CVS commit: [pkgsrc-2019Q3] pkgsrc/devel

["Benny Siegert" <bsiegert%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Thu Dec 12 11:50:51 UTC 2019

Modified Files:
        pkgsrc/devel/git [pkgsrc-2019Q3]: Makefile.version
        pkgsrc/devel/git-base [pkgsrc-2019Q3]: Makefile distinfo

Log Message:
Pullup ticket #6099 - requested by leot
devel/git: security fix (update to 2.23.1)

Via patch.

---
   Changes:
   2.23.1
   ======
   This release merges up the fixes that appear in v2.14.6, v2.15.4,
   v2.17.3, v2.20.2 and in v2.21.1, addressing the security issues
   CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351,
   CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, and
   CVE-2019-19604.

    * CVE-2019-1348:
      The --export-marks option of git fast-import is exposed also via
      the in-stream command feature export-marks=... and it allows
      overwriting arbitrary paths.

    * CVE-2019-1349:
      When submodules are cloned recursively, under certain circumstances
      Git could be fooled into using the same Git directory twice. We now
      require the directory to be empty.

    * CVE-2019-1350:
      Incorrect quoting of command-line arguments allowed remote code
      execution during a recursive clone in conjunction with SSH URLs.

    * CVE-2019-1351:
      While the only permitted drive letters for physical drives on
      Windows are letters of the US-English alphabet, this restriction
      does not apply to virtual drives assigned via subst <letter>:
      <path>. Git mistook such paths for relative paths, allowing writing
      outside of the worktree while cloning.

    * CVE-2019-1352:
      Git was unaware of NTFS Alternate Data Streams, allowing files
      inside the .git/ directory to be overwritten during a clone.

    * CVE-2019-1353:
      When running Git in the Windows Subsystem for Linux (also known as
      "WSL") while accessing a working directory on a regular Windows
      drive, none of the NTFS protections were active.

    * CVE-2019-1354:
      Filenames on Linux/Unix can contain backslashes. On Windows,
      backslashes are directory separators. Git did not use to refuse to
      write out tracked files with such filenames.

    * CVE-2019-1387:
      Recursive clones are currently affected by a vulnerability that is
      caused by too-lax validation of submodule names, allowing very
      targeted attacks via remote code execution in recursive clones.

   Credit for finding these vulnerabilities goes to Microsoft Security
   Response Center, in particular to Nicolas Joly. The `fast-import`
   fixes were provided by Jeff King, the other fixes by Johannes
   Schindelin with help from Garima Singh.

    * CVE-2019-19604:
      The change to disallow `submodule.<name>.update=!command` entries in
      `.gitmodules` which was introduced v2.15.4 (and for which v2.17.3
      added explicit fsck checks) fixes the vulnerability in v2.20.x where
      a recursive clone followed by a submodule update could execute code
      contained within the repository without the user explicitly having
      asked for that.

   Credit for finding this vulnerability goes to Joern Schneeweisz,
   credit for the fixes goes to Jonathan Nieder.


To generate a diff of this commit:
cvs rdiff -u -r1.80 -r1.80.2.1 pkgsrc/devel/git/Makefile.version
cvs rdiff -u -r1.68 -r1.68.2.1 pkgsrc/devel/git-base/Makefile
cvs rdiff -u -r1.90 -r1.90.2.1 pkgsrc/devel/git-base/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/git/Makefile.version
diff -u pkgsrc/devel/git/Makefile.version:1.80 pkgsrc/devel/git/Makefile.version:1.80.2.1
--- pkgsrc/devel/git/Makefile.version:1.80      Tue Aug 20 13:00:02 2019
+++ pkgsrc/devel/git/Makefile.version   Thu Dec 12 11:50:51 2019
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile.version,v 1.80 2019/08/20 13:00:02 adam Exp $
+# $NetBSD: Makefile.version,v 1.80.2.1 2019/12/12 11:50:51 bsiegert Exp $
 #
 # used by devel/git/Makefile.common
 # used by devel/git-cvs/Makefile
 # used by devel/git-svn/Makefile
 
-GIT_VERSION=   2.23.0
+GIT_VERSION=   2.23.1

Index: pkgsrc/devel/git-base/Makefile
diff -u pkgsrc/devel/git-base/Makefile:1.68 pkgsrc/devel/git-base/Makefile:1.68.2.1
--- pkgsrc/devel/git-base/Makefile:1.68 Thu Aug 22 12:23:00 2019
+++ pkgsrc/devel/git-base/Makefile      Thu Dec 12 11:50:51 2019
@@ -1,6 +1,5 @@
-# $NetBSD: Makefile,v 1.68 2019/08/22 12:23:00 ryoon Exp $
+# $NetBSD: Makefile,v 1.68.2.1 2019/12/12 11:50:51 bsiegert Exp $
 
-PKGREVISION= 1
 .include "../../devel/git/Makefile.common"
 
 PKGNAME=       git-base-${GIT_VERSION}

Index: pkgsrc/devel/git-base/distinfo
diff -u pkgsrc/devel/git-base/distinfo:1.90 pkgsrc/devel/git-base/distinfo:1.90.2.1
--- pkgsrc/devel/git-base/distinfo:1.90 Tue Aug 20 13:00:02 2019
+++ pkgsrc/devel/git-base/distinfo      Thu Dec 12 11:50:51 2019
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.90 2019/08/20 13:00:02 adam Exp $
+$NetBSD: distinfo,v 1.90.2.1 2019/12/12 11:50:51 bsiegert Exp $
 
-SHA1 (git-2.23.0.tar.xz) = fc627f8cb994c60ae6c4580ca514af2a18c464d7
-RMD160 (git-2.23.0.tar.xz) = fc260e2f2e762f0156ba0639853d8708cffe5b38
-SHA512 (git-2.23.0.tar.xz) = c0bb29b3689ec2e157f90df849599ca149a08fc0c69f6a68b1f3219b6335d521983e6ed58cd364b86398e4dcf9e84892fb9eded79a1c97b74150edca299cf671
-Size (git-2.23.0.tar.xz) = 5707148 bytes
+SHA1 (git-2.23.1.tar.xz) = 1930a8df36a193a7b5792b47ef3a904217b55bd9
+RMD160 (git-2.23.1.tar.xz) = 03e9b6d68114517d81412f4674fe46d8a7818df0
+SHA512 (git-2.23.1.tar.xz) = 708f8b9a7c65c1c9d3117b1b7ee9383044b66fe8a5c168a52ba561985670f659d514aa34988ea8ba85c127da6a23c39c511919a6d661bffc9cf782e30fd62373
+Size (git-2.23.1.tar.xz) = 5713672 bytes
 SHA1 (patch-Makefile) = 73741b9d9a1b32bb47db48a7c546c4ff10fb41d6
 SHA1 (patch-ac) = e5d2112d158fe493a89b244a10d2e4b998a23d98
 SHA1 (patch-af) = 06460f220b4703a1ff98809006ec1aed5017bb23