Bug#776839: unblock: libgit2/0.21.3-1.1
On 17 February 2015 at 09:26, Mehdi Dogguy wrote:
> Thanks for your work and sorry for not getting back to you sooner. The
> patch looks okay. Please go ahead and upload 0.21.1-3 to Jessie and notify
> us as soon as it gets accepted.
>

Ok, it has been uploaded and accepted
https://packages.qa.debian.org/libg/libgit2/news/20150222T113335Z.html

Thanks!

--
Cheers,
Russell Sim
Bug#776839: unblock: libgit2/0.21.3-1.1
Tags: + confirmed

On Thu, Feb 12, 2015 at 09:49:34PM +1100, Russell Sim wrote:
> On 11 February 2015 at 23:24, Russell Sim wrote:
> > On 9 February 2015 at 09:36, Mehdi Dogguy wrote:
> >> I'm afraid we cannot accept 0.21.3-1.1 in Jessie because the changes are
> >> quite large. Can you please prepare an upload targeting jessie based on
> >> 0.21.1-2.1?
> >
> > Thanks for looking at this. I have created a patch that backports the
> > relevant changes to the 0.21.1-2.1
>
> I have reduced the patch removing any Win32 parts.

Thanks for your work and sorry for not getting back to you sooner. The
patch looks okay. Please go ahead and upload 0.21.1-3 to Jessie and notify
us as soon as it gets accepted.

Cheers.

--
Mehdi Dogguy

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#776839: unblock: libgit2/0.21.3-1.1
On 11 February 2015 at 23:24, Russell Sim wrote:
> On 9 February 2015 at 09:36, Mehdi Dogguy wrote:
>> I'm afraid we cannot accept 0.21.3-1.1 in Jessie because the changes are
>> quite large. Can you please prepare an upload targeting jessie based on
>> 0.21.1-2.1?
>
> Thanks for looking at this. I have created a patch that backports the
> relevant changes to the 0.21.1-2.1

I have reduced the patch removing any Win32 parts.

--
Cheers,
Russell Sim

diff -Nru libgit2-0.21.1/debian/changelog libgit2-0.21.1/debian/changelog --- libgit2-0.21.1/debian/changelog 2015-01-09 09:51:34.0 +1100 +++ libgit2-0.21.1/debian/changelog 2015-02-12 20:06:00.0 +1100 @@ -1,3 +1,10 @@ +libgit2 (0.21.1-3) jessie; urgency=medium + + * Backported fix for case insensitive filesystems (CVE-2014-9390). +(Closes: #774048) + + -- Russell Sim Tue, 10 Feb 2015 20:29:05 +1100 + libgit2 (0.21.1-2.1) jessie; urgency=medium * Non-maintainer upload. diff -Nru libgit2-0.21.1/debian/patches/CVE-2014-9390.patch libgit2-0.21.1/debian/patches/CVE-2014-9390.patch --- libgit2-0.21.1/debian/patches/CVE-2014-9390.patch 1970-01-01 10:00:00.0 +1000 +++ libgit2-0.21.1/debian/patches/CVE-2014-9390.patch 2015-02-12 20:06:00.0 +1100
@@ -0,0 +1,1479 @@ +commit a86d224d78a3ac0f8a1901b0e9e2aee1e15d6f73 +Author: Edward Thomson +Date: Thu Dec 18 12:41:59 2014 -0600 + +index tests: test capitalization before mkdir + +commit 86b9eb3bf5dba342d0a5d805e6fe35c3e9c861cc +Author: Carlos Martín Nieto +Date: Thu Dec 18 02:11:06 2014 +0100 + +Plug leaks + +commit 07164371d10109ba564835947a62fcedf288dce9 +Author: Carlos Martín Nieto +Date: Thu Dec 18 02:07:36 2014 +0100 + +Create miscapitialised dirs for case-sensitive filesystems + +We need these directories to exist so cl_git_mkfile() can create the +files we ask it to. + +commit 5d5d6136aaeea22903ed5d30a858f8d106876771 +Author: Edward Thomson +Date: Tue Dec 16 18:53:55 2014 -0600 + +Introduce core.protectHFS and core.protectNTFS + +Validate HFS ignored char ".git" paths when `core.protectHFS` is +specified. Validate NTFS invalid ".git" paths when `core.protectNTFS` +is specified. + +commit 2698e209d895856df9900899948269e2e490abd3 +Author: Vicent Marti +Date: Tue Dec 16 13:03:02 2014 +0100 + +path: Use UTF8 iteration for HFS chars + +commit d7026dc574b79723008bba72989f74a801f4dfb5 +Author: Edward Thomson +Date: Wed Dec 10 19:12:16 2014 -0500 + +checkout: disallow bad paths on HFS + +HFS filesystems ignore some characters like U+200C. When these +characters are included in a path, they will be ignored for the +purposes of comparison with other paths. Thus, if you have a ".git" +folder, a folder of ".git" will also match. Protect our +".git" folder by ensuring that ".git" and friends do not match it. + +commit 37221f8cb02554297710f703047711a61e1169bb +Author: Edward Thomson +Date: Tue Nov 25 18:13:00 2014 -0500 + +checkout: disallow bad paths on win32 + +Disallow: + 1. paths with trailing dot + 2. paths with trailing space + 3. paths with trailing colon + 4. paths that are 8.3 short names of .git folders ("GIT~1") + 5. paths that are reserved path names (COM1, LPT1, etc). + 6. 
paths with reserved DOS characters (colons, asterisks, etc) + +These paths would (without \\?\ syntax) be elided to other paths - for +example, ".git." would be written as ".git". As a result, writing these +paths literally (using \\?\ syntax) makes them hard to operate with from +the shell, Windows Explorer or other tools. Disallow these. + +commit cb6a309d8667310d3323f5b601a2f2fa893c37d0 +Author: Vicent Marti +Date: Tue Nov 25 00:58:03 2014 +0100 + +index: Check for valid paths before creating an index entry + +commit 928a41d189f068010a32c6dea4bf921baa81d21c +Author: Vicent Marti +Date: Tue Nov 25 00:14:52 2014 +0100 + +tree: Check for `.git` with case insensitivy + +commit f45baf7a94a75cfb1855c9a750f38bbcfa22b199 +Author: Edward Thomson +Date: Mon Dec 1 13:09:58 2014 -0500 + +win32: use NT-prefixed "\\?\" paths + +When turning UTF-8 paths into UCS-2 paths for Windows, always use +the \\?\-prefixed paths. Because this bypasses the system's +path canonicalization, handle the canonicalization functions ourselves. + +We must: + 1. always use a backslash as a directory separator + 2. only use a single backslash between directories + 3. not rely on the system to translate "." and ".." in paths + 4. remove trailing backslashes, except at the drive root (C:\) + +commit 2e37e214e3d85da2a68476c7ae54051d525b05eb +Author: Edward Thomson +Date: Mon Dec 1 13:06:11 2014 -0500 + +clar: wide character comparisons + +commit f2e46110c9f72d5eca539c76972b87003c5922be +Author: Edward Thomson +Date: Wed Nov 26 16:24:37 2014 -0500 + +tests: use p_ instead of posix func
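Review bot: the debian/changelog entry "Backported fix for case insensitive filesystems (CVE-2014-9390)" in the @@ -1,3 +1,10 @@ hunk understates what the patch file's own header says it covers: besides case-insensitive matching of .git in tree and index entries, the listed upstream commits add core.protectHFS (HFS-ignorable characters such as U+200C) and core.protectNTFS (8.3 short names like GIT~1, reserved names, trailing dot/space/colon). A short mention of the new core.protectHFS/core.protectNTFS options in the changelog would make it clear to users on an otherwise case-sensitive Linux filesystem why this fix still matters for repositories they serve to other platforms.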
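Review bot: the CVE-2014-9390.patch header in the @@ -0,0 +1,1479 @@ hunk still lists Win32-only upstream commits (win32: use NT-prefixed "\\?\" paths, clar: wide character comparisons, tests: use p_ instead of posix func) even though the cover mail says the Win32 parts were removed; either trim the commit list to what the 1479 lines actually contain or confirm that no Win32 hunks remain, so the header matches the backport. The file also begins directly with "+commit a86d224d..." and has no DEP-3 header; a Description:, Origin: (the upstream commit ids are already listed), Bug: https://security-tracker.debian.org/tracker/CVE-2014-9390 and Bug-Debian: #774048 block at the top would let the security tracker and future maintainers trace where the backport came from.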
Bug#776839: unblock: libgit2/0.21.3-1.1
On 9 February 2015 at 09:36, Mehdi Dogguy wrote:
> I'm afraid we cannot accept 0.21.3-1.1 in Jessie because the changes are
> quite large. Can you please prepare an upload targeting jessie based on
> 0.21.1-2.1?
>

Thanks for looking at this. I have created a patch that backports the
relevant changes to the 0.21.1-2.1

Mehdi. I'm so sorry for the noise :(

--
Cheers,
Russell Sim

diff -Nru libgit2-0.21.1/debian/changelog libgit2-0.21.1/debian/changelog --- libgit2-0.21.1/debian/changelog 2015-01-09 09:51:34.0 +1100 +++ libgit2-0.21.1/debian/changelog 2015-02-11 23:09:15.0 +1100 @@ -1,3 +1,10 @@ +libgit2 (0.21.1-3) jessie; urgency=medium + + * Backported fix for case insensitive filesystems (CVE-2014-9390). +(Closes: #774048) + + -- Russell Sim Tue, 10 Feb 2015 20:29:05 +1100 + libgit2 (0.21.1-2.1) jessie; urgency=medium * Non-maintainer upload. diff -Nru libgit2-0.21.1/debian/patches/CVE-2014-9390.patch libgit2-0.21.1/debian/patches/CVE-2014-9390.patch --- libgit2-0.21.1/debian/patches/CVE-2014-9390.patch 1970-01-01 10:00:00.0 +1000 +++ libgit2-0.21.1/debian/patches/CVE-2014-9390.patch 2015-02-11 23:09:15.0 +1100
@@ -0,0 +1,2483 @@ +commit a86d224d78a3ac0f8a1901b0e9e2aee1e15d6f73 +Author: Edward Thomson +Date: Thu Dec 18 12:41:59 2014 -0600 + +index tests: test capitalization before mkdir + +commit 86b9eb3bf5dba342d0a5d805e6fe35c3e9c861cc +Author: Carlos Martín Nieto +Date: Thu Dec 18 02:11:06 2014 +0100 + +Plug leaks + +commit 07164371d10109ba564835947a62fcedf288dce9 +Author: Carlos Martín Nieto +Date: Thu Dec 18 02:07:36 2014 +0100 + +Create miscapitialised dirs for case-sensitive filesystems + +We need these directories to exist so cl_git_mkfile() can create the +files we ask it to. + +commit 5d5d6136aaeea22903ed5d30a858f8d106876771 +Author: Edward Thomson +Date: Tue Dec 16 18:53:55 2014 -0600 + +Introduce core.protectHFS and core.protectNTFS + +Validate HFS ignored char ".git" paths when `core.protectHFS` is +specified. Validate NTFS invalid ".git" paths when `core.protectNTFS` +is specified. + +commit 2698e209d895856df9900899948269e2e490abd3 +Author: Vicent Marti +Date: Tue Dec 16 13:03:02 2014 +0100 + +path: Use UTF8 iteration for HFS chars + +commit d7026dc574b79723008bba72989f74a801f4dfb5 +Author: Edward Thomson +Date: Wed Dec 10 19:12:16 2014 -0500 + +checkout: disallow bad paths on HFS + +HFS filesystems ignore some characters like U+200C. When these +characters are included in a path, they will be ignored for the +purposes of comparison with other paths. Thus, if you have a ".git" +folder, a folder of ".git" will also match. Protect our +".git" folder by ensuring that ".git" and friends do not match it. + +commit 37221f8cb02554297710f703047711a61e1169bb +Author: Edward Thomson +Date: Tue Nov 25 18:13:00 2014 -0500 + +checkout: disallow bad paths on win32 + +Disallow: + 1. paths with trailing dot + 2. paths with trailing space + 3. paths with trailing colon + 4. paths that are 8.3 short names of .git folders ("GIT~1") + 5. paths that are reserved path names (COM1, LPT1, etc). + 6. 
paths with reserved DOS characters (colons, asterisks, etc) + +These paths would (without \\?\ syntax) be elided to other paths - for +example, ".git." would be written as ".git". As a result, writing these +paths literally (using \\?\ syntax) makes them hard to operate with from +the shell, Windows Explorer or other tools. Disallow these. + +commit cb6a309d8667310d3323f5b601a2f2fa893c37d0 +Author: Vicent Marti +Date: Tue Nov 25 00:58:03 2014 +0100 + +index: Check for valid paths before creating an index entry + +commit 928a41d189f068010a32c6dea4bf921baa81d21c +Author: Vicent Marti +Date: Tue Nov 25 00:14:52 2014 +0100 + +tree: Check for `.git` with case insensitivy + +commit f45baf7a94a75cfb1855c9a750f38bbcfa22b199 +Author: Edward Thomson +Date: Mon Dec 1 13:09:58 2014 -0500 + +win32: use NT-prefixed "\\?\" paths + +When turning UTF-8 paths into UCS-2 paths for Windows, always use +the \\?\-prefixed paths. Because this bypasses the system's +path canonicalization, handle the canonicalization functions ourselves. + +We must: + 1. always use a backslash as a directory separator + 2. only use a single backslash between directories + 3. not rely on the system to translate "." and ".." in paths + 4. remove trailing backslashes, except at the drive root (C:\) + +commit 2e37e214e3d85da2a68476c7ae54051d525b05eb +Author: Edward Thomson +Date: Mon Dec 1 13:06:11 2014 -0500 + +clar: wide character comparisons + +commit f2e46110c9f72d5eca539c76972b87003c5922be +Author: Edward Thomson +Date: Wed Nov 26 16:24:37 2014 -0500 + +tests: use p_ instead of posix func directly +diff --git a/src/checkout.c b/src/checkout.c +index 20763fd..9adc6c
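Review bot: the @@ -0,0 +1,2483 @@ hunk for CVE-2014-9390.patch bundles Win32-only upstream commits (win32: use NT-prefixed "\\?\" paths, clar: wide character comparisons, tests: use p_ instead of posix func directly) together with the path-validation fix itself; since the jessie package is built for Linux, dropping those commits would shrink the 2483-line diff substantially and leave only the tree/index .git checks, the UTF-8 iteration for HFS characters and the core.protectHFS/core.protectNTFS options for the release team to review.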
Bug#776839: unblock: libgit2/0.21.3-1.1
Control: tags -1 moreinfo

Hi,

On 2015-02-02 11:34, Russell Sim wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Please unblock package libgit2
>
> The newer version of the libgit2 package fixes a security hole [0]. Sorry I
> realise that this is the second unblock request for this package. But at the
> time of the previous request I did not think that the vulnerability met the
> requirements for an unblock request. I have since been contacted by the
> Debian security team and asked to submit an unblock request.
>
> I haven't split out the fix into a separate patch on the existing package in
> jessie as it's probably not super easy. But I can do it if it's required.
>
> I have not included a debdiff since it's 182K but I can attach it if needed.

I'm afraid we cannot accept 0.21.3-1.1 in Jessie because the changes are
quite large. Can you please prepare an upload targeting jessie based on
0.21.1-2.1?

Regards,

--
Mehdi
Bug#776839: unblock: libgit2/0.21.3-1.1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libgit2

The newer version of the libgit2 package fixes a security hole [0]. Sorry I
realise that this is the second unblock request for this package. But at the
time of the previous request I did not think that the vulnerability met the
requirements for an unblock request. I have since been contacted by the
Debian security team and asked to submit an unblock request.

I haven't split out the fix into a separate patch on the existing package in
jessie as it's probably not super easy. But I can do it if it's required.

I have not included a debdiff since it's 182K but I can attach it if needed.

0. https://security-tracker.debian.org/tracker/CVE-2014-9390

unblock libgit2/0.21.3-1.1

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)