apply upstream run-command PATH fix (CVE-2018-19486)

References:
321fd82389

0001-add-p-fix-counting-empty-context-lines-in-edited-pat.patch

@@ -0,0 +1,99 @@
+From 5be233541a4fc2e395087fe51a30a3664165e8bc Mon Sep 17 00:00:00 2001
+From: Phillip Wood <phillip.wood@dunelm.org.uk>
+Date: Fri, 1 Jun 2018 18:46:44 +0100
+Subject: [PATCH] add -p: fix counting empty context lines in edited patches
+
+recount_edited_hunk() introduced in commit 2b8ea7f3c7 ("add -p:
+calculate offset delta for edited patches", 2018-03-05) required all
+context lines to start with a space, empty lines are not counted. This
+was intended to avoid any recounting problems if the user had
+introduced empty lines at the end when editing the patch. However this
+introduced a regression into 'git add -p' as it seems it is common for
+editors to strip the trailing whitespace from empty context lines when
+patches are edited thereby introducing empty lines that should be
+counted. 'git apply' knows how to deal with such empty lines and POSIX
+states that whether or not there is an space on an empty context line
+is implementation defined [1].
+
+Fix the regression by counting lines consist solely of a newline as
+well as lines starting with a space as context lines and add a test to
+prevent future regressions.
+
+[1] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/diff.html
+
+Reported-by: Mahmoud Al-Qudsi <mqudsi@neosmart.net>
+Reported-by: Oliver Joseph Ash <oliverjash@gmail.com>
+Reported-by: Jeff Felchner <jfelchner1@gmail.com>
+Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
+---
+ git-add--interactive.perl  |  2 +-
+ t/t3701-add-interactive.sh | 43 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 44 insertions(+), 1 deletion(-)
+
+diff --git a/git-add--interactive.perl b/git-add--interactive.perl
+index c1f52e457f..befbe8c749 100755
+--- a/git-add--interactive.perl
++++ b/git-add--interactive.perl
+@@ -1055,7 +1055,7 @@ sub recount_edited_hunk {
+ 			$o_cnt++;
+ 		} elsif ($mode eq '+') {
+ 			$n_cnt++;
+-		} elsif ($mode eq ' ') {
++		} elsif ($mode eq ' ' or $_ eq "\n") {
+ 			$o_cnt++;
+ 			$n_cnt++;
+ 		}
+diff --git a/t/t3701-add-interactive.sh b/t/t3701-add-interactive.sh
+index b170fb02b8..3e9139dca8 100755
+--- a/t/t3701-add-interactive.sh
++++ b/t/t3701-add-interactive.sh
+@@ -175,6 +175,49 @@ test_expect_success 'real edit works' '
+ 	diff_cmp expected output
+ '
+ 
++test_expect_success 'setup file' '
++	test_write_lines a "" b "" c >file &&
++	git add file &&
++	test_write_lines a "" d "" c >file
++'
++
++test_expect_success 'setup patch' '
++	SP=" " &&
++	NULL="" &&
++	cat >patch <<-EOF
++	@@ -1,4 +1,4 @@
++	 a
++	$NULL
++	-b
++	+f
++	$SP
++	c
++	EOF
++'
++
++test_expect_success 'setup expected' '
++	cat >expected <<-EOF
++	diff --git a/file b/file
++	index b5dd6c9..f910ae9 100644
++	--- a/file
++	+++ b/file
++	@@ -1,5 +1,5 @@
++	 a
++	$SP
++	-f
++	+d
++	$SP
++	 c
++	EOF
++'
++
++test_expect_success 'edit can strip spaces from empty context lines' '
++	test_write_lines e n q | git add -p 2>error &&
++	test_must_be_empty error &&
++	git diff >output &&
++	diff_cmp expected output
++'
++
+ test_expect_success 'skip files similarly as commit -a' '
+ 	git reset &&
+ 	echo file >.gitignore &&

0001-packfile-Correct-zlib-buffer-handling.patch

@@ -1,50 +0,0 @@
-From 0255347aed203301302e3f8e39fa87349e178019 Mon Sep 17 00:00:00 2001
-From: Jeremy Linton <lintonrjeremy@gmail.com>
-Date: Fri, 25 May 2018 17:56:01 -0500
-Subject: [PATCH] packfile: Correct zlib buffer handling
-
-The buffer being passed to zlib includes a null terminator that
-git needs to keep in place. unpack_compressed_entry() attempts to
-detect the case that the source buffer hasn't been fully consumed
-by checking to see if the destination buffer has been over consumed.
-
-This yields two problems, first a single byte overrun won't be detected
-properly because the Z_STREAM_END will then be set, but the null
-terminator will have been overwritten. The other problem is that
-more recent zlib patches have been poisoning the unconsumed portions
-of the buffers which also overwrites the null, while correctly
-returning length and status.
-
-Lets rely on the fact that the source buffer will only be fully
-consumed when the when the destination buffer is inflated to the
-correct size. We can do this by passing zlib the correct buffer size
-and properly checking the return status. The latter check actually
-already exists if the buffer size is correct.
-
-Signed-off-by: Jeremy Linton <lintonrjeremy@gmail.com>
----
- packfile.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/packfile.c b/packfile.c
-index 7c1a2519fc..245eb32041 100644
---- a/packfile.c
-+++ b/packfile.c
-@@ -1416,7 +1416,7 @@ static void *unpack_compressed_entry(struct packed_git *p,
- 		return NULL;
- 	memset(&stream, 0, sizeof(stream));
- 	stream.next_out = buffer;
--	stream.avail_out = size + 1;
-+	stream.avail_out = size;
- 
- 	git_inflate_init(&stream);
- 	do {
-@@ -1424,7 +1424,7 @@ static void *unpack_compressed_entry(struct packed_git *p,
- 		stream.next_in = in;
- 		st = git_inflate(&stream, Z_FINISH);
- 		if (!stream.avail_out)
--			break; /* the payload is larger than it should be */
-+			break; /* done, st indicates if source fully consumed */
- 		curpos += stream.next_in - in;
- 	} while (st == Z_OK || st == Z_BUF_ERROR);
- 	git_inflate_end(&stream);

0001-packfile-correct-zlib-buffer-handling.patch

@@ -0,0 +1,38 @@
+From b611396e97cba09c7e1cf900190cf1a9e922546e Mon Sep 17 00:00:00 2001
+From: Jeremy Linton <lintonrjeremy@gmail.com>
+Date: Wed, 13 Jun 2018 09:22:07 -0500
+Subject: [PATCH] packfile: correct zlib buffer handling
+
+The buffer being passed to zlib includes a NUL terminator that git
+needs to keep in place. unpack_compressed_entry() attempts to detect
+the case that the source buffer hasn't been fully consumed by
+checking to see if the destination buffer has been over consumed.
+
+This causes a problem, that more recent zlib patches have been
+poisoning the unconsumed portions of the buffer which overwrites
+the NUL byte, while correctly returning length and status.
+
+Let's place the NUL at the end of the buffer after inflate returns
+to assure that it doesn't result in problems for git even if its
+been overwritten by zlib.
+
+Signed-off-by: Jeremy Linton <lintonrjeremy@gmail.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ packfile.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/packfile.c b/packfile.c
+index 4a5fe7ab18838..d55569921793e 100644
+--- a/packfile.c
++++ b/packfile.c
+@@ -1422,6 +1422,9 @@ static void *unpack_compressed_entry(struct packed_git *p,
+ 		return NULL;
+ 	}
+ 
++	/* versions of zlib can clobber unconsumed portion of outbuf */
++	buffer[size] = '\0';
++
+ 	return buffer;
+ }
+ 

0001-run-command-mark-path-lookup-errors-with-ENOENT.patch

@@ -0,0 +1,132 @@
+From 321fd82389742398d2924640ce3a61791fd27d60 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Wed, 24 Oct 2018 03:38:00 -0400
+Subject: [PATCH] run-command: mark path lookup errors with ENOENT
+
+Since commit e3a434468f (run-command: use the
+async-signal-safe execv instead of execvp, 2017-04-19),
+prepare_cmd() does its own PATH lookup for any commands we
+run (on non-Windows platforms).
+
+However, its logic does not match the old execvp call when
+we fail to find a matching entry in the PATH. Instead of
+feeding the name directly to execv, execvp would consider
+that an ENOENT error. By continuing and passing the name
+directly to execv, we effectively behave as if "." was
+included at the end of the PATH. This can have confusing and
+even dangerous results.
+
+The fix itself is pretty straight-forward. There's a new
+test in t0061 to cover this explicitly, and I've also added
+a duplicate of the ENOENT test to ensure that we return the
+correct errno for this case.
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ run-command.c          | 21 +++++++++++++++++----
+ t/t0061-run-command.sh | 13 ++++++++++++-
+ 2 files changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/run-command.c b/run-command.c
+index 014b2165b5a2f..8d42a4f534f7a 100644
+--- a/run-command.c
++++ b/run-command.c
+@@ -378,7 +378,7 @@ static void child_err_spew(struct child_process *cmd, struct child_err *cerr)
+ 	set_error_routine(old_errfn);
+ }
+ 
+-static void prepare_cmd(struct argv_array *out, const struct child_process *cmd)
++static int prepare_cmd(struct argv_array *out, const struct child_process *cmd)
+ {
+ 	if (!cmd->argv[0])
+ 		die("BUG: command is empty");
+@@ -401,16 +401,22 @@ static void prepare_cmd(struct argv_array *out, const struct child_process *cmd)
+ 	/*
+ 	 * If there are no '/' characters in the command then perform a path
+ 	 * lookup and use the resolved path as the command to exec.  If there
+-	 * are no '/' characters or if the command wasn't found in the path,
+-	 * have exec attempt to invoke the command directly.
++	 * are '/' characters, we have exec attempt to invoke the command
++	 * directly.
+ 	 */
+ 	if (!strchr(out->argv[1], '/')) {
+ 		char *program = locate_in_PATH(out->argv[1]);
+ 		if (program) {
+ 			free((char *)out->argv[1]);
+ 			out->argv[1] = program;
++		} else {
++			argv_array_clear(out);
++			errno = ENOENT;
++			return -1;
+ 		}
+ 	}
++
++	return 0;
+ }
+ 
+ static char **prep_childenv(const char *const *deltaenv)
+@@ -635,6 +641,12 @@ int start_command(struct child_process *cmd)
+ 	struct child_err cerr;
+ 	struct atfork_state as;
+ 
++	if (prepare_cmd(&argv, cmd) < 0) {
++		failed_errno = errno;
++		cmd->pid = -1;
++		goto end_of_spawn;
++	}
++
+ 	if (pipe(notify_pipe))
+ 		notify_pipe[0] = notify_pipe[1] = -1;
+ 
+@@ -645,7 +657,6 @@ int start_command(struct child_process *cmd)
+ 		set_cloexec(null_fd);
+ 	}
+ 
+-	prepare_cmd(&argv, cmd);
+ 	childenv = prep_childenv(cmd->env);
+ 	atfork_prepare(&as);
+ 
+@@ -773,6 +784,8 @@ int start_command(struct child_process *cmd)
+ 	argv_array_clear(&argv);
+ 	free(childenv);
+ }
++end_of_spawn:
++
+ #else
+ {
+ 	int fhin = 0, fhout = 1, fherr = 2;
+diff --git a/t/t0061-run-command.sh b/t/t0061-run-command.sh
+index e4739170aa2b7..0303ddbb6440f 100755
+--- a/t/t0061-run-command.sh
++++ b/t/t0061-run-command.sh
+@@ -13,10 +13,14 @@ cat >hello-script <<-EOF
+ EOF
+ >empty
+ 
+-test_expect_success 'start_command reports ENOENT' '
++test_expect_success 'start_command reports ENOENT (slash)' '
+ 	test-run-command start-command-ENOENT ./does-not-exist
+ '
+ 
++test_expect_success 'start_command reports ENOENT (no slash)' '
++	test-run-command start-command-ENOENT does-not-exist
++'
++
+ test_expect_success 'run_command can run a command' '
+ 	cat hello-script >hello.sh &&
+ 	chmod +x hello.sh &&
+@@ -26,6 +30,13 @@ test_expect_success 'run_command can run a command' '
+ 	test_cmp empty err
+ '
+ 
++test_expect_success 'run_command is restricted to PATH' '
++	write_script should-not-run <<-\EOF &&
++	echo yikes
++	EOF
++	test_must_fail test-run-command run-command should-not-run
++'
++
+ test_expect_success !MINGW 'run_command can run a script without a #! line' '
+ 	cat >hello <<-\EOF &&
+ 	cat hello-script

git.rpmlintrc

@@ -4,9 +4,6 @@ from Config import *
 addFilter("git.* spelling-error %description .* subpackages")
 addFilter("git-subtree.* spelling-error %description .* (subdirectory|subproject|subtree)")
 
-# We're not misusing %{buildroot} here
-addFilter("git\.(spec|src):.* rpm-buildroot-usage %prep DESTDIR = %{buildroot}")
-
 # git-core-doc requires git-core, which provides the symlink target
 addFilter("git(-core-doc)?\..*: W: dangling-relative-symlink /usr/share/doc/git/contrib/hooks ../../../git-core/contrib/hooks")
 

git.spec

@@ -82,7 +82,7 @@
 #global rcrev   .rc0
 
 Name:           git
-Version:        2.17.1
+Version:        2.17.2
 Release:        2%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
@@ -124,8 +124,15 @@ Patch3:         0001-daemon.c-fix-condition-for-redirecting-stderr.patch
 # https://public-inbox.org/git/20180524062733.5412-1-newren@gmail.com/
 Patch4:         0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch
 # https://bugzilla.redhat.com/1582555
+# https://github.com/gitster/git/commit/b611396e97.patch
 # https://public-inbox.org/git/20180525231713.23047-1-lintonrjeremy@gmail.com/
-Patch5:         0001-packfile-Correct-zlib-buffer-handling.patch
+Patch5:         0001-packfile-correct-zlib-buffer-handling.patch
+# https://github.com/gitster/git/commit/f2cb01d35
+# https://public-inbox.org/git/20180601174644.13055-1-phillip.wood@talktalk.net/
+Patch6:         0001-add-p-fix-counting-empty-context-lines-in-edited-pat.patch
+# https://bugzilla.redhat.com/1653143
+# https://github.com/git/git/commit/321fd82389.patch
+Patch7:         0001-run-command-mark-path-lookup-errors-with-ENOENT.patch
 
 %if %{with docs}
 BuildRequires:  asciidoc >= 8.4.1
@@ -187,7 +194,7 @@ BuildRequires:  gnupg
 BuildRequires:  highlight
 %endif
 BuildRequires:  httpd
-%if 0%{?fedora}
+%if 0%{?fedora} && %{_arch} != s390x
 BuildRequires:  jgit
 %endif
 BuildRequires:  mod_dav_svn
@@ -424,19 +431,7 @@ rm -rf "$tar" "$gpghome" # Cleanup tar files and tmp gpg home dir
 
 # Ensure a blank line follows autosetup, el6 chokes otherwise
 # https://bugzilla.redhat.com/1310704
-#autosetup -p1 -n %{name}-%{version}%{?rcrev}
-
-# Setup/apply patches manually to limit the zlib patch to aarch64
-# until it is accepted upstream
-%setup -q -n %{name}-%{version}%{?rcrev}
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%ifarch aarch64
-%patch5 -p1
-%endif
+%autosetup -p1 -n %{name}-%{version}%{?rcrev}
 
 # Install print-failed-test-output script
 install -p -m 755 %{SOURCE99} print-failed-test-output
@@ -463,8 +458,6 @@ LDFLAGS = %{__global_ldflags}
 NEEDS_CRYPTO_WITH_SSL = 1
 USE_LIBPCRE2 = 1
 ETC_GITCONFIG = %{_sysconfdir}/gitconfig
-DESTDIR = %{buildroot}
-INSTALL = install -p
 GITWEB_PROJECTROOT = %{_localstatedir}/lib/git
 GNU_ROFF = 1
 NO_CROSS_DIRECTORY_HARDLINKS = 1
@@ -512,18 +505,18 @@ rm -rf perl/Git/LoadCPAN{.pm,/}
 grep -rlZ '^use Git::LoadCPAN::' | xargs -r0 sed -i 's/Git::LoadCPAN:://g'
 
 %build
-make %{?_smp_mflags} all %{?with_docs:doc}
+%make_build all %{?with_docs:doc}
 
 make -C contrib/emacs
 
 %if %{libsecret}
-make -C contrib/credential/libsecret/
+%make_build -C contrib/credential/libsecret/
 %endif
 make -C contrib/credential/netrc/
 
-make -C contrib/diff-highlight/
+%make_build -C contrib/diff-highlight/
 
-make -C contrib/subtree/
+%make_build -C contrib/subtree/
 
 # Fix shebang in a few places to silence rpmlint complaints
 #
@@ -546,7 +539,7 @@ sed -i -e '1s@#!\( */usr/bin/env python\|%{__python2}\)$@#!%{__python3}@' \
 %endif
 
 %install
-make %{?_smp_mflags} install %{?with_docs:install-doc}
+%make_install %{?with_docs:install-doc}
 
 # symlink %%{gitexecdir} copies of git, git-shell, and git-upload-pack
 for i in git git-shell git-upload-pack; do
@@ -570,7 +563,7 @@ install -pm 755 contrib/credential/libsecret/git-credential-libsecret \
 install -pm 755 contrib/credential/netrc/git-credential-netrc \
     %{buildroot}%{gitexecdir}
 
-make -C contrib/subtree install %{?with_docs:install-doc}
+%make_install -C contrib/subtree %{?with_docs:install-doc}
 
 mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d
 install -pm 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/httpd/conf.d/%{gitweb_httpd_conf}
@@ -902,6 +895,20 @@ make test || ./print-failed-test-output
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 
 %changelog
+* Mon Nov 26 2018 Todd Zullinger <tmz@pobox.com> - 2.17.2-2
+- apply upstream run-command PATH fix (CVE-2018-19486)
+
+* Fri Oct 05 2018 Todd Zullinger <tmz@pobox.com> - 2.17.2-1
+- Update to 2.17.2 (CVE-2018-17456)
+
+* Thu Jun 14 2018 Todd Zullinger <tmz@pobox.com> - 2.17.1-3
+- Apply upstream zlib buffer handling patch (#1582555)
+
+* Wed May 30 2018 Todd Zullinger <tmz@pobox.com>
+- Disable jgit tests on s390x, they're unreliable
+- Use %%make_build and %%make_install
+- add -p: fix counting empty context lines in edited patches
+
 * Tue May 29 2018 Todd Zullinger <tmz@pobox.com> - 2.17.1-2
 - packfile: Correct zlib buffer handling (#1582555)
 

sources

@@ -1,2 +1,2 @@
-SHA512 (git-2.17.1.tar.xz) = 77c27569d40fbae1842130baa0cdda674a02e384631bd8fb1f2ddf67ce372dd4903b2ce6b4283a4ae506cdedd5daa55baa2afe6a6689528511e24e4beb864960
-SHA512 (git-2.17.1.tar.sign) = 90fd436a1df4a154afa36a4aaea8fa447db703ca42197f5f4507c81f96076d5f20006c265506326958f5e0b670b72b11bc37ae4bebbfee0f6ba9d9274cf71017
+SHA512 (git-2.17.2.tar.xz) = 2203a0437836360cafb0052b0f34a86363b81262d7547d1ed15dcad435a85170d85c385cb2d8406085e21004ed81ae3c55080b1e47a1cf094cb4190b98d9d6c1
+SHA512 (git-2.17.2.tar.sign) = 4c2e6aba73848d6983f6b9bc23296de2480cc99bf83568c765ea111d10b7f9745be618ce4211ad31ff3eecfb493ea56ef2352f204c3785da817501d6645608a8