pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: [pkgsrc-2022Q4] pkgsrc/devel
Module Name: pkgsrc
Committed By: bsiegert
Date: Mon Jan 30 13:50:14 UTC 2023
Modified Files:
pkgsrc/devel/git [pkgsrc-2022Q4]: Makefile.version
pkgsrc/devel/git-base [pkgsrc-2022Q4]: distinfo
Log Message:
Pullup ticket #6727 - requested by otis
devel/git: security fix
Revisions pulled up:
- devel/git-base/distinfo 1.130
- devel/git/Makefile.version 1.114
---
Module Name: pkgsrc
Committed By: otis
Date: Wed Jan 18 15:44:25 UTC 2023
Modified Files:
pkgsrc/devel/git: Makefile.version
pkgsrc/devel/git-base: distinfo
Log Message:
Git 2.39.1 release notes
========================
This maintenance releass is to address the security issues
identified as CVE-2022-41903 and CVE-2022-23521.
* CVE-2022-41903:
git log has the ability to display commits using an arbitrary
format with its --format specifiers. This functionality is also
exposed to git archive via the export-subst gitattribute.
When processing the padding operators (e.g., %<(, %<|(, %>(,
%>>(, or %><( ), an integer overflow can occur in
pretty.c::format_and_pad_commit() where a size_t is improperly
stored as an int, and then added as an offset to a subsequent
memcpy() call.
This overflow can be triggered directly by a user running a
command which invokes the commit formatting machinery (e.g., git
log --format=...). It may also be triggered indirectly through
git archive via the export-subst mechanism, which expands format
specifiers inside of files within the repository during a git
archive.
This integer overflow can result in arbitrary heap writes, which
may result in remote code execution.
* CVE-2022-23521:
gitattributes are a mechanism to allow defining attributes for
paths. These attributes can be defined by adding a `.gitattributes`
file to the repository, which contains a set of file patterns and
the attributes that should be set for paths matching this pattern.
When parsing gitattributes, multiple integer overflows can occur
when there is a huge number of path patterns, a huge number of
attributes for a single pattern, or when the declared attribute
names are huge.
These overflows can be triggered via a crafted `.gitattributes` file
that may be part of the commit history. Git silently splits lines
longer than 2KB when parsing gitattributes from a file, but not when
parsing them from the index. Consequentially, the failure mode
depends on whether the file exists in the working tree, the index or
both.
This integer overflow can result in arbitrary heap reads and writes,
which may result in remote code execution.
Full release notes can be found at:
https://github.com/git/git/blob/master/Documentation/RelNotes/2.39.1.txt
https://github.com/git/git/blob/master/Documentation/RelNotes/2.30.7.txt
To generate a diff of this commit:
cvs rdiff -u -r1.113 -r1.113.2.1 pkgsrc/devel/git/Makefile.version
cvs rdiff -u -r1.129 -r1.129.2.1 pkgsrc/devel/git-base/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/devel/git/Makefile.version
diff -u pkgsrc/devel/git/Makefile.version:1.113 pkgsrc/devel/git/Makefile.version:1.113.2.1
--- pkgsrc/devel/git/Makefile.version:1.113 Mon Dec 19 10:04:34 2022
+++ pkgsrc/devel/git/Makefile.version Mon Jan 30 13:50:14 2023
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile.version,v 1.113 2022/12/19 10:04:34 adam Exp $
+# $NetBSD: Makefile.version,v 1.113.2.1 2023/01/30 13:50:14 bsiegert Exp $
#
# used by devel/git/Makefile.common
# used by devel/git-cvs/Makefile
# used by devel/git-svn/Makefile
-GIT_VERSION= 2.39.0
+GIT_VERSION= 2.39.1
Index: pkgsrc/devel/git-base/distinfo
diff -u pkgsrc/devel/git-base/distinfo:1.129 pkgsrc/devel/git-base/distinfo:1.129.2.1
--- pkgsrc/devel/git-base/distinfo:1.129 Mon Dec 19 10:04:34 2022
+++ pkgsrc/devel/git-base/distinfo Mon Jan 30 13:50:14 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.129 2022/12/19 10:04:34 adam Exp $
+$NetBSD: distinfo,v 1.129.2.1 2023/01/30 13:50:14 bsiegert Exp $
-BLAKE2s (git-2.39.0.tar.xz) = 2ac4066180bc7aa3e9dda398faa5a1eba0bbaa814b403c48b1dedda6d7c1e8fa
-SHA512 (git-2.39.0.tar.xz) = f072cae7738279b1c0f8202e83a243ff0164b03d3be22895aa875caa265150a5773e1f062724b3eb82bc64b163730b6f451b82fa0c904167a8fa53ced5d3b1df
-Size (git-2.39.0.tar.xz) = 7157548 bytes
+BLAKE2s (git-2.39.1.tar.xz) = e63ae37df4ef801612377a04509ea10e1bc8fe08f3690c70369f3ed345355360
+SHA512 (git-2.39.1.tar.xz) = b1821a814947f01adf98206a7e9a01da9daa617b1192e8ef6968b05af8d874f028fb26b5f828a9c48f734ef2c276f4d23bdc898ba46fb7aaa96dbe68081037e9
+Size (git-2.39.1.tar.xz) = 7160744 bytes
SHA1 (patch-Documentation_Makefile) = 6025adac0fbb4b403f3954e6dac9d690dfb22daa
SHA1 (patch-Makefile) = 683a2fdf69c3cb5814fcc59360be2eba91cb88a7
SHA1 (patch-config.mak.uname) = 5316873147acf5b6ef29e426946280bb6441c886
Home |
Main Index |
Thread Index |
Old Index