From 89edc4e1e3205285457a97a0bdbcba6a101b24b7 Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Tue, 10 Dec 2019 13:40:55 -0500
Subject: [PATCH 1/3] update to 2.21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Per the upstream release announcement¹, this release fixes "various security flaws, which allowed an attacker to overwrite arbitrary paths, remotely execute code, and/or overwrite files in the .git/ directory etc. See the release notes attached for the list for their descriptions and CVE identifiers."

Refer to the 2.14.6 release notes² for details on these vulnerabilities.

¹ https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/
² https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.14.6.txt
---
git.spec | 6 +++++-
sources | 4 ++--
2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/git.spec b/git.spec
index 2156ad8..1586104 100644
--- a/git.spec
+++ b/git.spec
@@ -87,7 +87,7 @@
 #global rcrev .rc0
 
 Name: git
-Version: 2.21.0
+Version: 2.21.1
 Release: 1%{?rcrev}%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
@@ -955,6 +955,10 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 
 %changelog
+* Tue Dec 10 2019 Todd Zullinger - 2.21.1-1
+- update to 2.21.1 (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351,
+ CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387)
+
 * Sun Feb 24 2019 Todd Zullinger - 2.21.0-1
 - Update to 2.21.0
 - Move gitweb manpages to gitweb package
diff --git a/sources b/sources
index 985255b..1435656 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (git-2.21.0.tar.xz) = 83f57c3950a07f6773a3aea66611d22daba0e5599e5d8f0751a16f6fdbeab0f3844d942a39a5642051212df99d1d4513253c36829b1454b4f0977cc6026fd973
-SHA512 (git-2.21.0.tar.sign) = fbde8164e0c6d5f1447849ab573d5fe6d3585c1c463b75a81ce3f65cba0559cb84a2c63f13663e5c7fe5119e607a304e52cb13183babc40da72421a5c1a5db1b
+SHA512 (git-2.21.1.tar.xz) = c4f1930effe4b7cddbdc3a5ea0f1503683089d5dfdae491dd7f752f35b655b31fbef569a993ef412962cf9c74a225eafe095f792d493f37b20789e5c643261a1
+SHA512 (git-2.21.1.tar.sign) = c27dc5a4de9ee136cd5a97d7fca7349de7c94c18e809925584c6bf0df9e71325c4d6706f20cae9101d1a8eb437f45cf9d1b4c00689c116a9fba1e36e870ed345

From 3ce6d1e52047497d53cdf303a96342b136249228 Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Tue, 14 Apr 2020 17:53:38 -0400
Subject: [PATCH 2/3] update to 2.21.2 (CVE-2020-5260)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From the upstream release notes¹:

With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol.

¹ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.4.txt
---
git.spec | 5 ++++-
sources | 4 ++--
2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/git.spec b/git.spec
index 1586104..8db760d 100644
--- a/git.spec
+++ b/git.spec
@@ -87,7 +87,7 @@
 #global rcrev .rc0
 
 Name: git
-Version: 2.21.1
+Version: 2.21.2
 Release: 1%{?rcrev}%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
@@ -955,6 +955,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 
 %changelog
+* Tue Apr 14 2020 Todd Zullinger - 2.21.2-1
+- update to 2.21.2 (CVE-2020-5260)
+
 * Tue Dec 10 2019 Todd Zullinger - 2.21.1-1
 - update to 2.21.1 (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351,
 CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387)
diff --git a/sources b/sources
index 1435656..5fb8489 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (git-2.21.1.tar.xz) = c4f1930effe4b7cddbdc3a5ea0f1503683089d5dfdae491dd7f752f35b655b31fbef569a993ef412962cf9c74a225eafe095f792d493f37b20789e5c643261a1
-SHA512 (git-2.21.1.tar.sign) = c27dc5a4de9ee136cd5a97d7fca7349de7c94c18e809925584c6bf0df9e71325c4d6706f20cae9101d1a8eb437f45cf9d1b4c00689c116a9fba1e36e870ed345
+SHA512 (git-2.21.2.tar.xz) = 8c7cff8c0b5893f73a915a6dd54aae830c40bc26ba0f726e3c87d913fd333a4bfbfbb5a963e000821c2150d1032fe85b2828b6e644d25cb59c9cbfa4903a2992
+SHA512 (git-2.21.2.tar.sign) = bbf2557f30b4be3f9ed1948fc46e17e99518a77890a09fdafbf5d6db1b09fd841baa40336ca0ea1ce0aa9a04c63be781c0add22eb3b35fbaaef31092e43406b0

From 376a76c4a7fb07a9b311670ad250d9b7585aba58 Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Mon, 20 Apr 2020 15:07:46 -0400
Subject: [PATCH 3/3] update to 2.21.3 (CVE-2020-11008)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From the upstream release notes¹:

With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter). The attack has been made impossible by refusing to work with under-specified credential patterns.

¹ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.5.txt
---
git.spec | 5 ++++-
sources | 4 ++--
2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/git.spec b/git.spec
index 8db760d..fec775a 100644
--- a/git.spec
+++ b/git.spec
@@ -87,7 +87,7 @@
 #global rcrev .rc0
 
 Name: git
-Version: 2.21.2
+Version: 2.21.3
 Release: 1%{?rcrev}%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
@@ -955,6 +955,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 
 %changelog
+* Mon Apr 20 2020 Todd Zullinger - 2.21.3-1
+- update to 2.21.3 (CVE-2020-11008)
+
 * Tue Apr 14 2020 Todd Zullinger - 2.21.2-1
 - update to 2.21.2 (CVE-2020-5260)
 
diff --git a/sources b/sources
index 5fb8489..00df916 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (git-2.21.2.tar.xz) = 8c7cff8c0b5893f73a915a6dd54aae830c40bc26ba0f726e3c87d913fd333a4bfbfbb5a963e000821c2150d1032fe85b2828b6e644d25cb59c9cbfa4903a2992
-SHA512 (git-2.21.2.tar.sign) = bbf2557f30b4be3f9ed1948fc46e17e99518a77890a09fdafbf5d6db1b09fd841baa40336ca0ea1ce0aa9a04c63be781c0add22eb3b35fbaaef31092e43406b0
+SHA512 (git-2.21.3.tar.xz) = d87f8058519ab447d7833735635c8b176c74d3d2ae97ebeecaccdb7bd4056b9be37d2d770c6176cfafdd71e0d6b601515f1d4070e0c75b2fa664be9eb8525373
+SHA512 (git-2.21.3.tar.sign) = 6072eded2637edfa8bf7724ce05abef74832fb775e35101405e334a720ff5cb2b9be6bfd609fd14cea5903d10bbb336165eb06027db463da3795b22da63c0d24