Reported by Florian Weimer and Todd Zullinger.
+
+Helped-by: Jeff King
+Signed-off-by: Elijah Newren
+Signed-off-by: Todd Zullinger
+---
+ builtin/rev-parse.c | 8 ++++++--
+ t/t6101-rev-parse-parents.sh | 8 ++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/builtin/rev-parse.c b/builtin/rev-parse.c
+index 7f965fe74e..fd8e52c7b7 100644
+--- a/builtin/rev-parse.c
++++ b/builtin/rev-parse.c
+@@ -282,6 +282,10 @@ static int try_difference(const char *arg)
+ struct commit *a, *b;
+ a = lookup_commit_reference(&oid);
+ b = lookup_commit_reference(&end);
++ if (!a || !b) {
++ *dotdot = '.';
++ return 0;
++ }
+ exclude = get_merge_bases(a, b);
+ while (exclude) {
+ struct commit *commit = pop_commit(&exclude);
+@@ -328,12 +332,12 @@ static int try_parent_shorthands(const char *arg)
+ return 0;
+
+ *dotdot = 0;
+- if (get_sha1_committish(arg, oid.hash)) {
++ if (get_sha1_committish(arg, oid.hash) ||
++ !(commit = lookup_commit_reference(&oid))) {
+ *dotdot = '^';
+ return 0;
+ }
+
+- commit = lookup_commit_reference(&oid);
+ if (exclude_parent &&
+ exclude_parent > commit_list_count(commit->parents)) {
+ *dotdot = '^';
+diff --git a/t/t6101-rev-parse-parents.sh b/t/t6101-rev-parse-parents.sh
+index 8c617981a3..7683e4a114 100755
+--- a/t/t6101-rev-parse-parents.sh
++++ b/t/t6101-rev-parse-parents.sh
+@@ -214,4 +214,12 @@
test_expect_success 'rev-list merge^-1x (garbage after ^-1)' ' + test_must_fail git rev-list merge^-1x + ' + ++test_expect_success 'rev-parse $garbage^@ does not segfault' ' ++ test_must_fail git rev-parse $EMPTY_TREE^@ ++' ++ ++test_expect_success 'rev-parse $garbage...$garbage does not segfault' ' ++ test_must_fail git rev-parse $EMPTY_TREE...$EMPTY_BLOB ++' ++ + test_done +-- +2.17.0 + diff --git a/git.spec b/git.spec index 92b8bc0..78a8ac5 100644 --- a/git.spec +++ b/git.spec @@ -83,6 +83,10 @@ Patch2: 0001-revision-quit-pruning-diff-more-quickly-when-possibl.patch # https://github.com/git/git/commit/7f6f75e97a Patch3: 0001-git-svn-control-destruction-order-to-avoid-segfault.patch +# https://bugzilla.redhat.com/1581678 +# https://public-inbox.org/git/20180524062733.5412-1-newren@gmail.com/ +Patch4: 0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! 0%{?_without_docs} @@ -355,6 +359,7 @@ rm -rf "$tar" "$gpghome" # Cleanup tar files and tmp gpg home dir %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 # Remove git-archimport from command list sed -i '/^git-archimport/d' command-list.txt @@ -749,6 +754,7 @@ rm -rf %{buildroot} %changelog * Thu May 24 2018 Todd Zullinger - 2.14.3-4 +- Fix segfault in rev-parse with invalid input (#1581678) - Install contrib/diff-highlight (#1550251) * Fri Feb 16 2018 Todd Zullinger - 2.14.3-3 From c96eaff9933575c3e733497600d19908ba849d95 Mon Sep 17 00:00:00 2001 
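Review bot: Neither new NULL branch in builtin/rev-parse.c reports an error itself: the `if (!a || !b)` block in `try_difference()` and the extended condition in `try_parent_shorthands()` both restore the separator character and `return 0`. The "appropriate error" promised in the commit message therefore has to come from the caller's handling of an unrecognised argument, which is outside these hunks. A short comment at each return, for example `/* not a commit: hand arg back to the caller, which reports the bad revision */`, would make that dependency explicit for the next reader. The two added tests only use `test_must_fail`, so they pin the failing exit status but not the message; a `test_i18ngrep` on stderr would also catch a later change that silently swallows the input. Both function bodies start and end outside the hunks shown.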
From: Todd Zullinger Date: Tue, 29 May 2018 13:20:54 -0400 Subject: [PATCH 5/6] Update to 2.14.4 (CVE-2018-11233, CVE-2018-11235) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes two security issues, described in the 2.13.7 release notes¹: * Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting "../" into the name. We now enforce some rules for submodule names which will cause Git to ignore these malicious names (CVE-2018-11235). Credit for finding this vulnerability and the proof of concept from which the test script was adapted goes to Etienne Stalmans. * It was possible to trick the code that sanity-checks paths on NTFS into reading random piece of memory (CVE-2018-11233). ¹ https://mirrors.edge.kernel.org/pub/software/scm/git/docs/RelNotes/2.13.7.txt --- git.spec | 7 +++++-- sources | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/git.spec b/git.spec index 78a8ac5..8d24bfa 100644 --- a/git.spec +++ b/git.spec @@ -44,8 +44,8 @@ %endif Name: git -Version: 2.14.3 -Release: 4%{?dist} +Version: 2.14.4 +Release: 1%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools @@ -753,6 +753,9 @@ rm -rf %{buildroot} # No files for you! %changelog +* Tue May 29 2018 Todd Zullinger - 2.14.4-1 +- Update to 2.14.4 (CVE-2018-11233, CVE-2018-11235) + * Thu May 24 2018 Todd Zullinger - 2.14.3-4 - Fix segfault in rev-parse with invalid input (#1581678) - Install contrib/diff-highlight (#1550251) diff --git a/sources b/sources index 9477487..7a14dcb 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (git-2.14.3.tar.xz) = e32e9ff904cbc2a77d78ca08953e3b69ac527c333a898dd053806e3d7e684ad4ae153ae7663b7ff9c16e2414c3189878a2e6c95fe9320b4af6cb1e7fa5102643
-SHA512 (git-2.14.3.tar.sign) = e0b6ab097cb12202fe033fd898a9063b78ac9f650161e24ef059057b3606100d8a847b2b48c7a07ab79af5d46f2ed0193af3d1f6da723851752ba1383d2c483d
+SHA512 (git-2.14.4.tar.xz) = ddbc55f37d0a6a297426c666375543254dfe5dc2a5bb6c0a89143b70d1f1f811c121a9c16e7245289e71adb4b1d37e0749ef2c8252c5332485bebe85ccd2a266
+SHA512 (git-2.14.4.tar.sign) = 40bfcb2023aa1d85220cf4d76bb93d717ea3c77f9ad90120ae1fea4474f09030dad0816201e9c59b20922fa454bcefc2d6633dcac77e193966227fc801fb3224
From e873f774695bbbcc71bdb0acba9fe338f3d2cdbd Mon Sep 17 00:00:00 2001
From: Todd Zullinger Date: Fri, 5 Oct 2018 15:18:02 -0400 Subject: [PATCH 6/6] Update to 2.14.5 (CVE-2018-17456) From the upstream release announcement: These releases fix a security flaw (CVE-2018-17456), which allowed an attacker to execute arbitrary code by crafting a malicious .gitmodules file in a project cloned with --recurse-submodules. When running "git clone --recurse-submodules", Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a "git clone" subprocess. If the URL field is set to a string that begins with a dash, this "git clone" subprocess interprets the URL as an option. This can lead to executing an arbitrary script shipped in the superproject as the user who ran "git clone". In addition to fixing the security issue for the user running "clone", the 2.17.2, 2.18.1 and 2.19.1 releases have an "fsck" check which can be used to detect such malicious repository content when fetching or accepting a push. See "transfer.fsckObjects" in git-config(1). Credit for finding and fixing this vulnerability goes to joernchen and Jeff King, respectively. References: https://public-inbox.org/git/xmqqy3bcuy3l.fsf@gitster-ct.c.googlers.com/ --- git.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/git.spec b/git.spec index 8d24bfa..2ff3c6c 100644 --- a/git.spec +++ b/git.spec @@ -44,7 +44,7 @@ %endif Name: git -Version: 2.14.4 +Version: 2.14.5 Release: 1%{?dist} Summary: Fast Version Control System License: GPLv2 @@ -753,6 +753,9 @@ rm -rf %{buildroot} # No files for you! %changelog +* Fri Oct 05 2018 Todd Zullinger - 2.14.5-1 +- Update to 2.14.5 (CVE-2018-17456) + * Tue May 29 2018 Todd Zullinger - 2.14.4-1 - Update to 2.14.4 (CVE-2018-11233, CVE-2018-11235) diff --git a/sources b/sources index 7a14dcb..f10aaab 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (git-2.14.4.tar.xz) = ddbc55f37d0a6a297426c666375543254dfe5dc2a5bb6c0a89143b70d1f1f811c121a9c16e7245289e71adb4b1d37e0749ef2c8252c5332485bebe85ccd2a266
-SHA512 (git-2.14.4.tar.sign) = 40bfcb2023aa1d85220cf4d76bb93d717ea3c77f9ad90120ae1fea4474f09030dad0816201e9c59b20922fa454bcefc2d6633dcac77e193966227fc801fb3224
+SHA512 (git-2.14.5.tar.xz) = cd87ed857e0340cb95e7fd8adb19adc1fa51c80134be3b08fc5fb8846f5ef88bacf322d3a576ae35e5df9febfee7d8b337c48a4af7b6c98bcf30c8ce1cfc5308
+SHA512 (git-2.14.5.tar.sign) = 7df316948726f49443c141c8576a2f50f1909cf60d151952d0b1c29ccf1c9490ccdc004aa6c814319712ee7e8b7215846c8fe4a6752bf0a5accf8e8bfd2c5e44