Hello community,

here is the log from the commit of package git for openSUSE:Factory checked in 
at 2020-04-19 21:35:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/git (Old)
 and      /work/SRC/openSUSE:Factory/.git.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "git"

Sun Apr 19 21:35:26 2020 rev:247 rq:795368 version:2.26.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/git/git.changes  2020-04-04 12:16:21.939456253 
+0200
+++ /work/SRC/openSUSE:Factory/.git.new.2738/git.changes        2020-04-19 
21:35:32.738402061 +0200
@@ -1,0 +2,14 @@
+Fri Apr 17 17:56:32 UTC 2020 - Michal Suchanek <[email protected]>
+
+- Fix git-daemon not starting after conversion from sysvinit to systemd service
+  (bsc#1169605).
+
+-------------------------------------------------------------------
+Tue Apr 14 18:32:57 UTC 2020 - Andreas Stieger <[email protected]>
+
+- git 2.26.1:
+  * CVE-2020-5260: Specially crafted URLs with newline characters
+    could have been used to make the Git client to send credential
+    information for a wrong host to the attacker's site boo#1168930
+    
+-------------------------------------------------------------------

Old:
----
  git-2.26.0.tar.sign
  git-2.26.0.tar.xz

New:
----
  git-2.26.1.tar.sign
  git-2.26.1.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ git.spec ++++++
--- /var/tmp/diff_new_pack.Hn1zNZ/_old  2020-04-19 21:35:33.462403555 +0200
+++ /var/tmp/diff_new_pack.Hn1zNZ/_new  2020-04-19 21:35:33.462403555 +0200
@@ -32,7 +32,7 @@
 %endif
 
 Name:           git
-Version:        2.26.0
+Version:        2.26.1
 Release:        0
 Summary:        Fast, scalable, distributed revision control system
 License:        GPL-2.0-only

++++++ git-2.26.0.tar.xz -> git-2.26.1.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/Documentation/RelNotes/2.17.4.txt 
new/git-2.26.1/Documentation/RelNotes/2.17.4.txt
--- old/git-2.26.0/Documentation/RelNotes/2.17.4.txt    1970-01-01 
01:00:00.000000000 +0100
+++ new/git-2.26.1/Documentation/RelNotes/2.17.4.txt    2020-04-14 
03:51:03.000000000 +0200
@@ -0,0 +1,16 @@
+Git v2.17.4 Release Notes
+=========================
+
+This release is to address the security issue: CVE-2020-5260
+
+Fixes since v2.17.3
+-------------------
+
+ * With a crafted URL that contains a newline in it, the credential
+   helper machinery can be fooled to give credential information for
+   a wrong host.  The attack has been made impossible by forbidding
+   a newline character in any value passed via the credential
+   protocol.
+
+Credit for finding the vulnerability goes to Felix Wilhelm of Google
+Project Zero.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/Documentation/RelNotes/2.18.3.txt 
new/git-2.26.1/Documentation/RelNotes/2.18.3.txt
--- old/git-2.26.0/Documentation/RelNotes/2.18.3.txt    1970-01-01 
01:00:00.000000000 +0100
+++ new/git-2.26.1/Documentation/RelNotes/2.18.3.txt    2020-04-14 
03:51:03.000000000 +0200
@@ -0,0 +1,5 @@
+Git v2.18.3 Release Notes
+=========================
+
+This release merges the security fix that appears in v2.17.4; see
+the release notes for that version for details.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/Documentation/RelNotes/2.19.4.txt 
new/git-2.26.1/Documentation/RelNotes/2.19.4.txt
--- old/git-2.26.0/Documentation/RelNotes/2.19.4.txt    1970-01-01 
01:00:00.000000000 +0100
+++ new/git-2.26.1/Documentation/RelNotes/2.19.4.txt    2020-04-14 
03:51:03.000000000 +0200
@@ -0,0 +1,5 @@
+Git v2.19.4 Release Notes
+=========================
+
+This release merges the security fix that appears in v2.17.4; see
+the release notes for that version for details.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/Documentation/RelNotes/2.20.3.txt 
new/git-2.26.1/Documentation/RelNotes/2.20.3.txt
--- old/git-2.26.0/Documentation/RelNotes/2.20.3.txt    1970-01-01 
01:00:00.000000000 +0100
+++ new/git-2.26.1/Documentation/RelNotes/2.20.3.txt    2020-04-14 
03:51:03.000000000 +0200
@@ -0,0 +1,5 @@
+Git v2.20.3 Release Notes
+=========================
+
+This release merges the security fix that appears in v2.17.4; see
+the release notes for that version for details.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/Documentation/RelNotes/2.21.2.txt 
new/git-2.26.1/Documentation/RelNotes/2.21.2.txt
--- old/git-2.26.0/Documentation/RelNotes/2.21.2.txt    1970-01-01 
01:00:00.000000000 +0100
+++ new/git-2.26.1/Documentation/RelNotes/2.21.2.txt    2020-04-14 
03:51:03.000000000 +0200
@@ -0,0 +1,5 @@
+Git v2.21.2 Release Notes
+=========================
+
+This release merges the security fix that appears in v2.17.4; see
+the release notes for that version for details.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/Documentation/RelNotes/2.22.3.txt 
new/git-2.26.1/Documentation/RelNotes/2.22.3.txt
--- old/git-2.26.0/Documentation/RelNotes/2.22.3.txt    1970-01-01 
01:00:00.000000000 +0100
+++ new/git-2.26.1/Documentation/RelNotes/2.22.3.txt    2020-04-14 
03:51:03.000000000 +0200
@@ -0,0 +1,5 @@
+Git v2.22.3 Release Notes
+=========================
+
+This release merges the security fix that appears in v2.17.4; see
+the release notes for that version for details.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/Documentation/RelNotes/2.23.2.txt 
new/git-2.26.1/Documentation/RelNotes/2.23.2.txt
--- old/git-2.26.0/Documentation/RelNotes/2.23.2.txt    1970-01-01 
01:00:00.000000000 +0100
+++ new/git-2.26.1/Documentation/RelNotes/2.23.2.txt    2020-04-14 
03:51:03.000000000 +0200
@@ -0,0 +1,5 @@
+Git v2.23.2 Release Notes
+=========================
+
+This release merges the security fix that appears in v2.17.4; see
+the release notes for that version for details.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/Documentation/RelNotes/2.24.2.txt 
new/git-2.26.1/Documentation/RelNotes/2.24.2.txt
--- old/git-2.26.0/Documentation/RelNotes/2.24.2.txt    1970-01-01 
01:00:00.000000000 +0100
+++ new/git-2.26.1/Documentation/RelNotes/2.24.2.txt    2020-04-14 
03:51:03.000000000 +0200
@@ -0,0 +1,5 @@
+Git v2.24.2 Release Notes
+=========================
+
+This release merges the security fix that appears in v2.17.4; see
+the release notes for that version for details.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/Documentation/RelNotes/2.25.3.txt 
new/git-2.26.1/Documentation/RelNotes/2.25.3.txt
--- old/git-2.26.0/Documentation/RelNotes/2.25.3.txt    1970-01-01 
01:00:00.000000000 +0100
+++ new/git-2.26.1/Documentation/RelNotes/2.25.3.txt    2020-04-14 
03:51:03.000000000 +0200
@@ -0,0 +1,5 @@
+Git v2.25.3 Release Notes
+=========================
+
+This release merges the security fix that appears in v2.17.4; see
+the release notes for that version for details.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/Documentation/RelNotes/2.26.1.txt 
new/git-2.26.1/Documentation/RelNotes/2.26.1.txt
--- old/git-2.26.0/Documentation/RelNotes/2.26.1.txt    1970-01-01 
01:00:00.000000000 +0100
+++ new/git-2.26.1/Documentation/RelNotes/2.26.1.txt    2020-04-14 
03:51:03.000000000 +0200
@@ -0,0 +1,5 @@
+Git v2.26.1 Release Notes
+=========================
+
+This release merges the security fix that appears in v2.17.4; see
+the release notes for that version for details.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/GIT-VERSION-GEN 
new/git-2.26.1/GIT-VERSION-GEN
--- old/git-2.26.0/GIT-VERSION-GEN      2020-03-23 01:19:47.000000000 +0100
+++ new/git-2.26.1/GIT-VERSION-GEN      2020-04-14 03:51:03.000000000 +0200
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 GVF=GIT-VERSION-FILE
-DEF_VER=v2.26.0
+DEF_VER=v2.26.1
 
 LF='
 '
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/RelNotes new/git-2.26.1/RelNotes
--- old/git-2.26.0/RelNotes     2020-04-19 21:35:34.778406269 +0200
+++ new/git-2.26.1/RelNotes     2020-04-19 21:35:34.786406285 +0200
@@ -1 +1 @@
-symbolic link to Documentation/RelNotes/2.26.0.txt
+symbolic link to Documentation/RelNotes/2.26.1.txt
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/configure new/git-2.26.1/configure
--- old/git-2.26.0/configure    2020-03-23 01:19:48.000000000 +0100
+++ new/git-2.26.1/configure    2020-04-14 03:51:03.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for git 2.26.0.
+# Generated by GNU Autoconf 2.69 for git 2.26.1.
 #
 # Report bugs to <[email protected]>.
 #
@@ -580,8 +580,8 @@
 # Identity of this package.
 PACKAGE_NAME='git'
 PACKAGE_TARNAME='git'
-PACKAGE_VERSION='2.26.0'
-PACKAGE_STRING='git 2.26.0'
+PACKAGE_VERSION='2.26.1'
+PACKAGE_STRING='git 2.26.1'
 PACKAGE_BUGREPORT='[email protected]'
 PACKAGE_URL=''
 
@@ -1265,7 +1265,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures git 2.26.0 to adapt to many kinds of systems.
+\`configure' configures git 2.26.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1327,7 +1327,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of git 2.26.0:";;
+     short | recursive ) echo "Configuration of git 2.26.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1472,7 +1472,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-git configure 2.26.0
+git configure 2.26.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1952,7 +1952,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by git $as_me 2.26.0, which was
+It was created by git $as_me 2.26.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -8360,7 +8360,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by git $as_me 2.26.0, which was
+This file was extended by git $as_me 2.26.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -8417,7 +8417,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-git config.status 2.26.0
+git config.status 2.26.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/credential.c new/git-2.26.1/credential.c
--- old/git-2.26.0/credential.c 2020-03-23 01:19:47.000000000 +0100
+++ new/git-2.26.1/credential.c 2020-04-14 03:51:03.000000000 +0200
@@ -226,6 +226,8 @@
 {
        if (!value)
                return;
+       if (strchr(value, '\n'))
+               die("credential value for %s contains newline", key);
        fprintf(fp, "%s=%s\n", key, value);
 }
 
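Review bot: The newline guard added before the `fprintf` rejects only `\n`, which matches how git's own reader splits the protocol, but a helper implemented in another language may also treat `\r` as a line break and would still see an injected key=value pair; either reject `\r` as well or record the assumption. A comment on why this dies rather than truncating would also help: `/* A newline would let one value inject a second key=value line into the helper protocol; refuse outright rather than truncate. */`. credential_write_item's signature is outside the hunk.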
@@ -353,7 +355,22 @@
        c->approved = 0;
 }
 
-void credential_from_url(struct credential *c, const char *url)
+static int check_url_component(const char *url, int quiet,
+                              const char *name, const char *value)
+{
+       if (!value)
+               return 0;
+       if (!strchr(value, '\n'))
+               return 0;
+
+       if (!quiet)
+               warning(_("url contains a newline in its %s component: %s"),
+                       name, url);
+       return -1;
+}
+
+int credential_from_url_gently(struct credential *c, const char *url,
+                              int quiet)
 {
        const char *at, *colon, *cp, *slash, *host, *proto_end;
 
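Review bot: The warning in check_url_component echoes the full `url`, and URLs reaching the credential code may carry `user:password@` in their authority part, so a rejected URL can put an embedded password on stderr or in a captured log. Printing just the component name, `warning(_("url contains a newline in its %s component"), name);`, avoids that at little diagnostic cost; the `skipping credential lookup for url` warning in the later hunk has the same exposure. credential_from_url_gently's body continues past the end of this hunk.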
@@ -367,7 +384,7 @@
         */
        proto_end = strstr(url, "://");
        if (!proto_end)
-               return;
+               return 0;
        cp = proto_end + 3;
        at = strchr(cp, '@');
        colon = strchr(cp, ':');
@@ -406,4 +423,21 @@
                while (p > c->path && *p == '/')
                        *p-- = '\0';
        }
+
+       if (check_url_component(url, quiet, "username", c->username) < 0 ||
+           check_url_component(url, quiet, "password", c->password) < 0 ||
+           check_url_component(url, quiet, "protocol", c->protocol) < 0 ||
+           check_url_component(url, quiet, "host", c->host) < 0 ||
+           check_url_component(url, quiet, "path", c->path) < 0)
+               return -1;
+
+       return 0;
+}
+
+void credential_from_url(struct credential *c, const char *url)
+{
+       if (credential_from_url_gently(c, url, 0) < 0) {
+               warning(_("skipping credential lookup for url: %s"), url);
+               credential_clear(c);
+       }
 }
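Review bot: The component checks added before the final `return 0` reject only embedded newlines, so a host that parses as empty (for instance `https:///path`) still yields success here, and a helper that treats a missing or empty host as unconstrained could return credentials for an unrelated site; the host parsing is outside this hunk, so confirm whether an empty host can reach this point rather than take it as a certain defect. If it can, `if (c->host && !*c->host) return -1;` next to the newline checks fails closed the same way. Clearing the credential in the non-gentle wrapper is the right choice, since the caller then falls back to prompting, as the t0300 test on this page shows.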
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/credential.h new/git-2.26.1/credential.h
--- old/git-2.26.0/credential.h 2020-03-23 01:19:47.000000000 +0100
+++ new/git-2.26.1/credential.h 2020-04-14 03:51:03.000000000 +0200
@@ -173,8 +173,21 @@
 int credential_read(struct credential *, FILE *);
 void credential_write(const struct credential *, FILE *);
 
-/* Parse a URL into broken-down credential fields. */
+/*
+ * Parse a url into a credential struct, replacing any existing contents.
+ *
+ * If the url can't be parsed (e.g., a missing "proto://" component), the
+ * resulting credential will be empty but we'll still return success from the
+ * "gently" form.
+ *
+ * If we encounter a component which cannot be represented as a credential
+ * value (e.g., because it contains a newline), the "gently" form will return
+ * an error but leave the broken state in the credential object for further
+ * examination.  The non-gentle form will issue a warning to stderr and return
+ * an empty credential.
+ */
 void credential_from_url(struct credential *, const char *url);
+int credential_from_url_gently(struct credential *, const char *url, int 
quiet);
 
 int credential_match(const struct credential *have,
                     const struct credential *want);
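Review bot: The new `credential_from_url_gently` prototype takes an `int quiet` that the comment block above never explains, so a caller has to read credential.c to learn that it only silences the diagnostic and never changes the return value. Add a line to the comment such as ` * The "quiet" flag of the gentle form suppresses the warning naming the offending component; the return value is unaffected.`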
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/fsck.c new/git-2.26.1/fsck.c
--- old/git-2.26.0/fsck.c       2020-03-23 01:19:47.000000000 +0100
+++ new/git-2.26.1/fsck.c       2020-04-14 03:51:03.000000000 +0200
@@ -15,6 +15,7 @@
 #include "packfile.h"
 #include "submodule-config.h"
 #include "config.h"
+#include "credential.h"
 #include "help.h"
 
 static struct oidset gitmodules_found = OIDSET_INIT;
@@ -910,6 +911,19 @@
        return ret;
 }
 
+static int check_submodule_url(const char *url)
+{
+       struct credential c = CREDENTIAL_INIT;
+       int ret;
+
+       if (looks_like_command_line_option(url))
+               return -1;
+
+       ret = credential_from_url_gently(&c, url, 1);
+       credential_clear(&c);
+       return ret;
+}
+
 struct fsck_gitmodules_data {
        const struct object_id *oid;
        struct fsck_options *options;
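Review bot: check_submodule_url inherits the early `return 0` that credential_from_url_gently takes for URLs without a `://` separator (visible in the credential.c hunk on this page), so a relative or scp-style submodule URL with an encoded newline passes this fsck check; whether that matters depends on the resolved URL being re-checked by credential_from_url when it is used, which the hunk does not show. It reads as defense in depth rather than a bypass, but a comment would spare the next reader the trip: `/* URLs without "://" pass here; the credential code is expected to reject the resolved URL at use time. */`. The fsck_gitmodules_data struct begins in the trailing context and continues outside the hunk.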
@@ -935,7 +949,7 @@
                                    "disallowed submodule name: %s",
                                    name);
        if (!strcmp(key, "url") && value &&
-           looks_like_command_line_option(value))
+           check_submodule_url(value) < 0)
                data->ret |= report(data->options,
                                    data->oid, OBJ_BLOB,
                                    FSCK_MSG_GITMODULES_URL,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/t/lib-credential.sh 
new/git-2.26.1/t/lib-credential.sh
--- old/git-2.26.0/t/lib-credential.sh  2020-03-23 01:19:47.000000000 +0100
+++ new/git-2.26.1/t/lib-credential.sh  2020-04-14 03:51:03.000000000 +0200
@@ -19,7 +19,7 @@
                false
        fi &&
        test_cmp expect-stdout stdout &&
-       test_cmp expect-stderr stderr
+       test_i18ncmp expect-stderr stderr
 }
 
 read_chunk() {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/t/t0300-credentials.sh 
new/git-2.26.1/t/t0300-credentials.sh
--- old/git-2.26.0/t/t0300-credentials.sh       2020-03-23 01:19:47.000000000 
+0100
+++ new/git-2.26.1/t/t0300-credentials.sh       2020-04-14 03:51:03.000000000 
+0200
@@ -436,4 +436,18 @@
        EOF
 '
 
+test_expect_success 'url parser ignores embedded newlines' '
+       check fill <<-EOF
+       url=https://one.example.com?%0ahost=two.example.com/
+       --
+       username=askpass-username
+       password=askpass-password
+       --
+       warning: url contains a newline in its host component: 
https://one.example.com?%0ahost=two.example.com/
+       warning: skipping credential lookup for url: 
https://one.example.com?%0ahost=two.example.com/
+       askpass: Username:
+       askpass: Password:
+       EOF
+'
+
 test_done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/t/t7416-submodule-dash-url.sh 
new/git-2.26.1/t/t7416-submodule-dash-url.sh
--- old/git-2.26.0/t/t7416-submodule-dash-url.sh        2020-03-23 
01:19:47.000000000 +0100
+++ new/git-2.26.1/t/t7416-submodule-dash-url.sh        2020-04-14 
03:51:03.000000000 +0200
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-test_description='check handling of .gitmodule url with dash'
+test_description='check handling of disallowed .gitmodule urls'
 . ./test-lib.sh
 
 test_expect_success 'create submodule with protected dash in url' '
@@ -60,4 +60,20 @@
        test_i18ngrep ! "unknown option" err
 '
 
+test_expect_success 'fsck rejects embedded newline in url' '
+       # create an orphan branch to avoid existing .gitmodules objects
+       git checkout --orphan newline &&
+       cat >.gitmodules <<-\EOF &&
+       [submodule "foo"]
+       url = "https://one.example.com?%0ahost=two.example.com/foo.git";
+       EOF
+       git add .gitmodules &&
+       git commit -m "gitmodules with newline" &&
+       test_when_finished "rm -rf dst" &&
+       git init --bare dst &&
+       git -C dst config transfer.fsckObjects true &&
+       test_must_fail git push dst HEAD 2>err &&
+       grep gitmodulesUrl err
+'
+
 test_done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/git-2.26.0/version new/git-2.26.1/version
--- old/git-2.26.0/version      2020-03-23 01:19:48.000000000 +0100
+++ new/git-2.26.1/version      2020-04-14 03:51:03.000000000 +0200
@@ -1 +1 @@
-2.26.0
+2.26.1

++++++ git-daemon.service ++++++
--- /var/tmp/diff_new_pack.Hn1zNZ/_old  2020-04-19 21:35:35.154407044 +0200
+++ /var/tmp/diff_new_pack.Hn1zNZ/_new  2020-04-19 21:35:35.154407044 +0200
@@ -3,7 +3,7 @@
 
 [Service]
 EnvironmentFile=-/etc/sysconfig/git-daemon
-ExecStart=/bin/sh -c 'exec git daemon --reuseaddr 
--base-path=${GIT_DAEMON_BASE_PATH:-/srv/git/} 
--user=${GIT_DAEMON_USER:-git-daemon} --group=${GIT_DAEMON_GROUP:-nogroup} 
$GIT_DAEMON_ARGS'
+ExecStart=/bin/bash -c 'exec git daemon --reuseaddr 
--base-path=$${GIT_DAEMON_BASE_PATH:-/srv/git/} 
--user=$${GIT_DAEMON_USER:-git-daemon} --group=$${GIT_DAEMON_GROUP:-nogroup} 
$GIT_DAEMON_ARGS'
 
 Restart=always
 RestartSec=500ms
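Review bot: In the new ExecStart the three `${VAR:-default}` expansions are escaped as `$$` so bash performs them, but `$GIT_DAEMON_ARGS` at the end is left unescaped, presumably so systemd substitutes it; systemd then splices the value into the quoted command string before bash parses it, so any shell metacharacters in that sysconfig value become shell syntax instead of merely being word-split. /etc/sysconfig/git-daemon is root-owned, so the exposure is low, but escaping it the same way, `$$GIT_DAEMON_ARGS`, keeps the whole line under one expansion regime and lets bash only split and glob it; a comment in the unit stating that `$$` defers expansion to the shell would help prevent the bsc#1169605 regression from recurring. The switch from `/bin/sh` to `/bin/bash` is not required for `${VAR:-default}`, which is POSIX syntax, so it could be reverted to keep the unit shell-agnostic unless something in GIT_DAEMON_ARGS needs bash, which the hunk does not show.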


