Update to 2.14.5 (CVE-2018-17456)

From the upstream release announcement:

  These releases fix a security flaw (CVE-2018-17456), which allowed an
  attacker to execute arbitrary code by crafting a malicious .gitmodules
  file in a project cloned with --recurse-submodules.

  When running "git clone --recurse-submodules", Git parses the supplied
  .gitmodules file for a URL field and blindly passes it as an argument
  to a "git clone" subprocess.  If the URL field is set to a string that
  begins with a dash, this "git clone" subprocess interprets the URL as
  an option.  This can lead to executing an arbitrary script shipped in
  the superproject as the user who ran "git clone".

  In addition to fixing the security issue for the user running "clone",
  the 2.17.2, 2.18.1 and 2.19.1 releases have an "fsck" check which can
  be used to detect such malicious repository content when fetching or
  accepting a push. See "transfer.fsckObjects" in git-config(1).

  Credit for finding and fixing this vulnerability goes to joernchen
  and Jeff King, respectively.

References:
https://public-inbox.org/git/xmqqy3bcuy3l.fsf@gitster-ct.c.googlers.com/

0001-git-svn-control-destruction-order-to-avoid-segfault.patch

@@ -0,0 +1,40 @@
+From 7f6f75e97acd25f8e95ce431e16d2e1c2093845d Mon Sep 17 00:00:00 2001
+From: Eric Wong <e@80x24.org>
+Date: Mon, 29 Jan 2018 23:11:07 +0000
+Subject: [PATCH] git-svn: control destruction order to avoid segfault
+
+It seems necessary to control destruction ordering to avoid a
+segfault with SVN 1.9.5 when using "git svn branch".  I've also
+reported the problem against libsvn-perl to Debian [Bug #888791],
+but releasing the SVN::Client instance can be beneficial anyways to
+save memory.
+
+ref: https://bugs.debian.org/888791
+Tested-by: Todd Zullinger <tmz@pobox.com>
+Reported-by: brian m. carlson <sandals@crustytoothpaste.net>
+Signed-off-by: Eric Wong <e@80x24.org>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ git-svn.perl | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/git-svn.perl b/git-svn.perl
+index aa242d4f4f..b012980246 100755
+--- a/git-svn.perl
++++ b/git-svn.perl
+@@ -1199,6 +1199,11 @@ sub cmd_branch {
+ 	$ctx->copy($src, $rev, $dst)
+ 		unless $_dry_run;
+ 
++	# Release resources held by ctx before creating another SVN::Ra
++	# so destruction is orderly.  This seems necessary with SVN 1.9.5
++	# to avoid segfaults.
++	$ctx = undef;
++
+ 	$gs->fetch_all;
+ }
+ 
+-- 
+2.16.1
+

0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch

@@ -0,0 +1,72 @@
+From b03b51f889272622a3859a3765f1e7d1175b2346 Mon Sep 17 00:00:00 2001
+From: Elijah Newren <newren@gmail.com>
+Date: Wed, 23 May 2018 23:27:33 -0700
+Subject: [PATCH] rev-parse: check lookup'ed commit references for NULL
+
+Commits 2122f8b963d4 ("rev-parse: Add support for the ^! and ^@ syntax",
+2008-07-26) and 3dd4e7320d ("Teach rev-parse the ... syntax.", 2006-07-04)
+taught rev-parse new syntax, and used lookup_commit_reference() as part of
+their logic.  Neither usage checked the returned commit to see if it was
+non-NULL before using it.  Check for NULL and ensure an appropriate error
+is reported to the user.
+
+Reported by Florian Weimer and Todd Zullinger.
+
+Helped-by: Jeff King <peff@peff.net>
+Signed-off-by: Elijah Newren <newren@gmail.com>
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ builtin/rev-parse.c          | 8 ++++++--
+ t/t6101-rev-parse-parents.sh | 8 ++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/builtin/rev-parse.c b/builtin/rev-parse.c
+index 7f965fe74e..fd8e52c7b7 100644
+--- a/builtin/rev-parse.c
++++ b/builtin/rev-parse.c
+@@ -282,6 +282,10 @@ static int try_difference(const char *arg)
+ 			struct commit *a, *b;
+ 			a = lookup_commit_reference(&oid);
+ 			b = lookup_commit_reference(&end);
++			if (!a || !b) {
++				*dotdot = '.';
++				return 0;
++			}
+ 			exclude = get_merge_bases(a, b);
+ 			while (exclude) {
+ 				struct commit *commit = pop_commit(&exclude);
+@@ -328,12 +332,12 @@ static int try_parent_shorthands(const char *arg)
+ 		return 0;
+ 
+ 	*dotdot = 0;
+-	if (get_sha1_committish(arg, oid.hash)) {
++	if (get_sha1_committish(arg, oid.hash) ||
++	    !(commit = lookup_commit_reference(&oid))) {
+ 		*dotdot = '^';
+ 		return 0;
+ 	}
+ 
+-	commit = lookup_commit_reference(&oid);
+ 	if (exclude_parent &&
+ 	    exclude_parent > commit_list_count(commit->parents)) {
+ 		*dotdot = '^';
+diff --git a/t/t6101-rev-parse-parents.sh b/t/t6101-rev-parse-parents.sh
+index 8c617981a3..7683e4a114 100755
+--- a/t/t6101-rev-parse-parents.sh
++++ b/t/t6101-rev-parse-parents.sh
+@@ -214,4 +214,12 @@ test_expect_success 'rev-list merge^-1x (garbage after ^-1)' '
+ 	test_must_fail git rev-list merge^-1x
+ '
+ 
++test_expect_success 'rev-parse $garbage^@ does not segfault' '
++	test_must_fail git rev-parse $EMPTY_TREE^@
++'
++
++test_expect_success 'rev-parse $garbage...$garbage does not segfault' '
++	test_must_fail git rev-parse $EMPTY_TREE...$EMPTY_BLOB
++'
++
+ test_done
+-- 
+2.17.0
+

0001-revision-quit-pruning-diff-more-quickly-when-possibl.patch

@@ -0,0 +1,129 @@
+From fffa73135ec366040b4570e386736afcd9fc4715 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Fri, 13 Oct 2017 11:27:45 -0400
+Subject: [PATCH] revision: quit pruning diff more quickly when possible
+
+When the revision traversal machinery is given a pathspec,
+we must compute the parent-diff for each commit to determine
+which ones are TREESAME. We set the QUICK diff flag to avoid
+looking at more entries than we need; we really just care
+whether there are any changes at all.
+
+But there is one case where we want to know a bit more: if
+--remove-empty is set, we care about finding cases where the
+change consists only of added entries (in which case we may
+prune the parent in try_to_simplify_commit()). To cover that
+case, our file_add_remove() callback does not quit the diff
+upon seeing an added entry; it keeps looking for other types
+of entries.
+
+But this means when --remove-empty is not set (and it is not
+by default), we compute more of the diff than is necessary.
+You can see this in a pathological case where a commit adds
+a very large number of entries, and we limit based on a
+broad pathspec. E.g.:
+
+  perl -e '
+    chomp(my $blob = `git hash-object -w --stdin </dev/null`);
+    for my $a (1..1000) {
+      for my $b (1..1000) {
+        print "100644 $blob\t$a/$b\n";
+      }
+    }
+  ' | git update-index --index-info
+  git commit -qm add
+
+  git rev-list HEAD -- .
+
+This case takes about 100ms now, but after this patch only
+needs 6ms. That's not a huge improvement, but it's easy to
+get and it protects us against even more pathological cases
+(e.g., going from 1 million to 10 million files would take
+ten times as long with the current code, but not increase at
+all after this patch).
+
+This is reported to minorly speed-up pathspec limiting in
+real world repositories (like the 100-million-file Windows
+repository), but probably won't make a noticeable difference
+outside of pathological setups.
+
+This patch actually covers the case without --remove-empty,
+and the case where we see only deletions. See the in-code
+comment for details.
+
+Note that we have to add a new member to the diff_options
+struct so that our callback can see the value of
+revs->remove_empty_trees. This callback parameter could be
+passed to the "add_remove" and "change" callbacks, but
+there's not much point. They already receive the
+diff_options struct, and doing it this way avoids having to
+update the function signature of the other callbacks
+(arguably the format_callback and output_prefix functions
+could benefit from the same simplification).
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+(cherry picked from commit a937b37e766479c8e780b17cce9c4b252fd97e40)
+---
+ diff.h     |  1 +
+ revision.c | 16 +++++++++++++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/diff.h b/diff.h
+index 2d442e296f..142a2f24f2 100644
+--- a/diff.h
++++ b/diff.h
+@@ -180,6 +180,7 @@ struct diff_options {
+ 	pathchange_fn_t pathchange;
+ 	change_fn_t change;
+ 	add_remove_fn_t add_remove;
++	void *change_fn_data;
+ 	diff_format_fn_t format_callback;
+ 	void *format_callback_data;
+ 	diff_prefix_fn_t output_prefix;
+diff --git a/revision.c b/revision.c
+index 7da0907c85..1770f9ec33 100644
+--- a/revision.c
++++ b/revision.c
+@@ -392,8 +392,16 @@ static struct commit *one_relevant_parent(const struct rev_info *revs,
+  * if the whole diff is removal of old data, and otherwise
+  * REV_TREE_DIFFERENT (of course if the trees are the same we
+  * want REV_TREE_SAME).
+- * That means that once we get to REV_TREE_DIFFERENT, we do not
+- * have to look any further.
++ *
++ * The only time we care about the distinction is when
++ * remove_empty_trees is in effect, in which case we care only about
++ * whether the whole change is REV_TREE_NEW, or if there's another type
++ * of change. Which means we can stop the diff early in either of these
++ * cases:
++ *
++ *   1. We're not using remove_empty_trees at all.
++ *
++ *   2. We saw anything except REV_TREE_NEW.
+  */
+ static int tree_difference = REV_TREE_SAME;
+ 
+@@ -404,9 +412,10 @@ static void file_add_remove(struct diff_options *options,
+ 		    const char *fullpath, unsigned dirty_submodule)
+ {
+ 	int diff = addremove == '+' ? REV_TREE_NEW : REV_TREE_OLD;
++	struct rev_info *revs = options->change_fn_data;
+ 
+ 	tree_difference |= diff;
+-	if (tree_difference == REV_TREE_DIFFERENT)
++	if (!revs->remove_empty_trees || tree_difference != REV_TREE_NEW)
+ 		DIFF_OPT_SET(options, HAS_CHANGES);
+ }
+ 
+@@ -1345,6 +1354,7 @@ void init_revisions(struct rev_info *revs, const char *prefix)
+ 	DIFF_OPT_SET(&revs->pruning, QUICK);
+ 	revs->pruning.add_remove = file_add_remove;
+ 	revs->pruning.change = file_change;
++	revs->pruning.change_fn_data = revs;
+ 	revs->sort_order = REV_SORT_IN_GRAPH_ORDER;
+ 	revs->dense = 1;
+ 	revs->prefix = prefix;
+-- 
+2.15.0
+

git.spec

@@ -44,7 +44,7 @@
 %endif
 
 Name:           git
-Version:        2.14.3
+Version:        2.14.5
 Release:        1%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
@@ -76,6 +76,17 @@ Patch0:         git-1.8-gitweb-home-link.patch
 # https://bugzilla.redhat.com/490602
 Patch1:         git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch
 
+# https://bugzilla.redhat.com/1510455 (CVE-2017-15298)
+# https://github.com/git/git/commit/a937b37e76
+Patch2:         0001-revision-quit-pruning-diff-more-quickly-when-possibl.patch
+
+# https://github.com/git/git/commit/7f6f75e97a
+Patch3:         0001-git-svn-control-destruction-order-to-avoid-segfault.patch
+
+# https://bugzilla.redhat.com/1581678
+# https://public-inbox.org/git/20180524062733.5412-1-newren@gmail.com/
+Patch4:         0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! 0%{?_without_docs}
@@ -346,6 +357,9 @@ rm -rf "$tar" "$gpghome" # Cleanup tar files and tmp gpg home dir
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 # Remove git-archimport from command list
 sed -i '/^git-archimport/d' command-list.txt
@@ -408,6 +422,8 @@ make -C contrib/credential/libsecret/
 %endif
 make -C contrib/credential/netrc/
 
+make -C contrib/diff-highlight/
+
 make -C contrib/subtree/
 
 # Remove shebang from bash-completion script
@@ -465,6 +481,11 @@ find %{buildroot} -type f -name perllocal.pod -exec rm -f {} ';'
 # Clean up contrib/credential to avoid cruft in the git-core-doc docdir
 rm -rf contrib/credential
 
+# install contrib/diff-highlight and clean up to avoid cruft in git-core-doc
+install -Dpm 0755 contrib/diff-highlight/diff-highlight \
+    %{buildroot}%{_datadir}/git-core/contrib/diff-highlight
+rm -rf contrib/diff-highlight/{Makefile,diff-highlight,*.perl,t}
+
 # Clean up contrib/subtree to avoid cruft in the git-core-doc docdir
 rm -rf contrib/subtree/{INSTALL,Makefile,git-subtree{,.{1,html,sh,txt,xml}},t}
 
@@ -600,6 +621,7 @@ rm -rf %{buildroot}
 %{elispdir}
 %{_emacs_sitestartdir}/git-init.el
 %endif
+%{_datadir}/git-core/contrib/diff-highlight
 %{_datadir}/git-core/contrib/hooks/update-paranoid
 %{_datadir}/git-core/contrib/hooks/setgitperms.perl
 
@@ -609,7 +631,8 @@ rm -rf %{buildroot}
 #      be used elsewhere
 %{!?_licensedir:%global license %doc}
 %license COPYING
-# exlude is best way here because of troubels with symlinks inside git-core/
+# exclude is best way here because of troubles with symlinks inside git-core/
+%exclude %{_datadir}/git-core/contrib/diff-highlight
 %exclude %{_datadir}/git-core/contrib/hooks/update-paranoid
 %exclude %{_datadir}/git-core/contrib/hooks/setgitperms.perl
 %{bashcomproot}
@@ -730,6 +753,23 @@ rm -rf %{buildroot}
 # No files for you!
 
 %changelog
+* Fri Oct 05 2018 Todd Zullinger <tmz@pobox.com> - 2.14.5-1
+- Update to 2.14.5 (CVE-2018-17456)
+
+* Tue May 29 2018 Todd Zullinger <tmz@pobox.com> - 2.14.4-1
+- Update to 2.14.4 (CVE-2018-11233, CVE-2018-11235)
+
+* Thu May 24 2018 Todd Zullinger <tmz@pobox.com> - 2.14.3-4
+- Fix segfault in rev-parse with invalid input (#1581678)
+- Install contrib/diff-highlight (#1550251)
+
+* Fri Feb 16 2018 Todd Zullinger <tmz@pobox.com> - 2.14.3-3
+- git-svn: avoid segfaults in 'git svn branch'
+
+* Tue Nov 07 2017 Todd Zullinger <tmz@pobox.com> - 2.14.3-2
+- Fix git-clone memory exhaustion (CVE-2017-15298)
+  Resolves: #1510455, #1510457
+
 * Mon Oct 23 2017 Todd Zullinger <tmz@pobox.com> - 2.14.3-1
 - Update to 2.14.3
 

sources

@@ -1,2 +1,2 @@
-SHA512 (git-2.14.3.tar.xz) = e32e9ff904cbc2a77d78ca08953e3b69ac527c333a898dd053806e3d7e684ad4ae153ae7663b7ff9c16e2414c3189878a2e6c95fe9320b4af6cb1e7fa5102643
-SHA512 (git-2.14.3.tar.sign) = e0b6ab097cb12202fe033fd898a9063b78ac9f650161e24ef059057b3606100d8a847b2b48c7a07ab79af5d46f2ed0193af3d1f6da723851752ba1383d2c483d
+SHA512 (git-2.14.5.tar.xz) = cd87ed857e0340cb95e7fd8adb19adc1fa51c80134be3b08fc5fb8846f5ef88bacf322d3a576ae35e5df9febfee7d8b337c48a4af7b6c98bcf30c8ce1cfc5308
+SHA512 (git-2.14.5.tar.sign) = 7df316948726f49443c141c8576a2f50f1909cf60d151952d0b1c29ccf1c9490ccdc004aa6c814319712ee7e8b7215846c8fe4a6752bf0a5accf8e8bfd2c5e44