Update to 2.4.11 (CVE-2016-2315 CVE-2016-2324)

Resolves: #1269797

0001-transport-add-a-protocol-whitelist-environment-varia.patch

@@ -0,0 +1,207 @@
+From 0730270cd672467c12a3f3bf36336d169700269a Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Wed, 28 Oct 2015 17:22:13 +0100
+Subject: [PATCH 1/5] transport: add a protocol-whitelist environment variable
+
+If we are cloning an untrusted remote repository into a
+sandbox, we may also want to fetch remote submodules in
+order to get the complete view as intended by the other
+side. However, that opens us up to attacks where a malicious
+user gets us to clone something they would not otherwise
+have access to (this is not necessarily a problem by itself,
+but we may then act on the cloned contents in a way that
+exposes them to the attacker).
+
+Ideally such a setup would sandbox git entirely away from
+high-value items, but this is not always practical or easy
+to set up (e.g., OS network controls may block multiple
+protocols, and we would want to enable some but not others).
+
+We can help this case by providing a way to restrict
+particular protocols. We use a whitelist in the environment.
+This is more annoying to set up than a blacklist, but
+defaults to safety if the set of protocols git supports
+grows). If no whitelist is specified, we continue to default
+to allowing all protocols (this is an "unsafe" default, but
+since the minority of users will want this sandboxing
+effect, it is the only sensible one).
+
+A note on the tests: ideally these would all be in a single
+test file, but the git-daemon and httpd test infrastructure
+is an all-or-nothing proposition rather than a test-by-test
+prerequisite. By putting them all together, we would be
+unable to test the file-local code on machines without
+apache.
+---
+ Documentation/git.txt | 31 +++++++++++++++++++++++++++++++
+ connect.c             |  5 +++++
+ transport-helper.c    |  2 ++
+ transport.c           | 21 ++++++++++++++++++++-
+ transport.h           |  7 +++++++
+ 5 files changed, 65 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/git.txt b/Documentation/git.txt
+index f4cb5cb..71ba92b 100644
+--- a/Documentation/git.txt
++++ b/Documentation/git.txt
+@@ -1069,6 +1069,37 @@ GIT_ICASE_PATHSPECS::
+ 	an operation has touched every ref (e.g., because you are
+ 	cloning a repository to make a backup).
+ 
++`GIT_ALLOW_PROTOCOL`::
++	If set, provide a colon-separated list of protocols which are
++	allowed to be used with fetch/push/clone. This is useful to
++	restrict recursive submodule initialization from an untrusted
++	repository. Any protocol not mentioned will be disallowed (i.e.,
++	this is a whitelist, not a blacklist). If the variable is not
++	set at all, all protocols are enabled.  The protocol names
++	currently used by git are:
++
++	  - `file`: any local file-based path (including `file://` URLs,
++	    or local paths)
++
++	  - `git`: the anonymous git protocol over a direct TCP
++	    connection (or proxy, if configured)
++
++	  - `ssh`: git over ssh (including `host:path` syntax,
++	    `git+ssh://`, etc).
++
++	  - `rsync`: git over rsync
++
++	  - `http`: git over http, both "smart http" and "dumb http".
++	    Note that this does _not_ include `https`; if you want both,
++	    you should specify both as `http:https`.
++
++	  - any external helpers are named by their protocol (e.g., use
++	    `hg` to allow the `git-remote-hg` helper)
+++
++Note that this controls only git's internal protocol selection.
++If libcurl is used (e.g., by the `http` transport), it may
++redirect to other protocols. There is not currently any way to
++restrict this.
+ 
+ Discussion[[Discussion]]
+ ------------------------
+diff --git a/connect.c b/connect.c
+index c0144d8..27a706f 100644
+--- a/connect.c
++++ b/connect.c
+@@ -9,6 +9,7 @@
+ #include "url.h"
+ #include "string-list.h"
+ #include "sha1-array.h"
++#include "transport.h"
+ 
+ static char *server_capabilities;
+ static const char *parse_feature_value(const char *, const char *, int *);
+@@ -694,6 +695,8 @@ struct child_process *git_connect(int fd[2], const char *url,
+ 		else
+ 			target_host = xstrdup(hostandport);
+ 
++		transport_check_allowed("git");
++
+ 		/* These underlying connection commands die() if they
+ 		 * cannot connect.
+ 		 */
+@@ -727,6 +730,7 @@ struct child_process *git_connect(int fd[2], const char *url,
+ 			int putty, tortoiseplink = 0;
+ 			char *ssh_host = hostandport;
+ 			const char *port = NULL;
++			transport_check_allowed("ssh");
+ 			get_host_and_port(&ssh_host, &port);
+ 
+ 			if (!port)
+@@ -781,6 +785,7 @@ struct child_process *git_connect(int fd[2], const char *url,
+ 			/* remove repo-local variables from the environment */
+ 			conn->env = local_repo_env;
+ 			conn->use_shell = 1;
++			transport_check_allowed("file");
+ 		}
+ 		argv_array_push(&conn->args, cmd.buf);
+ 
+diff --git a/transport-helper.c b/transport-helper.c
+index 5d99a6b..b486441 100644
+--- a/transport-helper.c
++++ b/transport-helper.c
+@@ -1039,6 +1039,8 @@ int transport_helper_init(struct transport *transport, const char *name)
+ 	struct helper_data *data = xcalloc(1, sizeof(*data));
+ 	data->name = name;
+ 
++	transport_check_allowed(name);
++
+ 	if (getenv("GIT_TRANSPORT_HELPER_DEBUG"))
+ 		debug = 1;
+ 
+diff --git a/transport.c b/transport.c
+index 40692f8..ad1ae7f 100644
+--- a/transport.c
++++ b/transport.c
+@@ -912,6 +912,20 @@ static int external_specification_len(const char *url)
+ 	return strchr(url, ':') - url;
+ }
+ 
++void transport_check_allowed(const char *type)
++{
++	struct string_list allowed = STRING_LIST_INIT_DUP;
++	const char *v = getenv("GIT_ALLOW_PROTOCOL");
++
++	if (!v)
++		return;
++
++	string_list_split(&allowed, v, ':', -1);
++	if (!unsorted_string_list_has_string(&allowed, type))
++		die("transport '%s' not allowed", type);
++	string_list_clear(&allowed, 0);
++}
++
+ struct transport *transport_get(struct remote *remote, const char *url)
+ {
+ 	const char *helper;
+@@ -943,12 +957,14 @@ struct transport *transport_get(struct remote *remote, const char *url)
+ 	if (helper) {
+ 		transport_helper_init(ret, helper);
+ 	} else if (starts_with(url, "rsync:")) {
++		transport_check_allowed("rsync");
+ 		ret->get_refs_list = get_refs_via_rsync;
+ 		ret->fetch = fetch_objs_via_rsync;
+ 		ret->push = rsync_transport_push;
+ 		ret->smart_options = NULL;
+ 	} else if (url_is_local_not_ssh(url) && is_file(url) && is_bundle(url, 1)) {
+ 		struct bundle_transport_data *data = xcalloc(1, sizeof(*data));
++		transport_check_allowed("file");
+ 		ret->data = data;
+ 		ret->get_refs_list = get_refs_from_bundle;
+ 		ret->fetch = fetch_refs_from_bundle;
+@@ -960,7 +976,10 @@ struct transport *transport_get(struct remote *remote, const char *url)
+ 		|| starts_with(url, "ssh://")
+ 		|| starts_with(url, "git+ssh://")
+ 		|| starts_with(url, "ssh+git://")) {
+-		/* These are builtin smart transports. */
++		/*
++		 * These are builtin smart transports; "allowed" transports
++		 * will be checked individually in git_connect.
++		 */
+ 		struct git_transport_data *data = xcalloc(1, sizeof(*data));
+ 		ret->data = data;
+ 		ret->set_option = NULL;
+diff --git a/transport.h b/transport.h
+index 18d2cf8..742027f 100644
+--- a/transport.h
++++ b/transport.h
+@@ -133,6 +133,13 @@ struct transport {
+ /* Returns a transport suitable for the url */
+ struct transport *transport_get(struct remote *, const char *);
+ 
++/*
++ * Check whether a transport is allowed by the environment,
++ * and die otherwise. type should generally be the URL scheme,
++ * as described in Documentation/git.txt
++ */
++void transport_check_allowed(const char *type);
++
+ /* Transport options which apply to git:// and scp-style URLs */
+ 
+ /* The program to use on the remote side to send a pack */
+-- 
+2.1.0
+

0002-submodule-allow-only-certain-protocols-for-submodule.patch

@@ -0,0 +1,108 @@
+From 772390a8977b0c667aefe0ba4989d4f36f3d1832 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Wed, 16 Sep 2015 13:13:12 -0400
+Subject: [PATCH 2/5] submodule: allow only certain protocols for submodule
+ fetches
+
+Some protocols (like git-remote-ext) can execute arbitrary
+code found in the URL. The URLs that submodules use may come
+from arbitrary sources (e.g., .gitmodules files in a remote
+repository). Let's restrict submodules to fetching from a
+known-good subset of protocols.
+
+Note that we apply this restriction to all submodule
+commands, whether the URL comes from .gitmodules or not.
+This is more restrictive than we need to be; for example, in
+the tests we run:
+
+  git submodule add ext::...
+
+which should be trusted, as the URL comes directly from the
+command line provided by the user. But doing it this way is
+simpler, and makes it much less likely that we would miss a
+case. And since such protocols should be an exception
+(especially because nobody who clones from them will be able
+to update the submodules!), it's not likely to inconvenience
+anyone in practice.
+
+Reported-by: Blake Burkhart <bburky@bburky.com>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ git-submodule.sh            |  9 +++++++++
+ t/t5815-submodule-protos.sh | 43 +++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+)
+ create mode 100755 t/t5815-submodule-protos.sh
+
+diff --git a/git-submodule.sh b/git-submodule.sh
+index 36797c3..78c2740 100755
+--- a/git-submodule.sh
++++ b/git-submodule.sh
+@@ -22,6 +22,15 @@ require_work_tree
+ wt_prefix=$(git rev-parse --show-prefix)
+ cd_to_toplevel
+ 
++# Restrict ourselves to a vanilla subset of protocols; the URLs
++# we get are under control of a remote repository, and we do not
++# want them kicking off arbitrary git-remote-* programs.
++#
++# If the user has already specified a set of allowed protocols,
++# we assume they know what they're doing and use that instead.
++: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh}
++export GIT_ALLOW_PROTOCOL
++
+ command=
+ branch=
+ force=
+diff --git a/t/t5815-submodule-protos.sh b/t/t5815-submodule-protos.sh
+new file mode 100755
+index 0000000..06f55a1
+--- /dev/null
++++ b/t/t5815-submodule-protos.sh
+@@ -0,0 +1,43 @@
++#!/bin/sh
++
++test_description='test protocol whitelisting with submodules'
++. ./test-lib.sh
++. "$TEST_DIRECTORY"/lib-proto-disable.sh
++
++setup_ext_wrapper
++setup_ssh_wrapper
++
++test_expect_success 'setup repository with submodules' '
++	mkdir remote &&
++	git init remote/repo.git &&
++	(cd remote/repo.git && test_commit one) &&
++	# submodule-add should probably trust what we feed it on the cmdline,
++	# but its implementation is overly conservative.
++	GIT_ALLOW_PROTOCOL=ssh git submodule add remote:repo.git ssh-module &&
++	GIT_ALLOW_PROTOCOL=ext git submodule add "ext::fake-remote %S repo.git" ext-module &&
++	git commit -m "add submodules"
++'
++
++test_expect_success 'clone with recurse-submodules fails' '
++	test_must_fail git clone --recurse-submodules . dst
++'
++
++test_expect_success 'setup individual updates' '
++	rm -rf dst &&
++	git clone . dst &&
++	git -C dst submodule init
++'
++
++test_expect_success 'update of ssh allowed' '
++	git -C dst submodule update ssh-module
++'
++
++test_expect_success 'update of ext not allowed' '
++	test_must_fail git -C dst submodule update ext-module
++'
++
++test_expect_success 'user can override whitelist' '
++	GIT_ALLOW_PROTOCOL=ext git -C dst submodule update ext-module
++'
++
++test_done
+-- 
+2.1.0
+

0003-transport-refactor-protocol-whitelist-code.patch

@@ -0,0 +1,107 @@
+From 92773f7741ead61f9bdbdaf28272cca405da4fd7 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Tue, 22 Sep 2015 18:03:49 -0400
+Subject: [PATCH 3/5] transport: refactor protocol whitelist code
+
+The current callers only want to die when their transport is
+prohibited. But future callers want to query the mechanism
+without dying.
+
+Let's break out a few query functions, and also save the
+results in a static list so we don't have to re-parse for
+each query.
+
+Based-on-a-patch-by: Blake Burkhart <bburky@bburky.com>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ transport.c | 38 ++++++++++++++++++++++++++++++--------
+ transport.h | 15 +++++++++++++--
+ 2 files changed, 43 insertions(+), 10 deletions(-)
+
+diff --git a/transport.c b/transport.c
+index ad1ae7f..164a716 100644
+--- a/transport.c
++++ b/transport.c
+@@ -912,18 +912,40 @@ static int external_specification_len(const char *url)
+ 	return strchr(url, ':') - url;
+ }
+ 
+-void transport_check_allowed(const char *type)
++static const struct string_list *protocol_whitelist(void)
+ {
+-	struct string_list allowed = STRING_LIST_INIT_DUP;
+-	const char *v = getenv("GIT_ALLOW_PROTOCOL");
++	static int enabled = -1;
++	static struct string_list allowed = STRING_LIST_INIT_DUP;
++
++	if (enabled < 0) {
++		const char *v = getenv("GIT_ALLOW_PROTOCOL");
++		if (v) {
++			string_list_split(&allowed, v, ':', -1);
++			string_list_sort(&allowed);
++			enabled = 1;
++		} else {
++			enabled = 0;
++		}
++	}
+ 
+-	if (!v)
+-		return;
++	return enabled ? &allowed : NULL;
++}
++
++int is_transport_allowed(const char *type)
++{
++	const struct string_list *allowed = protocol_whitelist();
++	return !allowed || string_list_has_string(allowed, type);
++}
+ 
+-	string_list_split(&allowed, v, ':', -1);
+-	if (!unsorted_string_list_has_string(&allowed, type))
++void transport_check_allowed(const char *type)
++{
++	if (!is_transport_allowed(type))
+ 		die("transport '%s' not allowed", type);
+-	string_list_clear(&allowed, 0);
++}
++
++int transport_restrict_protocols(void)
++{
++	return !!protocol_whitelist();
+ }
+ 
+ struct transport *transport_get(struct remote *remote, const char *url)
+diff --git a/transport.h b/transport.h
+index 742027f..9770777 100644
+--- a/transport.h
++++ b/transport.h
+@@ -134,12 +134,23 @@ struct transport {
+ struct transport *transport_get(struct remote *, const char *);
+ 
+ /*
++ * Check whether a transport is allowed by the environment. Type should
++ * generally be the URL scheme, as described in Documentation/git.txt
++ */
++int is_transport_allowed(const char *type);
++
++/*
+  * Check whether a transport is allowed by the environment,
+- * and die otherwise. type should generally be the URL scheme,
+- * as described in Documentation/git.txt
++ * and die otherwise.
+  */
+ void transport_check_allowed(const char *type);
+ 
++/*
++ * Returns true if the user has attempted to turn on protocol
++ * restrictions at all.
++ */
++int transport_restrict_protocols(void);
++
+ /* Transport options which apply to git:// and scp-style URLs */
+ 
+ /* The program to use on the remote side to send a pack */
+-- 
+2.1.0
+

0004-http-limit-redirection-to-protocol-whitelist.patch

@@ -0,0 +1,106 @@
+From b82f2606edf3640e40ca4d4e0091fd15104c765c Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Wed, 28 Oct 2015 17:27:58 +0100
+Subject: [PATCH 4/5] http: limit redirection to protocol-whitelist
+
+Previously, libcurl would follow redirection to any protocol
+it was compiled for support with. This is desirable to allow
+redirection from HTTP to HTTPS. However, it would even
+successfully allow redirection from HTTP to SFTP, a protocol
+that git does not otherwise support at all. Furthermore
+git's new protocol-whitelisting could be bypassed by
+following a redirect within the remote helper, as it was
+only enforced at transport selection time.
+
+This patch limits redirects within libcurl to HTTP, HTTPS,
+FTP and FTPS. If there is a protocol-whitelist present, this
+list is limited to those also allowed by the whitelist. As
+redirection happens from within libcurl, it is impossible
+for an HTTP redirect to a protocol implemented within
+another remote helper.
+
+When the curl version git was compiled with is too old to
+support restrictions on protocol redirection, we warn the
+user if GIT_ALLOW_PROTOCOL restrictions were requested. This
+is a little inaccurate, as even without that variable in the
+environment, we would still restrict SFTP, etc, and we do
+not warn in that case. But anything else means we would
+literally warn every time git accesses an http remote.
+
+This commit includes a test, but it is not as robust as we
+would hope. It redirects an http request to ftp, and checks
+that curl complained about the protocol, which means that we
+are relying on curl's specific error message to know what
+happened. Ideally we would redirect to a working ftp server
+and confirm that we can clone without protocol restrictions,
+and not with them. But we do not have a portable way of
+providing an ftp server, nor any other protocol that curl
+supports (https is the closest, but we would have to deal
+with certificates).
+---
+ Documentation/git.txt |  6 +-----
+ http.c                | 17 +++++++++++++++++
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/Documentation/git.txt b/Documentation/git.txt
+index 71ba92b..d65e6bf 100644
+--- a/Documentation/git.txt
++++ b/Documentation/git.txt
+@@ -1095,11 +1095,7 @@ GIT_ICASE_PATHSPECS::
+ 
+ 	  - any external helpers are named by their protocol (e.g., use
+ 	    `hg` to allow the `git-remote-hg` helper)
+-+
+-Note that this controls only git's internal protocol selection.
+-If libcurl is used (e.g., by the `http` transport), it may
+-redirect to other protocols. There is not currently any way to
+-restrict this.
++
+ 
+ Discussion[[Discussion]]
+ ------------------------
+diff --git a/http.c b/http.c
+index e9c6fdd..8a71f9e 100644
+--- a/http.c
++++ b/http.c
+@@ -9,6 +9,7 @@
+ #include "version.h"
+ #include "pkt-line.h"
+ #include "gettext.h"
++#include "transport.h"
+ 
+ int active_requests;
+ int http_is_verbose;
+@@ -340,6 +341,7 @@ static void set_curl_keepalive(CURL *c)
+ static CURL *get_curl_handle(void)
+ {
+ 	CURL *result = curl_easy_init();
++	long allowed_protocols = 0;
+ 
+ 	if (!result)
+ 		die("curl_easy_init failed");
+@@ -399,6 +401,21 @@ static CURL *get_curl_handle(void)
+ #elif LIBCURL_VERSION_NUM >= 0x071101
+ 	curl_easy_setopt(result, CURLOPT_POST301, 1);
+ #endif
++#if LIBCURL_VERSION_NUM >= 0x071304
++	if (is_transport_allowed("http"))
++		allowed_protocols |= CURLPROTO_HTTP;
++	if (is_transport_allowed("https"))
++		allowed_protocols |= CURLPROTO_HTTPS;
++	if (is_transport_allowed("ftp"))
++		allowed_protocols |= CURLPROTO_FTP;
++	if (is_transport_allowed("ftps"))
++		allowed_protocols |= CURLPROTO_FTPS;
++	curl_easy_setopt(result, CURLOPT_REDIR_PROTOCOLS, allowed_protocols);
++#else
++	if (transport_restrict_protocols())
++		warning("protocol restrictions not applied to curl redirects because\n"
++			"your curl version is too old (>= 7.19.4)");
++#endif
+ 
+ 	if (getenv("GIT_CURL_VERBOSE"))
+ 		curl_easy_setopt(result, CURLOPT_VERBOSE, 1);
+-- 
+2.1.0
+

0005-http-limit-redirection-depth.patch

@@ -0,0 +1,31 @@
+From 653f7dc379a20d79728e6e77a07a718d9475e4c0 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Wed, 28 Oct 2015 17:30:24 +0100
+Subject: [PATCH 5/5] http: limit redirection depth
+
+By default, libcurl will follow circular http redirects
+forever. Let's put a cap on this so that somebody who can
+trigger an automated fetch of an arbitrary repository (e.g.,
+for CI) cannot convince git to loop infinitely.
+
+The value chosen is 20, which is the same default that
+Firefox uses.
+---
+ http.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/http.c b/http.c
+index 8a71f9e..45348fb 100644
+--- a/http.c
++++ b/http.c
+@@ -396,6 +396,7 @@ static CURL *get_curl_handle(void)
+ 	}
+ 
+ 	curl_easy_setopt(result, CURLOPT_FOLLOWLOCATION, 1);
++	curl_easy_setopt(result, CURLOPT_MAXREDIRS, 20);
+ #if LIBCURL_VERSION_NUM >= 0x071301
+ 	curl_easy_setopt(result, CURLOPT_POSTREDIR, CURL_REDIR_POST_ALL);
+ #elif LIBCURL_VERSION_NUM >= 0x071101
+-- 
+2.1.0
+

git-2.4.3-stash-revert.patch

@@ -0,0 +1,74 @@
+commit 19376104a8251a7e6c56579cdcd2eb0a106d1fd6
+Author: Jeff King <peff@peff.net>
+Date:   Mon Jun 15 14:27:22 2015 -0400
+
+    Revert "stash: require a clean index to apply"
+    
+    This reverts commit ed178ef13a26136d86ff4e33bb7b1afb5033f908.
+    
+    That commit was an attempt to improve the safety of applying
+    a stash, because the application process may create
+    conflicted index entries, after which it is hard to restore
+    the original index state.
+    
+    Unfortunately, this hurts some common workflows around "git
+    stash -k", like:
+    
+        git add -p       ;# (1) stage set of proposed changes
+        git stash -k     ;# (2) get rid of everything else
+        make test        ;# (3) make sure proposal is reasonable
+        git stash apply  ;# (4) restore original working tree
+    
+    If you "git commit" between steps (3) and (4), then this
+    just works. However, if these steps are part of a pre-commit
+    hook, you don't have that opportunity (you have to restore
+    the original state regardless of whether the tests passed or
+    failed).
+    
+    It's possible that we could provide better tools for this
+    sort of workflow. In particular, even before ed178ef, it
+    could fail with a conflict if there were conflicting hunks
+    in the working tree and index (since the "stash -k" puts the
+    index version into the working tree, and we then attempt to
+    apply the differences between HEAD and the old working tree
+    on top of that). But the fact remains that people have been
+    using it happily for a while, and the safety provided by
+    ed178ef is simply not that great. Let's revert it for now.
+    In the long run, people can work on improving stash for this
+    sort of workflow, but the safety tradeoff is not worth it in
+    the meantime.
+    
+    Signed-off-by: Jeff King <peff@peff.net>
+    Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+diff --git a/git-stash.sh b/git-stash.sh
+index cc28368..d4cf818 100755
+--- a/git-stash.sh
++++ b/git-stash.sh
+@@ -442,8 +442,6 @@ apply_stash () {
+ 	assert_stash_like "$@"
+ 
+ 	git update-index -q --refresh || die "$(gettext "unable to refresh index")"
+-	git diff-index --cached --quiet --ignore-submodules HEAD -- ||
+-		die "$(gettext "Cannot apply stash: Your index contains uncommitted changes.")"
+ 
+ 	# current index state
+ 	c_tree=$(git write-tree) ||
+diff --git a/t/t3903-stash.sh b/t/t3903-stash.sh
+index 0746eee..f179c93 100755
+--- a/t/t3903-stash.sh
++++ b/t/t3903-stash.sh
+@@ -45,13 +45,6 @@ test_expect_success 'applying bogus stash does nothing' '
+ 	test_cmp expect file
+ '
+ 
+-test_expect_success 'apply requires a clean index' '
+-	test_when_finished "git reset --hard" &&
+-	echo changed >other-file &&
+-	git add other-file &&
+-	test_must_fail git stash apply
+-'
+-
+ test_expect_success 'apply does not need clean working directory' '
+ 	echo 4 >other-file &&
+ 	git stash apply &&

git-infinite-loop.patch

@@ -0,0 +1,39 @@
+diff --git a/refs.c b/refs.c
+index 67d6745..ddb9a77 100644
+--- a/refs.c
++++ b/refs.c
+@@ -1422,6 +1422,7 @@ static struct ref_dir *get_loose_refs(struct ref_cache *refs)
+ /* We allow "recursive" symbolic refs. Only within reason, though */
+ #define MAXDEPTH 5
+ #define MAXREFLEN (1024)
++#define MAXRETRIES 5
+ 
+ /*
+  * Called by resolve_gitlink_ref_recursive() after it failed to read
+@@ -1576,6 +1577,7 @@ const char *resolve_ref_unsafe(const char *refname, int resolve_flags, unsigned
+ 		struct stat st;
+ 		char *buf;
+ 		int fd;
++		int retries = 0;
+ 
+ 		if (--depth < 0) {
+ 			errno = ELOOP;
+@@ -1612,7 +1614,8 @@ const char *resolve_ref_unsafe(const char *refname, int resolve_flags, unsigned
+ 		if (S_ISLNK(st.st_mode)) {
+ 			len = readlink(path, buffer, sizeof(buffer)-1);
+ 			if (len < 0) {
+-				if (errno == ENOENT || errno == EINVAL)
++				if ((errno == ENOENT || errno == EINVAL) &&
++					retries++ < MAXRETRIES)
+ 					/* inconsistent with lstat; retry */
+ 					goto stat_ref;
+ 				else
+@@ -1645,7 +1648,7 @@ const char *resolve_ref_unsafe(const char *refname, int resolve_flags, unsigned
+ 		 */
+ 		fd = open(path, O_RDONLY);
+ 		if (fd < 0) {
+-			if (errno == ENOENT)
++			if (errno == ENOENT && retries++ < MAXRETRIES)
+ 				/* inconsistent with lstat; retry */
+ 				goto stat_ref;
+ 			else

git.spec

@@ -43,7 +43,7 @@
 %endif
 
 Name:           git
-Version:        2.4.3
+Version:        2.4.11
 Release:        1%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
@@ -64,6 +64,7 @@ Patch0:         git-1.8-gitweb-home-link.patch
 Patch1:         git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch
 # https://bugzilla.redhat.com/600411
 Patch3:         git-1.7-el5-emacs-support.patch
+Patch4:         git-infinite-loop.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -88,17 +89,18 @@ BuildRequires:  pkgconfig(bash-completion)
 BuildRequires:  systemd
 %endif
 
-Requires:       git-core = %{version}-%{release}
 Requires:       perl(Error)
 %if ! %{defined perl_bootstrap}
 Requires:       perl(Term::ReadKey)
 %endif
 Requires:       perl-Git = %{version}-%{release}
+Requires:       less
+Requires:       openssh-clients
+Requires:       rsync
+Requires:       zlib >= 1.2
 
-#Provides:       git-core = %{version}-%{release}
-#%if 0%{?rhel} && 0%{?rhel} <= 5
-#Obsoletes:      git-core <= 1.5.4.3
-#%endif
+Provides:       git-core = %{version}-%{release}
+Obsoletes:      git-core <= 2.4.3
 
 # Obsolete git-arch
 Obsoletes:      git-arch < %{version}-%{release}
@@ -108,9 +110,9 @@ Git is a fast, scalable, distributed revision control system with an
 unusually rich command set that provides both high-level operations
 and full access to internals.
 
-The git rpm installs common set of tools which are usually using with
-small amount of dependencies. To install all git packages, including
-tools for integrating with other SCMs, install the git-all meta-package.
+The git rpm installs the core tools with minimal dependencies.  To
+install all git packages, including tools for integrating with other
+SCMs, install the git-all meta-package.
 
 %package all
 Summary:        Meta-package to pull in all git tools
@@ -139,23 +141,6 @@ and full access to internals.
 
 This is a dummy package which brings in all subpackages.
 
-%package core
-Summary:        Core package of git with minimal funcionality
-Group:          Development/Tools
-Requires:       less
-Requires:       openssh-clients
-Requires:       rsync
-Requires:       zlib >= 1.2
-%description core
-Git is a fast, scalable, distributed revision control system with an
-unusually rich command set that provides both high-level operations
-and full access to internals.
-
-The git-core rpm installs really the core tools with minimal
-dependencies. Install git package for common set of tools.
-To install all git packages, including tools for integrating with
-other SCMs, install the git-all meta-package.
-
 %package daemon
 Summary:        Git protocol dæmon
 Group:          Development/Tools
@@ -197,6 +182,7 @@ Requires:       git = %{version}-%{release}
 Summary:        Git tools for importing Subversion repositories
 Group:          Development/Tools
 Requires:       git = %{version}-%{release}, subversion
+Requires:       perl-Digest-MD5
 %if ! %{defined perl_bootstrap}
 Requires:       perl(Term::ReadKey)
 %endif
@@ -306,6 +292,7 @@ Requires:       emacs-git = %{version}-%{release}
 %if %{emacs_old}
 %patch3 -p1
 %endif
+%patch4 -p1
 
 %if %{use_prebuilt_docs}
 mkdir -p prebuilt_docs/{html,man}
@@ -505,11 +492,6 @@ rm -f {Documentation/technical,contrib/emacs,contrib/credential/gnome-keyring}/.
 chmod a-x Documentation/technical/api-index.sh
 find contrib -type f | xargs chmod -x
 
-# Split core files
-not_core_re="git-(add--interactive|am|difftool|instaweb|relink|request-pull|send-mail|submodule)|gitweb|prepare-commit-msg|pre-rebase"
-grep -vE "$not_core_re" bin-man-doc-files > bin-man-doc-files-core
-sed -ir "/$not_core_re/ d" bin-man-doc-files
-
 
 %clean
 rm -rf %{buildroot}
@@ -527,13 +509,6 @@ rm -rf %{buildroot}
 
 %files -f bin-man-doc-files
 %defattr(-,root,root)
-%{_datadir}/git-core/*
-%doc Documentation/*.txt
-%{!?_without_docs: %doc Documentation/*.html}
-#%{!?_without_docs: %doc Documentation/howto/* Documentation/technical/*}
-
-%files core -f bin-man-doc-files-core
-%defattr(-,root,root)
 %{_datadir}/git-core/
 %doc README COPYING Documentation/*.txt Documentation/RelNotes contrib/
 %{!?_without_docs: %doc Documentation/*.html Documentation/docbook-xsl.css}
@@ -636,13 +611,42 @@ rm -rf %{buildroot}
 # No files for you!
 
 %changelog
+* Fri Mar 18 2016 David Woodhouse <dwmw2@infradead.org> - 2.4.11-1
+- Update to 2.4.11 (for CVE-2016-2315, CVE-2016-2324)
+  Resolves: #1318220
+
+* Wed Oct 28 2015 Petr Stodulka <pstodulk@redhat.com> - 2.4.3-7
+- fix arbitrary code execution via crafted URLs
+  Resolves: #1269797
+
+* Mon Jun 22 2015  Petr Stodulka <pstodulk@redhat.com> - 2.4.3-6
+- fix #1242034 - "git stash save -k" followed by "git stash apply" fails
+  used upstream solution from git-2.4.6 (revert relevant commit)
+
+* Mon Jun 22 2015  Petr Stodulka <pstodulk@redhat.com> - 2.4.3-5
+- apply git-infinite-loop.patch
+
+* Mon Jun 22 2015  Petr Stodulka <pstodulk@redhat.com> - 2.4.3-4
+- git-svn - added requires for perl-Digest-MD5 (#1218176)
+- solve troubles with infinite loop due to broken symlink (probably
+  shouldn't be problem here, but it's reproducible manually)
+  (#1204193)
+
+* Mon Jun 15 2015 Petr Stodulka <pstodulk@redhat.com> - 2.4.3-3
+- fix git-core obsoletes
+
+* Mon Jun 15 2015 Petr Stodulka <pstodulk@redhat.com> - 2.4.3-2
+- remove subpackage git-core which was accidentally brought
+  to f22 branch - may fast-forward - which is planned
+  for Fedora 23+ (#1231736)
+
 * Sat Jun 06 2015 Jon Ciesla <limburgher@gmail.com> - 2.4.3-1
 - Update to 2.4.3.
 
 * Fri Jun 05 2015 Jitka Plesnikova <jplesnik@redhat.com>
 - Perl 5.22 rebuild
 
-% Wed Jun 03 2015 Petr Stodulka <pstodulk@redhat.com> - 2.4.2-2
+* Wed Jun 03 2015 Petr Stodulka <pstodulk@redhat.com> - 2.4.2-2
 - split create subpackage git-core (perl-less) from git package
 - git package requires git-core and it has same tool set as
   before

sources

@@ -1,3 +1,3 @@
-bde9fc7aa40560fe3b1c8b9c6d170db0  git-2.4.3.tar.gz
-6c331604b078a86739c5e86e25c03e8a  git-htmldocs-2.4.3.tar.gz
-a023736d2b193d9d0f206881eba07b05  git-manpages-2.4.3.tar.gz
+ea905da8fc9b17451a8c9f7c65f6ab21  git-2.4.11.tar.gz
+e102c2e0330ab693f4717c253a5ddf24  git-htmldocs-2.4.11.tar.gz
+92dae70bfaf30e6a86cf0c58a10cf930  git-manpages-2.4.11.tar.gz