ping

> -----Original Message-----
> From: [email protected] <openembedded-[email protected]> On Behalf Of Tim Orling
> Sent: Tuesday, October 25, 2022 4:09 AM
> To: [email protected]
> Cc: Tim Orling <[email protected]>
> Subject: [OE-core] [langdale][PATCH] git: upgrade 2.37.3 -> 2.37.4
>
> https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.37.4.txt
>
> Git 2.37.4 Release Notes
> ========================
>
> This primarily is to backport various fixes accumulated on the 'master'
> front since 2.37.3, and also includes the same security fixes as in v2.30.6.
>
> Fixes since v2.37.3
> -------------------
>
> * CVE-2022-39253:
>   When relying on the `--local` clone optimization, Git dereferences
>   symbolic links in the source repository before creating hardlinks
>   (or copies) of the dereferenced link in the destination repository.
>   This can lead to surprising behavior where arbitrary files are
>   present in a repository's `$GIT_DIR` when cloning from a malicious
>   repository.
>
>   Git will no longer dereference symbolic links via the `--local`
>   clone mechanism, and will instead refuse to clone repositories that
>   have symbolic links present in the `$GIT_DIR/objects` directory.
>
>   Additionally, the value of `protocol.file.allow` is changed to be
>   "user" by default.
>
>   Credit for finding CVE-2022-39253 goes to Cory Snider of Mirantis.
>   The fix was authored by Taylor Blau, with help from Johannes
>   Schindelin.
>
> * CVE-2022-39260:
>   An overly-long command string given to `git shell` can result in
>   overflow in `split_cmdline()`, leading to arbitrary heap writes and
>   remote code execution when `git shell` is exposed and the directory
>   `$HOME/git-shell-commands` exists.
>
>   `git shell` is taught to refuse interactive commands that are
>   longer than 4MiB in size. `split_cmdline()` is hardened to reject
>   inputs larger than 2GiB.
>
>   Credit for finding CVE-2022-39260 goes to Kevin Backhouse of
>   GitHub. The fix was authored by Kevin Backhouse, Jeff King, and
>   Taylor Blau.
>
> * An earlier optimization discarded a tree-object buffer that is
>   still in use, which has been corrected.
>
> * Fix deadlocks between main Git process and subprocess spawned via
>   the pipe_command() API, that can kill "git add -p" that was
>   reimplemented in C recently.
>
> * xcalloc(), imitating calloc(), takes "number of elements of the
>   array", and "size of a single element", in this order. A call that
>   does not follow this ordering has been corrected.
>
> * The preload-index codepath made copies of pathspec to give to
>   multiple threads, which were left leaked.
>
> * Update the version of Ubuntu used for GitHub Actions CI from 18.04
>   to 22.04.
>
> * The auto-stashed local changes created by "git merge --autostash"
>   was mixed into a conflicted state left in the working tree, which
>   has been corrected.
>
> Also contains other minor documentation updates and code clean-ups.
>
> Signed-off-by: Tim Orling <[email protected]>
> ---
>  meta/recipes-devtools/git/{git_2.37.3.bb => git_2.37.4.bb} | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>  rename meta/recipes-devtools/git/{git_2.37.3.bb => git_2.37.4.bb} (98%)
>
> diff --git a/meta/recipes-devtools/git/git_2.37.3.bb b/meta/recipes-devtools/git/git_2.37.4.bb
> similarity index 98%
> rename from meta/recipes-devtools/git/git_2.37.3.bb
> rename to meta/recipes-devtools/git/git_2.37.4.bb
> index 2eed85e807f..2205a50d160 100644
> --- a/meta/recipes-devtools/git/git_2.37.3.bb
> +++ b/meta/recipes-devtools/git/git_2.37.4.bb
> @@ -165,4 +165,4 @@ EXTRA_OECONF += > "ac_cv_snprintf_returns_bogus=no \ > " > EXTRA_OEMAKE += "NO_GETTEXT=1" > > -SRC_URI[tarball.sha256sum] = > "181f65587155ea48c682f63135678ec53055adf1532428752912d356e46b64a8" > +SRC_URI[tarball.sha256sum] = > "a638c9bf9e45e8d48592076266adaa9b7aa272a99ee2aee2e166a649a9ba8a03" > -- > 2.30.2
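Review bot: the only changed line in this hunk is SRC_URI[tarball.sha256sum], so the new value a638c9bf9e45e8d48592076266adaa9b7aa272a99ee2aee2e166a649a9ba8a03 is the sole integrity guarantee for the 2.37.4 tarball; since the upgrade is motivated by CVE-2022-39253 and CVE-2022-39260, the commit message should say the checksum was taken from the upstream release tarball and checked against the upstream signature rather than from a locally fetched copy. The SRC_URI line itself is outside the hunk, and the recipe version comes from the renamed file name git_2.37.4.bb, so the rename is what selects the new tarball and a mismatched checksum here would fail at fetch time, which is the behaviour to confirm on a test build.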
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#173669): https://lists.openembedded.org/g/openembedded-core/message/173669
Mute This Topic: https://lists.openembedded.org/mt/94543857/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
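The CVE-2022-39253 entry quoted above says patched Git refuses a `--local` clone when `$GIT_DIR/objects` contains symbolic links. The following pre-clone check reproduces that test outside Git, so a host that still runs an older client (for example a build host whose git recipe has not yet been bumped to 2.37.4) can screen a local source repository before cloning it. This is an added example, not code from the patch, from Git or from the OE-core recipe; the function names, the bare/non-bare layout detection and the two demonstration repositories built in a temporary directory are all constructed for this illustration.

```python
"""Pre-clone screen for symlinks under a repository's objects directory.

Added example mirroring the hardening described in the Git 2.37.4 release
notes for CVE-2022-39253: a patched Git refuses to clone with --local when
$GIT_DIR/objects contains symbolic links. This check reports such links
so an unpatched client can decline the local clone. All names and sample
repositories here are constructed for the demonstration.
"""
import os
import tempfile


def resolve_git_dir(repo: str) -> str:
    """Return $GIT_DIR for a bare repo (objects/ at top level) or a
    non-bare checkout (objects/ under .git/). Constructed helper."""
    if os.path.isdir(os.path.join(repo, "objects")):
        return repo
    return os.path.join(repo, ".git")


def find_symlinks_in_objects(git_dir: str) -> list[str]:
    """List every symlink (file or directory) below $GIT_DIR/objects,
    relative to $GIT_DIR. os.walk does not follow directory symlinks,
    so a linked directory shows up in `dirs` without being descended."""
    objects = os.path.join(git_dir, "objects")
    found = []
    for root, dirs, files in os.walk(objects):
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                found.append(os.path.relpath(path, git_dir))
    return sorted(found)


def safe_for_local_clone(repo: str) -> bool:
    """True when the objects directory has no symlinks, i.e. the same
    condition a 2.37.4 client requires before honouring --local."""
    return not find_symlinks_in_objects(resolve_git_dir(repo))


def build_demo_repos(base: str) -> tuple[str, str]:
    """Construct two bare-repository skeletons under `base`: one clean,
    one with a file symlink and a directory symlink inside objects/."""
    clean = os.path.join(base, "clean.git")
    os.makedirs(os.path.join(clean, "objects", "pack"))
    os.makedirs(os.path.join(clean, "refs"))

    bad = os.path.join(base, "bad.git")
    os.makedirs(os.path.join(bad, "objects"))
    os.makedirs(os.path.join(bad, "refs"))
    outside_file = os.path.join(base, "outside.txt")
    with open(outside_file, "w") as fh:
        fh.write("not a git object\n")
    outside_dir = os.path.join(base, "outside_dir")
    os.makedirs(outside_dir)
    # Links pointing outside the repository: the pattern the release
    # notes describe, where a --local clone would have dereferenced them.
    os.symlink(outside_file, os.path.join(bad, "objects", "info"))
    os.symlink(outside_dir, os.path.join(bad, "objects", "pack"))
    return clean, bad


def run_demo() -> dict:
    """Build the constructed repositories and return the check results."""
    with tempfile.TemporaryDirectory() as base:
        clean, bad = build_demo_repos(base)
        return {
            "clean_ok": safe_for_local_clone(clean),
            "bad_ok": safe_for_local_clone(bad),
            "bad_links": find_symlinks_in_objects(resolve_git_dir(bad)),
        }


if __name__ == "__main__":
    result = run_demo()
    print("clean repo safe for --local clone:", result["clean_ok"])
    print("bad repo safe for --local clone:  ", result["bad_ok"])
    print("symlinks found in bad repo:", result["bad_links"])
```

Run it on a real repository with `safe_for_local_clone("/path/to/repo")`; a `False` result means the same repository would be rejected by a patched client, and the link list from `find_symlinks_in_objects` shows what an older client would have dereferenced.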
