diff --git a/0001-quote-values-containing-CR-character.patch b/0001-quote-values-containing-CR-character.patch
deleted file mode 100644
index 1e7b43a5f9499aaefe206412c648308454072e86..0000000000000000000000000000000000000000
--- a/0001-quote-values-containing-CR-character.patch
+++ /dev/null
@@ -1,120 +0,0 @@ -From 05e9cd64ee23bbadcea6bcffd6660ed02b8eab89 Mon Sep 17 00:00:00 2001 -From: Justin Tobler -Date: Mon, 19 May 2025 21:26:04 -0500 -Subject: [PATCH] config: quote values containing CR character - -When reading the config, values that contain a trailing CRLF are -stripped. If the value itself has a trailing CR, the normal LF that -follows results in the CR being unintentionally stripped. This may lead -to unintended behavior due to the config value written being different -when it gets read. - -One such issue involves a repository with a submodule path containing a -trailing CR. When the submodule gets initialized, the submodule is -cloned without being checked out and has "core.worktree" set to the -submodule path. The git-checkout(1) that gets spawned later reads the -"core.worktree" config value, but without the trailing CR, and -consequently attempts to checkout to a different path than intended. - -If the repository contains a matching path that is a symlink, it is -possible for the submodule repository to be checked out in arbitrary -locations. This is extra bad when the symlink points to the submodule -hooks directory and the submodule repository contains an executable -"post-checkout" hook. Once the submodule repository checkout completes, -the "post-checkout" hook immediately executes. - -To prevent mismatched config state due to misinterpreting a trailing CR, -wrap config values containing CR in double quotes when writing the -entry. This ensures a trailing CR is always separated for an LF and thus -prevented from getting stripped. - -Note that this problem cannot be addressed by just quoting each CR with -"\r". The reading side of the config interprets only a few backslash -escapes, and "\r" is not among them. This fix is sufficient though -because it only affects the CR at the end of a line and any literal CR -in the interior is already preserved. 
- -Co-authored-by: David Leadbeater -Signed-off-by: Justin Tobler -Signed-off-by: Taylor Blau ---- - config.c | 2 +- - t/t1300-config.sh | 11 +++++++++++ - t/t7450-bad-git-dotfiles.sh | 33 +++++++++++++++++++++++++++++++++ - 3 files changed, 45 insertions(+), 1 deletion(-) - -diff --git a/config.c b/config.c -index 9ff6ae1cb903a0..629981451d303b 100644 ---- a/config.c -+++ b/config.c -@@ -2999,7 +2999,7 @@ static ssize_t write_pair(int fd, const char *key, const char *value, - if (value[0] == ' ') - quote = "\""; - for (i = 0; value[i]; i++) -- if (value[i] == ';' || value[i] == '#') -+ if (value[i] == ';' || value[i] == '#' || value[i] == '\r') - quote = "\""; - if (i && value[i - 1] == ' ') - quote = "\""; -diff --git a/t/t1300-config.sh b/t/t1300-config.sh -index f4e27521344920..1010410b7e2926 100755 ---- a/t/t1300-config.sh -+++ b/t/t1300-config.sh -@@ -2590,4 +2590,15 @@ test_expect_success 'includeIf.hasconfig:remote.*.url forbids remote url in such - grep "fatal: remote URLs cannot be configured in file directly or indirectly included by includeIf.hasconfig:remote.*.url" err - ' - -+test_expect_success 'writing value with trailing CR not stripped on read' ' -+ test_when_finished "rm -rf cr-test" && -+ -+ printf "bar\r\n" >expect && -+ git init cr-test && -+ git -C cr-test config set core.foo $(printf "bar\r") && -+ git -C cr-test config get core.foo >actual && -+ -+ test_cmp expect actual -+' -+ - test_done -diff --git a/t/t7450-bad-git-dotfiles.sh b/t/t7450-bad-git-dotfiles.sh -index 5b845e899bf17c..20262855664a97 100755 ---- a/t/t7450-bad-git-dotfiles.sh -+++ b/t/t7450-bad-git-dotfiles.sh -@@ -347,4 +347,37 @@ test_expect_success 'checkout -f --recurse-submodules must not use a nested gitd - test_path_is_missing nested_checkout/thing2/.git - ' - -+test_expect_success SYMLINKS,!WINDOWS,!MINGW 'submodule must not checkout into different directory' ' -+ test_when_finished "rm -rf sub repo bad-clone" && -+ -+ git init sub && -+ write_script sub/post-checkout 
<<-\EOF && -+ touch "$PWD/foo" -+ EOF -+ git -C sub add post-checkout && -+ git -C sub commit -m hook && -+ -+ git init repo && -+ git -C repo -c protocol.file.allow=always submodule add "$PWD/sub" sub && -+ git -C repo mv sub $(printf "sub\r") && -+ -+ # Ensure config values containing CR are wrapped in quotes. -+ git config unset -f repo/.gitmodules submodule.sub.path && -+ printf "\tpath = \"sub\r\"\n" >>repo/.gitmodules && -+ -+ git config unset -f repo/.git/modules/sub/config core.worktree && -+ { -+ printf "[core]\n" && -+ printf "\tworktree = \"../../../sub\r\"\n" -+ } >>repo/.git/modules/sub/config && -+ -+ ln -s .git/modules/sub/hooks repo/sub && -+ git -C repo add -A && -+ git -C repo commit -m submodule && -+ -+ git -c protocol.file.allow=always clone --recurse-submodules repo bad-clone && -+ ! test -f "$PWD/foo" && -+ test -f $(printf "bad-clone/sub\r/post-checkout") -+' -+ - test_done diff --git a/download b/download index b1ff92e0fad7b7fef1538a7d817b13f8b6d07048..b159e6a8da9db71b8fde3200bf17b22cbe926e2a 100644 --- a/download +++ b/download @@ -1,2 +1,2 @@ -fe1b6816eeda80a0ad1854afc7bbe3aa git-2.43.5.tar.sign -b2a0e95a31b41b8ed8ab5d543db823ad git-2.43.5.tar.xz +66cab65d45b821575004de9445e566e3 git-2.43.7.tar.sign +0f3a7e992c22f55fda6e5292f7a47032 git-2.43.7.tar.xz diff --git a/git-2.43.7-t-avoid-git-config-syntax-from-newer-releases.patch b/git-2.43.7-t-avoid-git-config-syntax-from-newer-releases.patch new file mode 100644 index 0000000000000000000000000000000000000000..df348b88785728b6f4c7f05d8b97b10be75b1b01 --- /dev/null +++ b/git-2.43.7-t-avoid-git-config-syntax-from-newer-releases.patch 
@@ -0,0 +1,59 @@ +From 428c9241c6918f52ac22fb8e83ce7c736a2f5e00 Mon Sep 17 00:00:00 2001 +From: Todd Zullinger +Date: Tue, 8 Jul 2025 17:05:27 -0400 +Subject: [PATCH] t: avoid git config syntax from newer releases + +In a recent security release, 05e9cd64ee (config: quote values +containing CR character, 2025-05-19) added calls to `git config get`, +`git config set`, and `git config unset` which are not present on the +maint-2.43 branch. + +These subcommands were added in the following commits, released in +git-2.46.0: + + 4e51389000 (builtin/config: introduce "get" subcommand, 2024-05-06), + 00bbdde141 (builtin/config: introduce "set" subcommand, 2024-05-06), + 95ea69c67b (builtin/config: introduce "unset" subcommand, 2024-05-06) + +Revert to the previous `git config` syntax for older maintenance +branches. + +Signed-off-by: Todd Zullinger +Signed-off-by: Junio C Hamano +--- + t/t1300-config.sh | 4 ++-- + t/t7450-bad-git-dotfiles.sh | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/t/t1300-config.sh b/t/t1300-config.sh +index 1010410b7e2926..baf9b4823111d5 100755 +--- a/t/t1300-config.sh ++++ b/t/t1300-config.sh +@@ -2595,8 +2595,8 @@ test_expect_success 'writing value with trailing CR not stripped on read' ' + + printf "bar\r\n" >expect && + git init cr-test && +- git -C cr-test config set core.foo $(printf "bar\r") && +- git -C cr-test config get core.foo >actual && ++ git -C cr-test config core.foo $(printf "bar\r") && ++ git -C cr-test config --get core.foo >actual && + + test_cmp expect actual + ' +diff --git a/t/t7450-bad-git-dotfiles.sh b/t/t7450-bad-git-dotfiles.sh +index 20262855664a97..d1546e3311b27f 100755 +--- a/t/t7450-bad-git-dotfiles.sh ++++ b/t/t7450-bad-git-dotfiles.sh +@@ -362,10 +362,10 @@ test_expect_success SYMLINKS,!WINDOWS,!MINGW 'submodule must not checkout into d + git -C repo mv sub $(printf "sub\r") && + + # Ensure config values containing CR are wrapped in quotes. 
+- git config unset -f repo/.gitmodules submodule.sub.path && ++ git config --unset -f repo/.gitmodules submodule.sub.path && + printf "\tpath = \"sub\r\"\n" >>repo/.gitmodules && + +- git config unset -f repo/.git/modules/sub/config core.worktree && ++ git config --unset -f repo/.git/modules/sub/config core.worktree && + { + printf "[core]\n" && + printf "\tworktree = \"../../../sub\r\"\n" diff --git a/git.spec b/git.spec index c883bd9f7edaf44f7a4d2a78e1fa00e9954b89e0..2f21e11c605f0275030b90c409f845085f1030ed 100644 --- a/git.spec +++ b/git.spec @@ -93,8 +93,8 @@ #global rcrev .rc0 Name: git -Version: 2.43.5 -Release: 3%{?rcrev}%{anolis_release}%{?dist} +Version: 2.43.7 +Release: 1%{?rcrev}%{anolis_release}%{?dist} Summary: Fast Version Control System License: GPLv2 URL: https://git-scm.com/ @@ -150,7 +150,11 @@ Patch6: git-2.43.0-slow-shallow-clones.patch # # https://github.com/gitgitgadget/git/pull/1853 Patch7: git-2.43.5-sanitize-sideband-channel-messages.patch -Patch100: 0001-quote-values-containing-CR-character.patch + +# t: avoid git config syntax from newer releases +# +# https://github.com/git/git/commit/428c9241c6918f52ac22fb8e83ce7c736a2f5e00 +Patch8: git-2.43.7-t-avoid-git-config-syntax-from-newer-releases.patch %if %{with docs} # pod2man is needed to build Git.3pm @@ -1125,10 +1129,13 @@ rmdir --ignore-fail-on-non-empty "$testdir" %{?with_docs:%{_pkgdocdir}/git-svn.html} %changelog -* Thu Jul 10 2025 Hong Wei Qin - 2.43.5-3.0.1 -- Fix CVE-2025-48384 +* Wed Jul 23 2025 Hong Wei Qin - 2.43.7-1.0.1 - Skip 7450.49 1300.220 5570.22 test +* Fri Jul 11 2025 Ondřej Pohořelský - 2.43.7-1 +- update to 2.43.7 +- Resolves: RHEL-102440, RHEL-102454, RHEL-102674, RHEL-102680 + * Fri Apr 04 2025 Ondřej Pohořelský - 2.43.5-3 - add the option to sanitize sideband channel messages - Resolves: RHEL-74177
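Review bot: The `@@ -150,7 +150,11 @@` hunk of git.spec drops `Patch100` (the downstream copy of upstream 05e9cd64ee) with no comment saying where that fix now comes from, and the `%changelog` hunk deletes the only `- Fix CVE-2025-48384` line, so after this commit nothing in the spec records that the CVE is still addressed. The Patch8 message calls 05e9cd64ee part of a recent security release, which suggests the 2.43.7 tarball carries it, but that should be confirmed against the unpacked `config.c` and then stated, e.g. `- Drop Patch100; CVE-2025-48384 fix is included in 2.43.7` in the new changelog entry. The retained `- Skip 7450.49 1300.220 5570.22 test` line also deserves a second look: t7450 and t1300 are the scripts holding the regression tests for this fix, and Patch8 exists to make them run with 2.43's `git config` syntax, so if those numbers are the two CR tests the skip should be removed rather than carried forward. The skip list itself is outside the visible hunks.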