Bug#776839: unblock: libgit2/0.21.3-1.1

2015-02-22 Thread Russell Sim
On 17 February 2015 at 09:26, Mehdi Dogguy  wrote:

> Thanks for your work and sorry for not getting back to you sooner. The patch
> looks okay. Please go ahead and upload 0.21.1-3 to Jessie and notify us as
> soon as it gets accepted.
>

OK, it has been uploaded and accepted.

https://packages.qa.debian.org/libg/libgit2/news/20150222T113335Z.html

Thanks!


-- 
Cheers,
Russell Sim


Bug#776839: unblock: libgit2/0.21.3-1.1

2015-02-16 Thread Mehdi Dogguy
Tags: + confirmed

On Thu, Feb 12, 2015 at 09:49:34PM +1100, Russell Sim wrote:
> On 11 February 2015 at 23:24, Russell Sim  wrote:
> 
> > On 9 February 2015 at 09:36, Mehdi Dogguy  wrote:
> >
> >> I'm afraid we cannot accept 0.21.3-1.1 in Jessie because the changes are
> >> quite large. Can you please prepare an upload targeting jessie based on
> >> 0.21.1-2.1?
> >>
> >
> >
> > Thanks for looking at this.  I have created a patch that backports the
> > relevant changes to 0.21.1-2.1.
> 
> 
> I have reduced the patch removing any Win32 parts.
> 

Thanks for your work and sorry for not getting back to you sooner. The patch
looks okay. Please go ahead and upload 0.21.1-3 to Jessie and notify us as
soon as it gets accepted.

Cheers.

-- 
Mehdi Dogguy


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#776839: unblock: libgit2/0.21.3-1.1

2015-02-12 Thread Russell Sim
On 11 February 2015 at 23:24, Russell Sim  wrote:

> On 9 February 2015 at 09:36, Mehdi Dogguy  wrote:
>
>> I'm afraid we cannot accept 0.21.3-1.1 in Jessie because the changes are
>> quite large. Can you please prepare an upload targeting jessie based on
>> 0.21.1-2.1?
>>
>
>
> Thanks for looking at this.  I have created a patch that backports the
> relevant changes to 0.21.1-2.1.


I have reduced the patch removing any Win32 parts.

-- 
Cheers,
Russell Sim
diff -Nru libgit2-0.21.1/debian/changelog libgit2-0.21.1/debian/changelog
--- libgit2-0.21.1/debian/changelog 2015-01-09 09:51:34.0 +1100
+++ libgit2-0.21.1/debian/changelog 2015-02-12 20:06:00.0 +1100
@@ -1,3 +1,10 @@
+libgit2 (0.21.1-3) jessie; urgency=medium
+
+  * Backported fix for case insensitive filesystems (CVE-2014-9390).
+(Closes: #774048)
+
+ -- Russell Sim   Tue, 10 Feb 2015 20:29:05 +1100
+
 libgit2 (0.21.1-2.1) jessie; urgency=medium
 
   * Non-maintainer upload.
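Review bot: the new 0.21.1-3 entry describes the change only as a "fix for case insensitive filesystems", but the commit list in debian/patches/CVE-2014-9390.patch shows the backport also adds the core.protectHFS/core.protectNTFS checks for HFS ignorable characters and NTFS-invalid ".git" paths; widen the entry so the scope of the backport is visible to the release and security teams, e.g. `* Backport upstream fix for CVE-2014-9390: reject ".git" paths that collide on case-insensitive, HFS and NTFS filesystems. (Closes: #774048)`.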
diff -Nru libgit2-0.21.1/debian/patches/CVE-2014-9390.patch 
libgit2-0.21.1/debian/patches/CVE-2014-9390.patch
--- libgit2-0.21.1/debian/patches/CVE-2014-9390.patch   1970-01-01 
10:00:00.0 +1000
+++ libgit2-0.21.1/debian/patches/CVE-2014-9390.patch   2015-02-12 
20:06:00.0 +1100
@@ -0,0 +1,1479 @@
+commit a86d224d78a3ac0f8a1901b0e9e2aee1e15d6f73
+Author: Edward Thomson 
+Date:   Thu Dec 18 12:41:59 2014 -0600
+
+index tests: test capitalization before mkdir
+
+commit 86b9eb3bf5dba342d0a5d805e6fe35c3e9c861cc
+Author: Carlos Martín Nieto 
+Date:   Thu Dec 18 02:11:06 2014 +0100
+
+Plug leaks
+
+commit 07164371d10109ba564835947a62fcedf288dce9
+Author: Carlos Martín Nieto 
+Date:   Thu Dec 18 02:07:36 2014 +0100
+
+Create miscapitialised dirs for case-sensitive filesystems
+
+We need these directories to exist so cl_git_mkfile() can create the
+files we ask it to.
+
+commit 5d5d6136aaeea22903ed5d30a858f8d106876771
+Author: Edward Thomson 
+Date:   Tue Dec 16 18:53:55 2014 -0600
+
+Introduce core.protectHFS and core.protectNTFS
+
+Validate HFS ignored char ".git" paths when `core.protectHFS` is
+specified.  Validate NTFS invalid ".git" paths when `core.protectNTFS`
+is specified.
+
+commit 2698e209d895856df9900899948269e2e490abd3
+Author: Vicent Marti 
+Date:   Tue Dec 16 13:03:02 2014 +0100
+
+path: Use UTF8 iteration for HFS chars
+
+commit d7026dc574b79723008bba72989f74a801f4dfb5
+Author: Edward Thomson 
+Date:   Wed Dec 10 19:12:16 2014 -0500
+
+checkout: disallow bad paths on HFS
+
+HFS filesystems ignore some characters like U+200C.  When these
+characters are included in a path, they will be ignored for the
+purposes of comparison with other paths.  Thus, if you have a ".git"
+folder, a folder of ".git" will also match.  Protect our
+".git" folder by ensuring that ".git" and friends do not match it.
+
+commit 37221f8cb02554297710f703047711a61e1169bb
+Author: Edward Thomson 
+Date:   Tue Nov 25 18:13:00 2014 -0500
+
+checkout: disallow bad paths on win32
+
+Disallow:
+ 1. paths with trailing dot
+ 2. paths with trailing space
+ 3. paths with trailing colon
+ 4. paths that are 8.3 short names of .git folders ("GIT~1")
+ 5. paths that are reserved path names (COM1, LPT1, etc).
+ 6. paths with reserved DOS characters (colons, asterisks, etc)
+
+These paths would (without \\?\ syntax) be elided to other paths - for
+example, ".git." would be written as ".git".  As a result, writing these
+paths literally (using \\?\ syntax) makes them hard to operate with from
+the shell, Windows Explorer or other tools.  Disallow these.
+
+commit cb6a309d8667310d3323f5b601a2f2fa893c37d0
+Author: Vicent Marti 
+Date:   Tue Nov 25 00:58:03 2014 +0100
+
+index: Check for valid paths before creating an index entry
+
+commit 928a41d189f068010a32c6dea4bf921baa81d21c
+Author: Vicent Marti 
+Date:   Tue Nov 25 00:14:52 2014 +0100
+
+tree: Check for `.git` with case insensitivy
+
+commit f45baf7a94a75cfb1855c9a750f38bbcfa22b199
+Author: Edward Thomson 
+Date:   Mon Dec 1 13:09:58 2014 -0500
+
+win32: use NT-prefixed "\\?\" paths
+
+When turning UTF-8 paths into UCS-2 paths for Windows, always use
+the \\?\-prefixed paths.  Because this bypasses the system's
+path canonicalization, handle the canonicalization functions ourselves.
+
+We must:
+ 1. always use a backslash as a directory separator
+ 2. only use a single backslash between directories
+ 3. not rely on the system to translate "." and ".." in paths
+ 4. remove trailing backslashes, except at the drive root (C:\)
+
+commit 2e37e214e3d85da2a68476c7ae54051d525b05eb
+Author: Edward Thomson 
+Date:   Mon Dec 1 13:06:11 2014 -0500
+
+clar: wide character comparisons
+
+commit f2e46110c9f72d5eca539c76972b87003c5922be
+Author: Edward Thomson 
+Date:   Wed Nov 26 16:24:37 2014 -0500
+
+tests: use p_ instead of posix func 
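Review bot: the preamble of the new patch file still lists the Win32-only upstream commits (37221f8 "checkout: disallow bad paths on win32", f45baf7 "win32: use NT-prefixed paths", 2e37e21 "clar: wide character comparisons") even though the cover mail says the Win32 parts were removed and the file shrank from 2483 to 1479 lines; trim the commit list to the commits the patch actually carries, and add DEP-3 headers (Description, Origin, Bug-Debian, Applied-Upstream) at the top so the provenance of the backport is machine-readable.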

Bug#776839: unblock: libgit2/0.21.3-1.1

2015-02-11 Thread Russell Sim
On 9 February 2015 at 09:36, Mehdi Dogguy  wrote:

> I'm afraid we cannot accept 0.21.3-1.1 in Jessie because the changes are
> quite large. Can you please prepare an upload targeting jessie based on
> 0.21.1-2.1?
>


Thanks for looking at this.  I have created a patch that backports the
relevant changes to 0.21.1-2.1.


Mehdi, I'm so sorry for the noise :(

-- 
Cheers,
Russell Sim
diff -Nru libgit2-0.21.1/debian/changelog libgit2-0.21.1/debian/changelog
--- libgit2-0.21.1/debian/changelog 2015-01-09 09:51:34.0 +1100
+++ libgit2-0.21.1/debian/changelog 2015-02-11 23:09:15.0 +1100
@@ -1,3 +1,10 @@
+libgit2 (0.21.1-3) jessie; urgency=medium
+
+  * Backported fix for case insensitive filesystems (CVE-2014-9390).
+(Closes: #774048)
+
+ -- Russell Sim   Tue, 10 Feb 2015 20:29:05 +1100
+
 libgit2 (0.21.1-2.1) jessie; urgency=medium
 
   * Non-maintainer upload.
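Review bot: the new 0.21.1-3 entry uses `urgency=medium` for a CVE fix; Debian security fixes are conventionally uploaded with `urgency=high`, which shortens the testing migration delay. During the jessie freeze the unblock hint governs migration, so the effect is cosmetic, but matching the convention makes the entry self-describing.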
diff -Nru libgit2-0.21.1/debian/patches/CVE-2014-9390.patch 
libgit2-0.21.1/debian/patches/CVE-2014-9390.patch
--- libgit2-0.21.1/debian/patches/CVE-2014-9390.patch   1970-01-01 
10:00:00.0 +1000
+++ libgit2-0.21.1/debian/patches/CVE-2014-9390.patch   2015-02-11 
23:09:15.0 +1100
@@ -0,0 +1,2483 @@
+commit a86d224d78a3ac0f8a1901b0e9e2aee1e15d6f73
+Author: Edward Thomson 
+Date:   Thu Dec 18 12:41:59 2014 -0600
+
+index tests: test capitalization before mkdir
+
+commit 86b9eb3bf5dba342d0a5d805e6fe35c3e9c861cc
+Author: Carlos Martín Nieto 
+Date:   Thu Dec 18 02:11:06 2014 +0100
+
+Plug leaks
+
+commit 07164371d10109ba564835947a62fcedf288dce9
+Author: Carlos Martín Nieto 
+Date:   Thu Dec 18 02:07:36 2014 +0100
+
+Create miscapitialised dirs for case-sensitive filesystems
+
+We need these directories to exist so cl_git_mkfile() can create the
+files we ask it to.
+
+commit 5d5d6136aaeea22903ed5d30a858f8d106876771
+Author: Edward Thomson 
+Date:   Tue Dec 16 18:53:55 2014 -0600
+
+Introduce core.protectHFS and core.protectNTFS
+
+Validate HFS ignored char ".git" paths when `core.protectHFS` is
+specified.  Validate NTFS invalid ".git" paths when `core.protectNTFS`
+is specified.
+
+commit 2698e209d895856df9900899948269e2e490abd3
+Author: Vicent Marti 
+Date:   Tue Dec 16 13:03:02 2014 +0100
+
+path: Use UTF8 iteration for HFS chars
+
+commit d7026dc574b79723008bba72989f74a801f4dfb5
+Author: Edward Thomson 
+Date:   Wed Dec 10 19:12:16 2014 -0500
+
+checkout: disallow bad paths on HFS
+
+HFS filesystems ignore some characters like U+200C.  When these
+characters are included in a path, they will be ignored for the
+purposes of comparison with other paths.  Thus, if you have a ".git"
+folder, a folder of ".git" will also match.  Protect our
+".git" folder by ensuring that ".git" and friends do not match it.
+
+commit 37221f8cb02554297710f703047711a61e1169bb
+Author: Edward Thomson 
+Date:   Tue Nov 25 18:13:00 2014 -0500
+
+checkout: disallow bad paths on win32
+
+Disallow:
+ 1. paths with trailing dot
+ 2. paths with trailing space
+ 3. paths with trailing colon
+ 4. paths that are 8.3 short names of .git folders ("GIT~1")
+ 5. paths that are reserved path names (COM1, LPT1, etc).
+ 6. paths with reserved DOS characters (colons, asterisks, etc)
+
+These paths would (without \\?\ syntax) be elided to other paths - for
+example, ".git." would be written as ".git".  As a result, writing these
+paths literally (using \\?\ syntax) makes them hard to operate with from
+the shell, Windows Explorer or other tools.  Disallow these.
+
+commit cb6a309d8667310d3323f5b601a2f2fa893c37d0
+Author: Vicent Marti 
+Date:   Tue Nov 25 00:58:03 2014 +0100
+
+index: Check for valid paths before creating an index entry
+
+commit 928a41d189f068010a32c6dea4bf921baa81d21c
+Author: Vicent Marti 
+Date:   Tue Nov 25 00:14:52 2014 +0100
+
+tree: Check for `.git` with case insensitivy
+
+commit f45baf7a94a75cfb1855c9a750f38bbcfa22b199
+Author: Edward Thomson 
+Date:   Mon Dec 1 13:09:58 2014 -0500
+
+win32: use NT-prefixed "\\?\" paths
+
+When turning UTF-8 paths into UCS-2 paths for Windows, always use
+the \\?\-prefixed paths.  Because this bypasses the system's
+path canonicalization, handle the canonicalization functions ourselves.
+
+We must:
+ 1. always use a backslash as a directory separator
+ 2. only use a single backslash between directories
+ 3. not rely on the system to translate "." and ".." in paths
+ 4. remove trailing backslashes, except at the drive root (C:\)
+
+commit 2e37e214e3d85da2a68476c7ae54051d525b05eb
+Author: Edward Thomson 
+Date:   Mon Dec 1 13:06:11 2014 -0500
+
+clar: wide character comparisons
+
+commit f2e46110c9f72d5eca539c76972b87003c5922be
+Author: Edward Thomson 
+Date:   Wed Nov 26 16:24:37 2014 -0500
+
+tests: use p_ instead of posix func directly
+diff --git a/src/checkout.c b/src/checkout.c
+index 20763fd..9adc6c
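Review bot: this 2483-line patch bundles the Win32-only upstream commits (37221f8 "checkout: disallow bad paths on win32", f45baf7 "win32: use NT-prefixed paths", 2e37e21 "clar: wide character comparisons") together with the portable index/tree/checkout path checks; the Win32 code is not relevant to a Debian build and only enlarges the diff the release team has to review. Suggest restricting the backport to the commits that implement the case-insensitive and HFS ".git" validation (928a41d, cb6a309, d7026dc, 2698e20, 5d5d613) plus the tests that exercise them.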

Bug#776839: unblock: libgit2/0.21.3-1.1

2015-02-08 Thread Mehdi Dogguy

Control: tags -1 moreinfo

Hi,

On 2015-02-02 11:34, Russell Sim wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Please unblock package libgit2
>
> The newer version of the libgit2 package fixes a security hole [0].
>
> Sorry, I realise that this is the second unblock request for this
> package.  But at the time of the previous request I did not think that
> the vulnerability met the requirements for an unblock request.  I have
> since been contacted by the Debian security team and asked to submit
> an unblock request.
>
> I haven't split out the fix into a separate patch on the existing
> package in jessie as it's probably not super easy.  But I can do it if
> it's required.  I have not included a debdiff since it's 182K but I
> can attach it if needed.

I'm afraid we cannot accept 0.21.3-1.1 in Jessie because the changes
are quite large. Can you please prepare an upload targeting jessie based
on 0.21.1-2.1?

Regards,

--
Mehdi





Bug#776839: unblock: libgit2/0.21.3-1.1

2015-02-02 Thread Russell Sim
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libgit2

The newer version of the libgit2 package fixes a security hole [0].

Sorry, I realise that this is the second unblock request for this
package.  But at the time of the previous request I did not think that
the vulnerability met the requirements for an unblock request.  I have
since been contacted by the Debian security team and asked to submit
an unblock request.

I haven't split out the fix into a separate patch on the existing
package in jessie as it's probably not super easy.  But I can do it if
it's required.  I have not included a debdiff since it's 182K but I
can attach it if needed.

0. https://security-tracker.debian.org/tracker/CVE-2014-9390

unblock libgit2/0.21.3-1.1

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

