update to 2.34.3 (#2073414, CVE-2022-24765)

Per the upstream release notes from 2.30.3¹:

    This release addresses the security issue CVE-2022-24765.

     * CVE-2022-24765:
       On multi-user machines, Git users might find themselves
       unexpectedly in a Git worktree, e.g. when another user created a
       repository in `C:\.git`, in a mounted network drive or in a
       scratch space. Merely having a Git-aware prompt that runs `git
       status` (or `git diff`) and navigating to a directory which is
       supposedly not a Git worktree, or opening such a directory in an
       editor or IDE such as VS Code or Atom, will potentially run
       commands defined by that other user.

and 2.30.4²:

    This release contains minor fix-ups for the changes that went into
    Git 2.30.3, which was made to address CVE-2022-24765.

     * The code that was meant to parse the new `safe.directory`
       configuration variable was not checking what configuration
       variable was being fed to it, which has been corrected.

     * '*' can be used as the value for the `safe.directory` variable to
       signal that the user considers that any directory is safe.

¹ https://github.com/git/git/raw/v2.30.3/Documentation/RelNotes/2.30.3.txt
² https://github.com/git/git/raw/v2.30.4/Documentation/RelNotes/2.30.4.txt

0001-t-lib-gpg-use-with-colons-when-parsing-gpgsm-output.patch

@@ -0,0 +1,47 @@
+From e155951262e6dea419db8b9010342b08b487f96a Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Thu, 25 Nov 2021 05:05:08 -0500
+Subject: [PATCH] t/lib-gpg: use --with-colons when parsing gpgsm output
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The output of `gpgsm -K` changed in gnupg-2.3¹, breaking the parsing
+used by the GPGSM prereq.
+
+Use the `--with-colons` options for stable, machine-parseable output.
+This allows the grep/cut/tr pipeline (and the subsequent echo which
+appends ' S relax') to be replaced with a single call to awk to create
+the ${GNUPGHOME}/trustlist.txt file.
+
+¹ https://dev.gnupg.org/rGe7d70923901e is the change in 2.3, while
+  https://dev.gnupg.org/rG9c57de75cf36 is the similar change in 2.2.
+
+  The latter says: Here in 2.2 we keep the string "fingerprint:" and no
+  not change it to "sha1 fpr" as we did in master (2.3). (sic)
+
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ t/lib-gpg.sh | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
+index a3f285f515..cbbf74e725 100644
+--- a/t/lib-gpg.sh
++++ b/t/lib-gpg.sh
+@@ -72,12 +72,10 @@ test_lazy_prereq GPGSM '
+ 		--passphrase-fd 0 --pinentry-mode loopback \
+ 		--import "$TEST_DIRECTORY"/lib-gpg/gpgsm_cert.p12 &&
+ 
+-	gpgsm --homedir "${GNUPGHOME}" -K |
+-	grep fingerprint: |
+-	cut -d" " -f4 |
+-	tr -d "\\n" >"${GNUPGHOME}/trustlist.txt" &&
++	gpgsm --homedir "${GNUPGHOME}" -K --with-colons |
++	awk -F ":" "/^fpr:/ {printf \"%s S relax\\n\", \$10}" \
++		>"${GNUPGHOME}/trustlist.txt" &&
+ 
+-	echo " S relax" >>"${GNUPGHOME}/trustlist.txt" &&
+ 	echo hello | gpgsm --homedir "${GNUPGHOME}" >/dev/null \
+ 	       -u committer@example.com -o /dev/null --sign -
+ '

0001-t-lib-httpd-try-harder-to-find-a-port-for-apache.patch

@@ -1,73 +0,0 @@
-From 89ccbc15948db9ddbf74530e3fd66dd78ae897ae Mon Sep 17 00:00:00 2001
-From: Todd Zullinger <tmz@pobox.com>
-Date: Sun, 21 Aug 2022 13:49:57 -0400
-Subject: [PATCH] t/lib-httpd: try harder to find a port for apache
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When running multiple builds concurrently, tests which run daemons, like
-apache httpd, sometimes conflict with each other, leading to spurious
-failures:
-
-    ++ /usr/sbin/httpd -d '/tmp/git-t.ck9I/trash directory.t9118-git-svn-funky-branch-names/httpd' \
-       -f /builddir/build/BUILD/git-2.37.2/t/lib-httpd/apache.conf -DDAV -DSVN -c 'Listen 127.0.0.1:9118' \
-       -k start
-    (98)Address already in use: AH00072: make_sock: could not bind to address 127.0.0.1:9118
-    no listening sockets available, shutting down
-    AH00015: Unable to open logs
-    ++ test 1 -ne 0
-
-Try a bit harder to find an open port to use to avoid these intermittent
-failures.  If we fail to start httpd, increment the port number and try
-again.  By default, we make 3 attempts.  This may be overridden by
-setting GIT_TEST_START_HTTPD_TRIES to a different value.
-
-Helped-by: Ondřej Pohořelský <opohorel@redhat.com>
-Signed-off-by: Todd Zullinger <tmz@pobox.com>
----
- t/lib-httpd.sh | 29 ++++++++++++++++++-----------
- 1 file changed, 18 insertions(+), 11 deletions(-)
-
-diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
-index 2fb1b2ae56..4afdf5a6aa 100644
---- a/t/lib-httpd.sh
-+++ b/t/lib-httpd.sh
-@@ -206,19 +206,26 @@ enable_cgipassauth () {
- }
- 
- start_httpd() {
--	prepare_httpd >&3 2>&4
--
- 	test_atexit stop_httpd
- 
--	"$LIB_HTTPD_PATH" -d "$HTTPD_ROOT_PATH" \
--		-f "$TEST_PATH/apache.conf" $HTTPD_PARA \
--		-c "Listen 127.0.0.1:$LIB_HTTPD_PORT" -k start \
--		>&3 2>&4
--	if test $? -ne 0
--	then
--		cat "$HTTPD_ROOT_PATH"/error.log >&4 2>/dev/null
--		test_skip_or_die GIT_TEST_HTTPD "web server setup failed"
--	fi
-+	i=0
-+	while test $i -lt ${GIT_TEST_START_HTTPD_TRIES:-3}
-+	do
-+		i=$(($i + 1))
-+		prepare_httpd >&3 2>&4
-+		say >&3 "Starting httpd on port $LIB_HTTPD_PORT"
-+		"$LIB_HTTPD_PATH" -d "$HTTPD_ROOT_PATH" \
-+			-f "$TEST_PATH/apache.conf" $HTTPD_PARA \
-+			-c "Listen 127.0.0.1:$LIB_HTTPD_PORT" -k start \
-+			>&3 2>&4
-+		test $? -eq 0 && return
-+		LIB_HTTPD_PORT=$(($LIB_HTTPD_PORT + 1))
-+		export LIB_HTTPD_PORT
-+		# clean up modules symlink, prepare_httpd will re-create it
-+		rm -f "$HTTPD_ROOT_PATH/modules"
-+	done
-+	cat "$HTTPD_ROOT_PATH"/error.log >&4 2>/dev/null
-+	test_skip_or_die GIT_TEST_HTTPD "web server setup failed"
- }
- 
- stop_httpd() {

0002-t-lib-git-daemon-try-harder-to-find-a-port.patch

@@ -1,88 +0,0 @@
-From e90e1068ddc9cfa3badd23b16a46c57ed6d8308a Mon Sep 17 00:00:00 2001
-From: Todd Zullinger <tmz@pobox.com>
-Date: Fri, 26 Aug 2022 18:28:44 -0400
-Subject: [PATCH] t/lib-git-daemon: try harder to find a port
-
-As with the previous commit, try harder to find an open port to avoid
-intermittent failures on busy/shared build systems.
-
-By default, we make 3 attempts.  This may be overridden by setting
-GIT_TEST_START_GIT_DAEMON_TRIES to a different value.
-
-Signed-off-by: Todd Zullinger <tmz@pobox.com>
----
- t/lib-git-daemon.sh | 60 ++++++++++++++++++++++++++++-----------------
- 1 file changed, 37 insertions(+), 23 deletions(-)
-
-diff --git a/t/lib-git-daemon.sh b/t/lib-git-daemon.sh
-index e62569222b..c3e8dda9ff 100644
---- a/t/lib-git-daemon.sh
-+++ b/t/lib-git-daemon.sh
-@@ -51,30 +51,44 @@ start_git_daemon() {
- 		registered_stop_git_daemon_atexit_handler=AlreadyDone
- 	fi
- 
--	say >&3 "Starting git daemon ..."
--	mkfifo git_daemon_output
--	${LIB_GIT_DAEMON_COMMAND:-git daemon} \
--		--listen=127.0.0.1 --port="$LIB_GIT_DAEMON_PORT" \
--		--reuseaddr --verbose --pid-file="$GIT_DAEMON_PIDFILE" \
--		--base-path="$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
--		"$@" "$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
--		>&3 2>git_daemon_output &
--	GIT_DAEMON_PID=$!
--	{
--		read -r line <&7
--		printf "%s\n" "$line" >&4
--		cat <&7 >&4 &
--	} 7<git_daemon_output &&
-+	i=0
-+	while test $i -lt ${GIT_TEST_START_GIT_DAEMON_TRIES:-3}
-+	do
-+		say >&3 "Starting git daemon on port $LIB_GIT_DAEMON_PORT ..."
-+		mkfifo git_daemon_output
-+		${LIB_GIT_DAEMON_COMMAND:-git daemon} \
-+			--listen=127.0.0.1 --port="$LIB_GIT_DAEMON_PORT" \
-+			--reuseaddr --verbose --pid-file="$GIT_DAEMON_PIDFILE" \
-+			--base-path="$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
-+			"$@" "$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
-+			>&3 2>git_daemon_output &
-+		GIT_DAEMON_PID=$!
-+		{
-+			read -r line <&7
-+			printf "%s\n" "$line" >&4
-+			cat <&7 >&4 &
-+		} 7<git_daemon_output &&
- 
--	# Check expected output
--	if test x"$(expr "$line" : "\[[0-9]*\] \(.*\)")" != x"Ready to rumble"
--	then
--		kill "$GIT_DAEMON_PID"
--		wait "$GIT_DAEMON_PID"
--		unset GIT_DAEMON_PID
--		test_skip_or_die GIT_TEST_GIT_DAEMON \
--			"git daemon failed to start"
--	fi
-+		# Check expected output
-+		output="$(expr "$line" : "\[[0-9]*\] \(.*\)")"
-+		# Return if found
-+		test x"$output" = x"Ready to rumble" && return
-+		# Increment port for retry if not found
-+		LIB_GIT_DAEMON_PORT=$(($LIB_GIT_DAEMON_PORT + 1))
-+		export LIB_GIT_DAEMON_PORT
-+		GIT_DAEMON_HOST_PORT=127.0.0.1:$LIB_GIT_DAEMON_PORT
-+		GIT_DAEMON_URL=git://$GIT_DAEMON_HOST_PORT
-+		# unset GIT_DAEMON_PID; remove the fifo & pid file
-+		GIT_DAEMON_PID=
-+		rm -f git_daemon_output "$GIT_DAEMON_PIDFILE"
-+	done
-+
-+	# Clean up and return failure
-+	kill "$GIT_DAEMON_PID"
-+	wait "$GIT_DAEMON_PID"
-+	unset GIT_DAEMON_PID
-+	test_skip_or_die GIT_TEST_GIT_DAEMON \
-+		"git daemon failed to start"
- }
- 
- stop_git_daemon() {

0002-t-lib-gpg-reload-gpg-components-after-updating-trust.patch

@@ -0,0 +1,31 @@
+From 93299b9b221da01d4055528f7c760d04ee83b82b Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Thu, 25 Nov 2021 08:07:32 -0500
+Subject: [PATCH] t/lib-gpg: reload gpg components after updating trustlist
+
+With gpgsm from gnupg-2.3, the changes to the trustlist.txt do not
+appear to be picked up without refreshing the gpg-agent.  Use the 'all'
+keyword to reload all of the gpg components.  The scdaemon is started as
+a child of gpg-agent, for example.
+
+We used to have a --kill at this spot, but I removed it in 2e285e7803
+(t/lib-gpg: drop redundant killing of gpg-agent, 2019-02-07).  It seems
+like it might be necessary (again) for 2.3.
+
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ t/lib-gpg.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
+index cbbf74e725..d675698a2d 100644
+--- a/t/lib-gpg.sh
++++ b/t/lib-gpg.sh
+@@ -75,6 +75,7 @@ test_lazy_prereq GPGSM '
+ 	gpgsm --homedir "${GNUPGHOME}" -K --with-colons |
+ 	awk -F ":" "/^fpr:/ {printf \"%s S relax\\n\", \$10}" \
+ 		>"${GNUPGHOME}/trustlist.txt" &&
++	(gpgconf --reload all || : ) &&
+ 
+ 	echo hello | gpgsm --homedir "${GNUPGHOME}" >/dev/null \
+ 	       -u committer@example.com -o /dev/null --sign -

0003-t-lib-git-svn-try-harder-to-find-a-port.patch

@@ -1,85 +0,0 @@
-From 41423d666fd52eaa6aa2b44a0de1b81d0857ca06 Mon Sep 17 00:00:00 2001
-From: Todd Zullinger <tmz@pobox.com>
-Date: Fri, 26 Aug 2022 18:28:44 -0400
-Subject: [PATCH] t/lib-git-svn: try harder to find a port
-
-As with the previous commits, try harder to find an open port to avoid
-intermittent failures on busy/shared build systems.
-
-By default, we make 3 attempts.  This may be overridden by setting
-GIT_TEST_START_SVNSERVE_TRIES to a different value.
-
-Run svnserve in daemon mode and use 'test_atexit' to stop it.  This is
-cleaner than running in the foreground with --listen-once and having to
-manage the PID ourselves.
-
-Signed-off-by: Todd Zullinger <tmz@pobox.com>
----
- t/lib-git-svn.sh                    | 34 +++++++++++++++++++++++++----
- t/t9113-git-svn-dcommit-new-file.sh |  1 -
- 2 files changed, 30 insertions(+), 5 deletions(-)
-
-diff --git a/t/lib-git-svn.sh b/t/lib-git-svn.sh
-index ea28971e8e..04e660e2ba 100644
---- a/t/lib-git-svn.sh
-+++ b/t/lib-git-svn.sh
-@@ -17,6 +17,7 @@ fi
- GIT_DIR=$PWD/.git
- GIT_SVN_DIR=$GIT_DIR/svn/refs/remotes/git-svn
- SVN_TREE=$GIT_SVN_DIR/svn-tree
-+SVNSERVE_PIDFILE="$PWD"/daemon.pid
- test_set_port SVNSERVE_PORT
- 
- svn >/dev/null 2>&1
-@@ -119,10 +120,35 @@ require_svnserve () {
- }
- 
- start_svnserve () {
--	svnserve --listen-port $SVNSERVE_PORT \
--		 --root "$rawsvnrepo" \
--		 --listen-once \
--		 --listen-host 127.0.0.1 &
-+	test_atexit stop_svnserve
-+
-+	i=0
-+	while test $i -lt ${GIT_TEST_START_SVNSERVE_TRIES:-3}
-+	do
-+		say >&3 "Starting svnserve on port $SVNSERVE_PORT ..."
-+		svnserve --listen-port $SVNSERVE_PORT \
-+			 --root "$rawsvnrepo" \
-+			 --daemon --pid-file="$SVNSERVE_PIDFILE" \
-+			 --listen-host 127.0.0.1
-+		ret=$?
-+		# increment port and retry if unsuccessful
-+		if test $ret -ne 0
-+		then
-+			SVNSERVE_PORT=$(($SVNSERVE_PORT + 1))
-+			export SVNSERVE_PORT
-+		else
-+			break
-+		fi
-+	done
-+}
-+
-+stop_svnserve () {
-+	say >&3 "Stopping svnserve ..."
-+	SVNSERVE_PID="$(cat "$SVNSERVE_PIDFILE")"
-+	if test -n "$SVNSERVE_PID"
-+	then
-+		kill "$SVNSERVE_PID" 2>/dev/null
-+	fi
- }
- 
- prepare_utf8_locale () {
-diff --git a/t/t9113-git-svn-dcommit-new-file.sh b/t/t9113-git-svn-dcommit-new-file.sh
-index e8479cec7a..5925891f5d 100755
---- a/t/t9113-git-svn-dcommit-new-file.sh
-+++ b/t/t9113-git-svn-dcommit-new-file.sh
-@@ -28,7 +28,6 @@ test_expect_success 'create files in new directory with dcommit' "
- 	echo hello > git-new-dir/world &&
- 	git update-index --add git-new-dir/world &&
- 	git commit -m hello &&
--	start_svnserve &&
- 	git svn dcommit
- 	"
- 

0003-t-lib-gpg-kill-all-gpg-components-not-just-gpg-agent.patch

@@ -0,0 +1,40 @@
+From da340dd76714474126f73f6b53087da0ffd4e8d8 Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Fri, 26 Nov 2021 21:11:54 -0500
+Subject: [PATCH] t/lib-gpg: kill all gpg components, not just gpg-agent
+
+The gpg-agent is one of several processes that newer releases of GnuPG
+start automatically.  Issue a kill to each of them to ensure they do not
+affect separate tests.  (Yes, the separate GNUPGHOME should do that
+already. If we find that is case, we could drop the --kill entirely.)
+
+In terms of compatibility, the 'all' keyword was added to the --kill &
+--reload options in GnuPG 2.1.18.  Debian and RHEL are often used as
+indicators of how a change might affect older systems we often try to
+support.
+
+    - Debian Strech (old old stable), which has limited security support
+      until June 2022, has GnuPG 2.1.18 (or 2.2.x in backports).
+
+    - CentOS/RHEL 7, which is supported until June 2024, has GnuPG
+      2.0.22, which lacks the --kill option, so the change won't have
+      any impact.
+
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ t/lib-gpg.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
+index d675698a2d..2bb309a8c1 100644
+--- a/t/lib-gpg.sh
++++ b/t/lib-gpg.sh
+@@ -40,7 +40,7 @@ test_lazy_prereq GPG '
+ 		#		> lib-gpg/ownertrust
+ 		mkdir "$GNUPGHOME" &&
+ 		chmod 0700 "$GNUPGHOME" &&
+-		(gpgconf --kill gpg-agent || : ) &&
++		(gpgconf --kill all || : ) &&
+ 		gpg --homedir "${GNUPGHOME}" --import \
+ 			"$TEST_DIRECTORY"/lib-gpg/keyring.gpg &&
+ 		gpg --homedir "${GNUPGHOME}" --import-ownertrust \

0004-t4202-match-gpgsm-output-from-GnuPG-2.3.patch

@@ -0,0 +1,33 @@
+From d1efcac68414b80cc0fd7b7e3b4781f313d98697 Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Sat, 27 Nov 2021 05:31:13 -0500
+Subject: [PATCH] t4202: match gpgsm output from GnuPG 2.3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In GnuPG 2.3, the output from gpgsm when a certificate is not found
+differs from that of earlier versions.  This appears to be a bug¹, but
+there are several releases in use now which have this output.  Extend
+the grep pattern to catch it rather than failing the test.
+
+¹ https://lists.gnupg.org/pipermail/gnupg-devel/2021-November/034991.html
+
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ t/t4202-log.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/t/t4202-log.sh b/t/t4202-log.sh
+index 7884e3d46b..c69f9ac469 100755
+--- a/t/t4202-log.sh
++++ b/t/t4202-log.sh
+@@ -1851,7 +1851,7 @@ test_expect_success GPGSM 'log --graph --show-signature for merged tag x509 miss
+ 	git merge --no-ff -m msg signed_tag_x509_nokey &&
+ 	GNUPGHOME=. git log --graph --show-signature -n1 plain-x509-nokey >actual &&
+ 	grep "^|\\\  merged tag" actual &&
+-	grep "^| | gpgsm: certificate not found" actual
++	grep -Ei "^| | gpgsm:( failed to find the)? certificate:? not found" actual
+ '
+ 
+ test_expect_success GPGSM 'log --graph --show-signature for merged tag x509 bad signature' '

0005-gpg-interface-match-SIG_CREATED-if-it-s-the-first-li.patch

@@ -0,0 +1,48 @@
+From edb5eafc9945b2d400c2d777a9750cee06ab500f Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Sat, 27 Nov 2021 02:55:47 -0500
+Subject: [PATCH] gpg-interface: match SIG_CREATED if it's the first line
+
+In `sign_buffer_gpg`, "\n[GNUPG:] SIG_CREATED " in the gpg status output
+is used to signal a successful signature.  This fails if "SIG_CREATED"
+is the first line in the gpg output, as is the case with `gpgsm` in
+GnuPG 2.3.
+
+In earlier versions of GnuPG, there was a debug line in the `gpgsm`
+output which allowed the check in `sign_buffer_gpg` to work.  This debug
+line was removed from GnuPG in a6d2f3133 (sm: Replace some debug message
+by log_error or log_info, 2020-04-21).
+
+The result is the `gpgsm --status-fd` output for a signing operation
+starts with "[GNUPG:] SIG_CREATED" and we mistakenly report "gpg failed
+to sign the data" to the user.  The `gpg` command has other `[GNUPG:]`
+output for signing operations, so it is not affected by this issue.
+It's best not to rely on something as subtle and out of our control as
+the order if the gnupg status messages.
+
+This likely went unnoticed because the GPGSM test prereq was failing for
+a different reason with GnuPG 2.3.  No tests failed, they were simply
+skipped due to the missing GPGSM prereq.
+
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ gpg-interface.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/gpg-interface.c b/gpg-interface.c
+index 3e7255a2a9..d179dfb3ab 100644
+--- a/gpg-interface.c
++++ b/gpg-interface.c
+@@ -859,6 +859,12 @@ static int sign_buffer_gpg(struct strbuf *buffer, struct strbuf *signature,
+ 
+ 	bottom = signature->len;
+ 
++	/*
++	 * Ensure gpg_status begins with a newline or we'll fail to match if
++	 * the SIG_CREATED line is at the start of the gpg output.
++	 */
++	strbuf_addch(&gpg_status, '\n');
++
+ 	/*
+ 	 * When the username signingkey is bad, program could be terminated
+ 	 * because gpg exits without reading and then write gets SIGPIPE.

git-2.52-sanitize-sideband-channel-messages.patch

@@ -1,275 +0,0 @@
-From 65e88e659008e2cbf79cf44975406ff0d569a3a9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Poho=C5=99elsk=C3=BD?= <opohorel@redhat.com>
-Date: Thu, 20 Nov 2025 12:24:59 +0100
-Subject: [PATCH] sideband: mask control characters
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The output of `git clone` is a vital component for understanding what
-has happened when things go wrong. However, these logs are partially
-under the control of the remote server (via the "sideband", which
-typically contains what the remote `git pack-objects` process sends to
-`stderr`), and is currently not sanitized by Git.
-
-This makes Git susceptible to ANSI escape sequence injection (see
-CWE-150, https://cwe.mitre.org/data/definitions/150.html), which allows
-attackers to corrupt terminal state, to hide information, and even to
-insert characters into the input buffer (i.e. as if the user had typed
-those characters).
-
-To plug this vulnerability, disallow any control character in the
-sideband, replacing them instead with the common `^<letter/symbol>`
-(e.g. `^[` for `\x1b`, `^A` for `\x01`).
-
-There is likely a need for more fine-grained controls instead of using a
-"heavy hammer" like this, which will be introduced subsequently.
-
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-
-sideband: introduce an "escape hatch" to allow control characters
-
-The preceding commit fixed the vulnerability whereas sideband messages
-(that are under the control of the remote server) could contain ANSI
-escape sequences that would be sent to the terminal verbatim.
-
-However, this fix may not be desirable under all circumstances, e.g.
-when remote servers deliberately add coloring to their messages to
-increase their urgency.
-
-To help with those use cases, give users a way to opt-out of the
-protections: `sideband.allowControlCharacters`.
-
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-
-sideband: do allow ANSI color sequences by default
-
-The preceding two commits introduced special handling of the sideband
-channel to neutralize ANSI escape sequences before sending the payload
-to the terminal, and `sideband.allowControlCharacters` to override that
-behavior.
-
-However, some `pre-receive` hooks that are actively used in practice
-want to color their messages and therefore rely on the fact that Git
-passes them through to the terminal.
-
-In contrast to other ANSI escape sequences, it is highly unlikely that
-coloring sequences can be essential tools in attack vectors that mislead
-Git users e.g. by hiding crucial information.
-
-Therefore we can have both: Continue to allow ANSI coloring sequences to
-be passed to the terminal, and neutralize all other ANSI escape
-sequences.
-
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-
-sideband: default to allowControlCharacters=true
-
-We don't want to change the default Git behaviour, just add the option
-to filter control characters.
-
-Signed-off-by: Ondřej Pohořelský <opohorel@redhat.com>
----
- Documentation/config.adoc           |  2 +
- Documentation/config/sideband.adoc  | 16 ++++++
- sideband.c                          | 78 ++++++++++++++++++++++++++++-
- t/t5409-colorize-remote-messages.sh | 31 ++++++++++++
- 4 files changed, 125 insertions(+), 2 deletions(-)
- create mode 100644 Documentation/config/sideband.adoc
-
-diff --git a/Documentation/config.adoc b/Documentation/config.adoc
-index 62eebe7c54..dcea3c0c15 100644
---- a/Documentation/config.adoc
-+++ b/Documentation/config.adoc
-@@ -523,6 +523,8 @@ include::config/sequencer.adoc[]
- 
- include::config/showbranch.adoc[]
- 
-+include::config/sideband.adoc[]
-+
- include::config/sparse.adoc[]
- 
- include::config/splitindex.adoc[]
-diff --git a/Documentation/config/sideband.adoc b/Documentation/config/sideband.adoc
-new file mode 100644
-index 0000000000..c9ba24a02c
---- /dev/null
-+++ b/Documentation/config/sideband.adoc
-@@ -0,0 +1,16 @@
-+sideband.allowControlCharacters::
-+	By default, control characters that are delivered via the sideband
-+	are NOT masked. Use this config setting to prevent potentially
-+	unwanted ANSI escape sequences from being sent to the terminal:
-++
-+--
-+	color::
-+		Allow ANSI color sequences, line feeds and horizontal tabs,
-+		but mask all other control characters.
-+	false::
-+		Mask all control characters other than line feeds and
-+		horizontal tabs.
-+	true::
-+		Allow all control characters to be sent to the terminal.
-+		This is the default.
-+--
-\ No newline at end of file
-diff --git a/sideband.c b/sideband.c
-index ea7c25211e..88d1b44a7a 100644
---- a/sideband.c
-+++ b/sideband.c
-@@ -26,6 +26,12 @@ static struct keyword_entry keywords[] = {
- 	{ "error",	GIT_COLOR_BOLD_RED },
- };
- 
-+static enum {
-+	ALLOW_NO_CONTROL_CHARACTERS = 0,
-+	ALLOW_ALL_CONTROL_CHARACTERS = 1,
-+	ALLOW_ANSI_COLOR_SEQUENCES = 2
-+} allow_control_characters = ALLOW_ALL_CONTROL_CHARACTERS;
-+
- /* Returns a color setting (GIT_COLOR_NEVER, etc). */
- static enum git_colorbool use_sideband_colors(void)
- {
-@@ -39,6 +45,25 @@ static enum git_colorbool use_sideband_colors(void)
- 	if (use_sideband_colors_cached != GIT_COLOR_UNKNOWN)
- 		return use_sideband_colors_cached;
- 
-+	switch (repo_config_get_maybe_bool(the_repository, "sideband.allowcontrolcharacters", &i)) {
-+	case 0: /* Boolean value */
-+		allow_control_characters = i ? ALLOW_ALL_CONTROL_CHARACTERS :
-+			ALLOW_NO_CONTROL_CHARACTERS;
-+		break;
-+	case -1: /* non-Boolean value */
-+		if (repo_config_get_string_tmp(the_repository, "sideband.allowcontrolcharacters",
-+					      &value))
-+			; /* huh? `get_maybe_bool()` returned -1 */
-+		else if (!strcmp(value, "color"))
-+			allow_control_characters = ALLOW_ANSI_COLOR_SEQUENCES;
-+		else
-+			warning(_("unrecognized value for `sideband."
-+				  "allowControlCharacters`: '%s'"), value);
-+		break;
-+	default:
-+		break; /* not configured */
-+	}
-+
- 	if (!repo_config_get_string_tmp(the_repository, key, &value))
- 		use_sideband_colors_cached = git_config_colorbool(key, value);
- 	else if (!repo_config_get_string_tmp(the_repository, "color.ui", &value))
-@@ -66,6 +91,55 @@ void list_config_color_sideband_slots(struct string_list *list, const char *pref
- 		list_config_item(list, prefix, keywords[i].keyword);
- }
- 
-+static int handle_ansi_color_sequence(struct strbuf *dest, const char *src, int n)
-+{
-+	int i;
-+
-+	/*
-+	 * Valid ANSI color sequences are of the form
-+	 *
-+	 * ESC [ [<n> [; <n>]*] m
-+	 */
-+
-+	if (allow_control_characters != ALLOW_ANSI_COLOR_SEQUENCES ||
-+	    n < 3 || src[0] != '\x1b' || src[1] != '[')
-+		return 0;
-+
-+	for (i = 2; i < n; i++) {
-+		if (src[i] == 'm') {
-+			strbuf_add(dest, src, i + 1);
-+			return i;
-+		}
-+		if (!isdigit(src[i]) && src[i] != ';')
-+			break;
-+	}
-+
-+	return 0;
-+}
-+
-+static void strbuf_add_sanitized(struct strbuf *dest, const char *src, int n)
-+{
-+	int i;
-+
-+	if (allow_control_characters == ALLOW_ALL_CONTROL_CHARACTERS) {
-+		strbuf_add(dest, src, n);
-+		return;
-+	}
-+
-+	strbuf_grow(dest, n);
-+	for (; n && *src; src++, n--) {
-+		if (!iscntrl(*src) || *src == '\t' || *src == '\n')
-+			strbuf_addch(dest, *src);
-+		else if ((i = handle_ansi_color_sequence(dest, src, n))) {
-+			src += i;
-+			n -= i;
-+		} else {
-+			strbuf_addch(dest, '^');
-+			strbuf_addch(dest, 0x40 + *src);
-+		}
-+	}
-+}
-+
- /*
-  * Optionally highlight one keyword in remote output if it appears at the start
-  * of the line. This should be called for a single line only, which is
-@@ -81,7 +155,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
- 	int i;
- 
- 	if (!want_color_stderr(use_sideband_colors())) {
--		strbuf_add(dest, src, n);
-+		strbuf_add_sanitized(dest, src, n);
- 		return;
- 	}
- 
-@@ -114,7 +188,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
- 		}
- 	}
- 
--	strbuf_add(dest, src, n);
-+	strbuf_add_sanitized(dest, src, n);
- }
- 
- 
-diff --git a/t/t5409-colorize-remote-messages.sh b/t/t5409-colorize-remote-messages.sh
-index fa5de4500a..2d40d8c640 100755
---- a/t/t5409-colorize-remote-messages.sh
-+++ b/t/t5409-colorize-remote-messages.sh
-@@ -98,4 +98,35 @@ test_expect_success 'fallback to color.ui' '
- 	grep "<BOLD;RED>error<RESET>: error" decoded
- '
- 
-+test_expect_success 'disallow (color) control sequences in sideband' '
-+	write_script .git/color-me-surprised <<-\EOF &&
-+	printf "error: Have you \\033[31mread\\033[m this?\\a\\n" >&2
-+	exec "$@"
-+	EOF
-+	test_config_global uploadPack.packObjectshook ./color-me-surprised &&
-+	test_commit need-at-least-one-commit &&
-+
-+	git -c sideband.allowControlCharacters=color \
-+		clone --no-local . throw-away 2>stderr &&
-+	test_decode_color <stderr >decoded &&
-+	test_grep RED decoded &&
-+	test_grep "\\^G" stderr &&
-+	tr -dc "\\007" <stderr >actual &&
-+	test_must_be_empty actual &&
-+
-+	rm -rf throw-away &&
-+	git -c sideband.allowControlCharacters=false \
-+		clone --no-local . throw-away 2>stderr &&
-+	test_decode_color <stderr >decoded &&
-+	test_grep ! RED decoded &&
-+	test_grep "\\^G" stderr &&
-+
-+	rm -rf throw-away &&
-+	git -c sideband.allowControlCharacters clone --no-local . throw-away 2>stderr &&
-+	test_decode_color <stderr >decoded &&
-+	test_grep RED decoded &&
-+	tr -dc "\\007" <stderr >actual &&
-+	test_file_not_empty actual
-+'
-+
- test_done
--- 
-2.51.1
-

git-test-apache-davlockdbtype-config.patch

@@ -1,14 +0,0 @@
-diff -ur b/t/lib-httpd/apache.conf a/t/lib-httpd/apache.conf
---- b/t/lib-httpd/apache.conf	2024-01-09 11:06:46.660868023 +0100
-+++ a/t/lib-httpd/apache.conf	2024-01-09 11:09:09.572713625 +0100
-@@ -272,7 +272,9 @@
- <IfDefine DAV>
- 	LoadModule dav_module modules/mod_dav.so
- 	LoadModule dav_fs_module modules/mod_dav_fs.so
--
-+	<IfDirective DavLockDBType>
-+   		DavLockDBType sdbm
-+	</IfDirective>
- 	DAVLockDB DAVLock
- 	<Location /dumb/>
- 		Dav on

git.rpmlintrc

@@ -1,3 +1,5 @@
+from Config import *
+
 # the dictionary is a bit limited
 addFilter("git.* spelling-error %description .* subpackages")
 addFilter("git-subtree.* spelling-error %description .* (subdirectory|subproject|subtree)")
@@ -5,9 +7,6 @@ addFilter("git-subtree.* spelling-error %description .* (subdirectory|subproject
 # git-core-doc requires git-core, which provides the symlink target
 addFilter("git(-core-doc)?\..*: W: dangling-relative-symlink /usr/share/doc/git/contrib/hooks ../../../git-core/contrib/hooks")
 
-# gitk requires git, which provides the symlink target
-addFilter("gitk\.noarch: W: dangling-relative-symlink /usr/share/bash-completion/completions/gitk git")
-
 # git-gui requires git, which provides the git binary
 addFilter("git-gui.noarch: W: desktopfile-without-binary /usr/share/applications/git-gui.desktop git")
 
@@ -24,19 +23,5 @@ addFilter("git-core\..*: W: no-manual-page-for-binary")
 # similarly ignore the warning when git-cvs and git-p4 are disabled
 addFilter("git.* obsolete-not-provided git-(cvs|gnome-keyring|p4)")
 
-# git-svn has both man and html docs and only a single command
-addFilter('git-svn\..*: W: package-with-huge-docs')
-
-# ignore potential "bashisms" in docs
-addFilter('git-core-doc\.noarch: W: potential-bashisms /usr/share/doc/git/')
-
-# ignore unused-direct-shlib-dependency for libpcre; while it probably could be
-# removed from some binaries, the cost of doing so isn't worth the gain.
-addFilter('git-(core|daemon)\..*: W: unused-direct-shlib-dependency .* /lib64/libpcre2-.*')
-
-# ignore duplicate gvimdiff/nvimdiff files; they are only 29 bytes, sourcing the same base
-# vimdiff mergetool
-addFilter('git-core\..*: W: files-duplicate /usr/libexec/git-core/mergetools/[gn]vimdiff')
-
-# ignore non-standard-dir-in-var for gitweb (#479613)
-addFilter('gitweb.noarch: W: non-standard-dir-in-var www')
+# we BR emacs which requires emacs-common and provides %{_emacs_version}
+addFilter("git.(spec|src): .* Possible unexpanded macro in: Requires:.*emacs-filesystem >= %{_emacs_version}")

git.skip-test-patterns

@@ -1,28 +1,22 @@
-^ok 1 # SKIP enable client-side http/2 \(missing HTTP2\)$
 expensive 2GB clone test; enable with GIT_TEST_CLONE_2GB=true
 filesystem does not corrupt utf-8
-fsmonitor--daemon is not supported on this platform
 GIT_SKIP_TESTS
 missing AUTOIDENT
-missing BUILTIN_TXT_
 missing CASE_INSENSITIVE_FS
 missing DONTHAVEIT
-missing ([!]LONG_IS_64BIT,)?EXPENSIVE
-missing FSMONITOR_DAEMON
+missing EXPENSIVE
 missing JGIT
 missing !?LAZY_(TRUE|FALSE)
 missing MINGW
 missing NATIVE_CRLF
 missing !PCRE
 missing !PTHREADS
-missing !REFFILES
 missing RFC1991
 missing RUNTIME_PREFIX
 missing SYMLINKS_WINDOWS
 missing TAR_NEEDS_PAX_FALLBACK
 missing UTF8_NFD_TO_NFC
 missing WINDOWS
-skipped: skip all tests in t5559
 skipping case insensitive tests
 skipping git p4 tests
 skipping remote-svn tests, python not available
@@ -30,4 +24,3 @@ skipping svn-info test
 skipping Windows-(only path|specific) tests
 Test requiring writable / skipped
 used to test external credential helpers
-You must set env var GIT_TEST_ALLOW_SUDO=YES in order to run this test

print-failed-test-output

@@ -10,17 +10,4 @@ for exit_file in t/test-results/*.exit; do
     printf '\n%s\n%s\n%s\n' "$sep" "$out_file" "$sep"
     cat "$out_file"
 done
-
-# tar up test-results & $testdir, then print base64 encoded output
-#
-# copy $testdir contents to test-results to avoid absolute paths with tar
-cp -a $testdir/* t/test-results/
-begin='-----BEGIN BASE64 MESSAGE-----'
-end='-----END BASE64 MESSAGE-----'
-printf '\n%s\n' 'test-results and trash directory output follows; decode via:'
-printf '%s\n' "sed -n '/^${begin}$/,/^${end}$/{/^${begin}$/!{/^${end}$/!p}}' build.log | base64 -d >output.tar.zst"
-printf '%s\n' "$begin"
-tar -C t -cf - test-results/ | zstdmt -17 | base64
-printf '%s\n' "$end"
-
 exit 1

sources

@@ -1,2 +1,2 @@
-SHA512 (git-2.52.0.tar.xz) = 965e5ebb72d1f080d64e34bdb75f0bb1689c9dd41dcf63b020d986bad49808ac09bfb1115962bc0c5b95bac8622367ac4cd09aa89266f73d2137fe94c90dd3ed
-SHA512 (git-2.52.0.tar.sign) = a5a68ce131a5763650c477ec01a4de958dd6a946bdea0f613e26bdab41d2df6b3ca63f9028bbe603bf0c834bd415c86e6c616b1ff08cc48aa7c3c61a37b24b74
+SHA512 (git-2.34.3.tar.xz) = 6bf06b11257bdea48bf37e83c16a805a603c3712c08bd771fb08e09c4d26b53e949249ebbf5e6a58b36a16e2defd1ac09c54312669bd4a5a7d48efb4ec15f59a
+SHA512 (git-2.34.3.tar.sign) = 618501c751380c0e918ff6cb8d2ab40ebb95666c28f299916b1b89782b9c3028d1d87e7a0e4f8bb71b7e5488c3bd0c6528f93eeb3e04b42d922dd9d4ee420902