pkgsrc-Changes archive
CVS commit: pkgsrc/devel/py-dulwich
Module Name: pkgsrc
Committed By: adam
Date: Fri May 29 10:17:51 UTC 2026
Modified Files:
pkgsrc/devel/py-dulwich: Makefile distinfo
Log Message:
py-dulwich: updated to 1.2.5
1.2.5 2026-05-28
* SECURITY(GHSA-gfhv-vqv2-4544): Validate submodule paths in
``porcelain.submodule_update`` (and thus
``porcelain.clone(recurse_submodules=True)``). A crafted upstream
repository could carry a submodule whose path was ``.git/hooks`` (or
any other path inside ``.git`` or above the work tree), causing the
submodule's tree contents to be written there with their executable
bits intact -- dropping a hook that later commands would run. Submodule
paths are now rejected if they are absolute or carry a component that
the configured path validator refuses, and the submodule's own tree is
materialized with the same validator. This is the dulwich analogue of git's
CVE-2024-32002 / CVE-2024-32004.
(Jelmer Vernooij; reported by tonghuaroot)
* SECURITY(CVE-2026-42305): Harden tree path validation against entry
names that are harmless on POSIX but dangerous when checked out on
Windows. A crafted tree could previously carry such names through to
the work tree. ``validate_path_element_ntfs`` now also rejects:
- Windows path separators, so an entry named
``.git\hooks\pre-commit.exe`` can no longer materialize a file
inside ``.git`` that Git for Windows would execute.
- The alternate data stream marker ``:`` (e.g.
``.git::$INDEX_ALLOCATION``, which writes into ``.git`` directly).
- NTFS 8.3 short-name aliases of ``.git`` (``git~<digits>``); only
``git~1`` was rejected before.
- Reserved Windows device names (``CON``, ``PRN``, ``AUX``, ``NUL``,
``COM1``-``COM9``, ``LPT1``-``LPT9``), including with an extension or
trailing dots/spaces such as ``NUL.txt`` or ``COM1 .bar``.
In addition, ``core.protectNTFS`` now defaults to true on every
platform (matching git after CVE-2019-1353), so a POSIX clone no longer
accepts paths that would be unsafe on a later Windows clone, and both
``core.protectNTFS`` and ``core.protectHFS`` are now read under their
correct option names, having previously been silently ignored. POSIX
users who need literal NTFS-unsafe filenames can opt out with
``core.protectNTFS=false``.
(Jelmer Vernooij; reported by Christopher Toth)
* SECURITY(CVE-2026-42563): Shell-quote values substituted into
``ProcessMergeDriver`` commands. ``%P`` is a path from the git
tree, so a malicious branch could inject shell commands when the
user had a merge driver configured that referenced ``%P``.
(Jelmer Vernooij; reported by Ravishanker Kusuma (hayageek))
* SECURITY(CVE-2026-47712): Sanitize commit subjects used in
``porcelain.format_patch`` filenames so a malicious subject (e.g.
``x/../../x``) cannot direct the generated patch outside ``outdir``.
``get_summary`` now matches git's ``format_sanitized_subject``.
(Jelmer Vernooij; reported by Christopher Toth)
* SECURITY: Honour ``receive.maxInputSize`` in
``ReceivePackHandler``. Previously a remote unauthenticated client
could send a tiny crafted pack (~174 bytes) that declared a huge
``dest_size`` in its delta header and trigger hundreds of MB of
allocation in ``apply_delta`` / ``add_thin_pack``, exhausting
server memory over ``git-receive-pack``. ``add_thin_pack`` now
accepts a ``max_input_size`` keyword (in bytes, ``0`` / ``None`` =
unlimited, matching git's semantics) and ``ReceivePackHandler``
reads ``receive.maxInputSize`` from the repository config and
passes it through. Exceeding the cap raises ``PackInputTooLarge``.
(Jelmer Vernooij; reported by Liyi, Ziyue, Strick, Maurice and Chenchen @ University of Sydney)
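The two path checks described in the first two entries, an NTFS-aware validator for a single tree-entry name and the submodule path check built on top of it, restated as an added example written for this post. This is not dulwich's own code (dulwich's real function is `validate_path_element_ntfs` in `dulwich.index`); the names `is_safe_ntfs_element`, `is_safe_submodule_path` and `unsafe_entries` are assumptions of this example, and the sample tree is constructed from the names quoted in the changelog.

```python
import re
from typing import Iterable

# Added example, not dulwich's code: restates the NTFS-aware checks the
# changelog describes. Device names reserved by Windows (CVE-2026-42305 entry).
_RESERVED_DEVICES = (
    {b"CON", b"PRN", b"AUX", b"NUL"}
    | {b"COM%d" % i for i in range(1, 10)}
    | {b"LPT%d" % i for i in range(1, 10)}
)
# 8.3 short-name aliases of .git: GIT~1, git~2, ... (only git~1 was rejected before).
_GIT_SHORTNAME = re.compile(rb"^git~\d+$", re.IGNORECASE)


def is_safe_ntfs_element(element: bytes) -> bool:
    """True if one tree-entry name is safe to check out on NTFS (hypothetical helper)."""
    if element in (b"", b".", b".."):
        return False
    # Windows strips trailing dots and spaces, so ".git." and ".git " alias ".git".
    stripped = element.rstrip(b". ")
    if not stripped or stripped.lower() == b".git":
        return False
    # Backslash is a separator on Windows: ".git\hooks\pre-commit.exe" lands inside .git.
    if b"\\" in element or b"/" in element:
        return False
    # ':' opens an alternate data stream: ".git::$INDEX_ALLOCATION" writes into .git.
    if b":" in element:
        return False
    if _GIT_SHORTNAME.match(stripped):
        return False
    # Device names stay reserved with an extension or trailing junk: "NUL.txt", "COM1 .bar".
    base = stripped.split(b".", 1)[0].rstrip(b" ").upper()
    if base in _RESERVED_DEVICES:
        return False
    return True


def is_safe_submodule_path(path: bytes) -> bool:
    """Reject absolute submodule paths and any component the element check refuses."""
    if path.startswith((b"/", b"\\")) or re.match(rb"^[A-Za-z]:", path):
        return False
    # Every component must pass, so ".git/hooks" and "../outside" are both refused.
    return all(is_safe_ntfs_element(part) for part in re.split(rb"[/\\]", path))


def unsafe_entries(names: Iterable[bytes]) -> list:
    """Filter a tree's entry names down to the ones that must not be materialized."""
    return [name for name in names if not is_safe_ntfs_element(name)]


# Constructed sample tree, using the names quoted in the changelog.
SAMPLE_TREE = [
    b"README.md",
    b".git\\hooks\\pre-commit.exe",
    b".git::$INDEX_ALLOCATION",
    b"GIT~2",
    b"NUL.txt",
    b"COM1 .bar",
    b"src",
]

if __name__ == "__main__":
    for name in unsafe_entries(SAMPLE_TREE):
        print("rejected:", name)
```

The element check is applied per path component, which is what makes the submodule case fall out of the same rule: `.git/hooks` fails on its first component and `../outside` on its `..`, without a separate list of forbidden prefixes.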
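For the last entry, the size check that `receive.maxInputSize` enables: an added example, not dulwich's `add_thin_pack` or `apply_delta`, that decodes the two size varints at the front of a git delta and refuses the declared result before any buffer for it is allocated. Git's delta header layout (base size, then result size, each a little-endian base-128 varint) is a fact; `check_delta_budget`, `within_budget`, `encode_varint` and the constructed sample headers are assumptions of this example, and `PackInputTooLarge` only mirrors the exception name the changelog gives.

```python
from typing import Optional, Tuple

# Added example, not dulwich's add_thin_pack/apply_delta: the cap that
# receive.maxInputSize enables, applied to a delta header before the result
# buffer exists. The exception name mirrors the changelog entry.


class PackInputTooLarge(ValueError):
    """A delta declared a result bigger than the configured receive.maxInputSize."""


def decode_varint(data: bytes, offset: int = 0) -> Tuple[int, int]:
    """Decode git's little-endian base-128 varint; return (value, next offset)."""
    value = shift = 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated delta header")
        byte = data[offset]
        offset += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, offset


def encode_varint(n: int) -> bytes:
    """Inverse of decode_varint, used only to build the constructed samples below."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def parse_delta_header(delta: bytes) -> Tuple[int, int, int]:
    """Return (base_size, dest_size, body_offset) from a delta's two leading varints."""
    base_size, off = decode_varint(delta, 0)
    dest_size, off = decode_varint(delta, off)
    return base_size, dest_size, off


def check_delta_budget(delta: bytes, max_input_size: Optional[int]) -> int:
    """Return the declared dest_size, or raise before anyone allocates it.

    0 / None means unlimited, the semantics the changelog describes.
    """
    _, dest_size, _ = parse_delta_header(delta)
    if max_input_size and dest_size > max_input_size:
        raise PackInputTooLarge(
            f"delta declares {dest_size} bytes, receive.maxInputSize is {max_input_size}"
        )
    return dest_size


def within_budget(delta: bytes, max_input_size: Optional[int]) -> bool:
    """True if the delta would be accepted under the cap, False if it is refused."""
    try:
        check_delta_budget(delta, max_input_size)
    except PackInputTooLarge:
        return False
    return True


# Constructed samples: five header bytes declaring a 200 MB result (the shape
# of the "tiny pack, huge dest_size" case in the changelog) beside an honest
# header. The delta body plays no part in the check, so it is omitted.
CRAFTED_DELTA = encode_varint(0) + encode_varint(200_000_000)
HONEST_DELTA = encode_varint(1024) + encode_varint(1500)
CAP_10_MB = 10 * 1024 * 1024

if __name__ == "__main__":
    print(parse_delta_header(CRAFTED_DELTA))
    print("crafted accepted under 10 MB cap:", within_budget(CRAFTED_DELTA, CAP_10_MB))
    print("honest accepted under 10 MB cap:", within_budget(HONEST_DELTA, CAP_10_MB))
```

The point of reading `dest_size` first is that the decision costs a handful of bytes of parsing, whereas honouring the declared size costs the full allocation; a server that enforces the cap here spends nothing on a header it is going to reject.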
To generate a diff of this commit:
cvs rdiff -u -r1.80 -r1.81 pkgsrc/devel/py-dulwich/Makefile
cvs rdiff -u -r1.75 -r1.76 pkgsrc/devel/py-dulwich/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/devel/py-dulwich/Makefile
diff -u pkgsrc/devel/py-dulwich/Makefile:1.80 pkgsrc/devel/py-dulwich/Makefile:1.81
--- pkgsrc/devel/py-dulwich/Makefile:1.80 Mon May 25 10:14:34 2026
+++ pkgsrc/devel/py-dulwich/Makefile Fri May 29 10:17:51 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.80 2026/05/25 10:14:34 adam Exp $
+# $NetBSD: Makefile,v 1.81 2026/05/29 10:17:51 adam Exp $
-DISTNAME= dulwich-1.2.4
+DISTNAME= dulwich-1.2.5
PKGNAME= ${PYPKGPREFIX}-${DISTNAME}
CATEGORIES= devel python
MASTER_SITES= ${MASTER_SITE_PYPI:=d/dulwich/}
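Review bot: the only functional change in this hunk is DISTNAME moving from dulwich-1.2.4 to dulwich-1.2.5; since PKGNAME is derived as ${PYPKGPREFIX}-${DISTNAME}, nothing else in the visible lines needs to follow, but confirm that no PKGREVISION left over from 1.2.4 survives elsewhere in the Makefile, as a new upstream release has to start at revision zero. Because the log message lists GHSA-gfhv-vqv2-4544 and CVE-2026-42305, CVE-2026-42563 and CVE-2026-47712 as fixed by this release, the vulnerable range (py-dulwich below 1.2.5) should also be recorded in the pkgsrc vulnerabilities list so that pkg_admin audit flags installations still on 1.2.4.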
Index: pkgsrc/devel/py-dulwich/distinfo
diff -u pkgsrc/devel/py-dulwich/distinfo:1.75 pkgsrc/devel/py-dulwich/distinfo:1.76
--- pkgsrc/devel/py-dulwich/distinfo:1.75 Mon May 25 10:14:34 2026
+++ pkgsrc/devel/py-dulwich/distinfo Fri May 29 10:17:51 2026
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.75 2026/05/25 10:14:34 adam Exp $
+$NetBSD: distinfo,v 1.76 2026/05/29 10:17:51 adam Exp $
BLAKE2s (bstr-1.12.1.crate) = bf738250e22e04ffa6d9ae59e16bec4997bc7307983bb39e1672cea8cba81d6f
SHA512 (bstr-1.12.1.crate) = 63a1e62d43c4dce00f287421b1ec76accbbab7f0897c8df26227f533af325896c0c8921a873f4125381e7b89fbb69a4358a96698ec6ee61191955464ff1c84ac
Size (bstr-1.12.1.crate) = 354916 bytes
-BLAKE2s (dulwich-1.2.4.tar.gz) = 72f78576b1b1a927bcddc158fdaba88b12ed329ab5b40fefdef84c5c29f46717
-SHA512 (dulwich-1.2.4.tar.gz) = 2e0679cd0267ae2857a254a1b750ca861eaf2b313611d739b0e894e293d6c09a41ca81fbb444ce4a07db83249840b67deb26fb52a51821b7f91f57e189db1a4c
-Size (dulwich-1.2.4.tar.gz) = 1243653 bytes
+BLAKE2s (dulwich-1.2.5.tar.gz) = a7866afef015c15ae8e885263b018eed2c03c3ac2a6d493dd65c8fa4142032e9
+SHA512 (dulwich-1.2.5.tar.gz) = 60a4bded1e8cb8cbb3139b74fdc3f0610398cd41337b3076728e3b9b9977416731149b7945ca8422c43c0c426870efc609dae3a1008083478edcec5df4e6232a
+Size (dulwich-1.2.5.tar.gz) = 1253230 bytes
BLAKE2s (heck-0.5.0.crate) = 0bc71a5746c9d1e7c913d096fb68f1d422464744e18adc592540b291882f5660
SHA512 (heck-0.5.0.crate) = f044fc9c3d22466629fd8f772ec0555350fd611c0cfadca51d99a3d2f10e155f77c1091916c8a95a6b9b499f366c2e99a5fbf45b010f988bfb9b2501bf9f6a76
Size (heck-0.5.0.crate) = 11517 bytes
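Review bot: the three tarball lines are replaced consistently (BLAKE2s, SHA512 and Size all move to 1.2.5, with the size going from 1243653 to 1253230 bytes), and the crate entries for bstr-1.12.1 and heck-0.5.0 are untouched, which matches the Makefile hunk bumping only DISTNAME and no crate versions. Since this update exists to pick up security fixes, it would be worth stating in the log message that the new SHA512 was compared with the sdist digest PyPI publishes for dulwich 1.2.5 (the MASTER_SITES source) rather than only regenerated from the downloaded file, so that a tampered download could not be enshrined as the reference checksum.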