SHA256
forked from pool/git

5 Commits

Author SHA256 Message Date
972e527526 Sync changes to SLFO-1.2 branch 2025-08-20 09:17:41 +02:00
29c41e30f3 Accepting request 1291488 from devel:tools:scm
OBS-URL: https://build.opensuse.org/request/show/1291488
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git?expand=0&rev=325
2025-07-10 21:14:51 +00:00
d282f59a19 - refreshed gitk sha256 patches:
0001-gitk-Add-support-of-SHA256-repo.patch
  0002-git-gui-Add-support-of-SHA256-repo.patch

- update to 2.50.1 (boo#1245938 boo#1245939 boo#1245942 boo#1245943 boo#1245946 boo#1245947)

OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/git?expand=0&rev=677
2025-07-09 12:22:02 +00:00
449f6b4529 Accepting request 1288721 from devel:tools:scm
OBS-URL: https://build.opensuse.org/request/show/1288721
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git?expand=0&rev=324
2025-06-27 21:00:18 +00:00
25bd9d7139 - Fix git-gui citool SHA256 repo handling:
refreshed 0002-git-gui-Add-support-of-SHA256-repo.patch

OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/git?expand=0&rev=675
2025-06-26 15:46:25 +00:00
12 changed files with 638 additions and 734 deletions


@@ -1,402 +0,0 @@
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH v2] gitk: Add support of SHA256 repo
Date: Tue, 17 Jun 2025 07:59:54 +0200
Message-ID: <20250617055957.9794-1-tiwai@suse.de>
This patch adds a basic support of SHA256 Git repository to Gitk, so
that Gitk can show and operate on both SHA1 and SHA256 repos
gracefully. Since SHA256 has a longer ID length (64 char) than SHA1
(40 char), many field widths are adjusted to fit with it.
A caveat is that the configuration of auto selection length is shared
between SHA1 and SHA256 repos. That is, once when this value is saved
and read, it's applied to both repo types, which may result in shorter
selection than the full SHA256 ID. We may introduce another
individual config for sha256 (actually I did write in the first
version), but for simplicity, the common config is used as of writing
this.
Many lines still refer "sha1" although they may point to both SHA1 and
SHA256. They are left untouched for making the changes simpler.
This patch is based on the early work by Rostislav Krasny:
https://patchwork.kernel.org/project/git/patch/pull.979.git.1623687519832.gitgitgadget@gmail.com
I refreshed, revised and extended to the latest state.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
v1: https://lore.kernel.org/20250320154136.23262-1-tiwai@suse.de
v1->v2:
- Fix other procs using fixed 40 length
- Don't use tabs
- Drop autosellensha256 config
- Some code simplification
- Fix patch description
gitk-git/gitk | 83 +++++++++++++++++++++++++++++++++++----------------
1 file changed, 58 insertions(+), 25 deletions(-)
diff --git a/gitk-git/gitk b/gitk-git/gitk
index 19689765cde5..04f5f5face68 100755
--- a/gitk-git/gitk
+++ b/gitk-git/gitk
@@ -394,6 +394,7 @@ proc parseviewargs {n arglist} {
proc parseviewrevs {view revs} {
global vposids vnegids
+ global hashlength
if {$revs eq {}} {
set revs HEAD
@@ -407,7 +408,7 @@ proc parseviewrevs {view revs} {
set badrev {}
for {set l 0} {$l < [llength $errlines]} {incr l} {
set line [lindex $errlines $l]
- if {!([string length $line] == 40 && [string is xdigit $line])} {
+ if {!([string length $line] == $hashlength && [string is xdigit $line])} {
if {[string match "fatal:*" $line]} {
if {[string match "fatal: ambiguous argument*" $line]
&& $badrev ne {}} {
@@ -624,6 +625,7 @@ proc updatecommits {} {
global hasworktree
global varcid vposids vnegids vflags vrevs
global show_notes
+ global hashlength
set hasworktree [hasworktree]
rereadrefs
@@ -657,7 +659,7 @@ proc updatecommits {} {
# take out positive refs that we asked for before or
# that we have already seen
foreach rev $revs {
- if {[string length $rev] == 40} {
+ if {[string length $rev] == $hashlength} {
if {[lsearch -exact $oldpos $rev] < 0
&& ![info exists varcid($view,$rev)]} {
lappend newrevs $rev
@@ -1542,6 +1544,7 @@ proc getcommitlines {fd inst view updating} {
global parents children curview hlview
global idpending ordertok
global varccommits varcid varctok vtokmod vfilelimit vshortids
+ global hashlength
set stuff [read $fd 500000]
# git log doesn't terminate the last commit with a null...
@@ -1624,7 +1627,7 @@ proc getcommitlines {fd inst view updating} {
}
set ok 1
foreach id $ids {
- if {[string length $id] != 40} {
+ if {[string length $id] != $hashlength} {
set ok 0
break
}
@@ -1870,8 +1873,8 @@ proc getcommit {id} {
return 1
}
-# Expand an abbreviated commit ID to a list of full 40-char IDs that match
-# and are present in the current view.
+# Expand an abbreviated commit ID to a list of full 40-char (or 64-char
+# for SHA256 repo) IDs that match and are present in the current view.
# This is fairly slow...
proc longid {prefix} {
global varcid curview vshortids
@@ -1904,6 +1907,7 @@ proc readrefs {} {
global selecthead selectheadid
global hideremotes
global tclencoding
+ global hashlength
foreach v {tagids idtags headids idheads otherrefids idotherrefs} {
unset -nocomplain $v
@@ -1913,9 +1917,9 @@ proc readrefs {} {
fconfigure $refd -encoding $tclencoding
}
while {[gets $refd line] >= 0} {
- if {[string index $line 40] ne " "} continue
- set id [string range $line 0 39]
- set ref [string range $line 41 end]
+ if {[string index $line $hashlength] ne " "} continue
+ set id [string range $line 0 [expr {$hashlength - 1}]]
+ set ref [string range $line [expr {$hashlength + 1}] end]
if {![string match "refs/*" $ref]} continue
set name [string range $ref 5 end]
if {[string match "remotes/*" $name]} {
@@ -2210,6 +2214,7 @@ proc makewindow {} {
global have_tk85 have_tk86 use_ttk NS
global git_version
global worddiff
+ global hashlength
# The "mc" arguments here are purely so that xgettext
# sees the following string as needing to be translated
@@ -2335,7 +2340,7 @@ proc makewindow {} {
-command gotocommit -width 8
$sha1but conf -disabledforeground [$sha1but cget -foreground]
pack .tf.bar.sha1label -side left
- ${NS}::entry $sha1entry -width 40 -font textfont -textvariable sha1string
+ ${NS}::entry $sha1entry -width $hashlength -font textfont -textvariable sha1string
trace add variable sha1string write sha1change
pack $sha1entry -side left -pady 2
@@ -4062,6 +4067,7 @@ proc stopblaming {} {
proc read_line_source {fd inst} {
global blamestuff curview commfd blameinst nullid nullid2
+ global hashlength
while {[gets $fd line] >= 0} {
lappend blamestuff($inst) $line
@@ -4082,7 +4088,7 @@ proc read_line_source {fd inst} {
set line [split [lindex $blamestuff($inst) 0] " "]
set id [lindex $line 0]
set lnum [lindex $line 1]
- if {[string length $id] == 40 && [string is xdigit $id] &&
+ if {[string length $id] == $hashlength && [string is xdigit $id] &&
[string is digit -strict $lnum]} {
# look for "filename" line
foreach l $blamestuff($inst) {
@@ -5226,11 +5232,13 @@ proc askrelhighlight {row id} {
# Graph layout functions
proc shortids {ids} {
+ global hashlength
+
set res {}
foreach id $ids {
if {[llength $id] > 1} {
lappend res [shortids $id]
- } elseif {[regexp {^[0-9a-f]{40}$} $id]} {
+ } elseif {[regexp [string map "@@ $hashlength" {^[0-9a-f]{@@}$}] $id]} {
lappend res [string range $id 0 7]
} else {
lappend res $id
@@ -5405,13 +5413,14 @@ proc get_viewmainhead {view} {
# git rev-list should give us just 1 line to use as viewmainheadid($view)
proc getviewhead {fd inst view} {
global viewmainheadid commfd curview viewinstances showlocalchanges
+ global hashlength
set id {}
if {[gets $fd line] < 0} {
if {![eof $fd]} {
return 1
}
- } elseif {[string length $line] == 40 && [string is xdigit $line]} {
+ } elseif {[string length $line] == $hashlength && [string is xdigit $line]} {
set id $line
}
set viewmainheadid($view) $id
@@ -7175,10 +7184,11 @@ proc commit_descriptor {p} {
# Also look for URLs of the form "http[s]://..." and make them web links.
proc appendwithlinks {text tags} {
global ctext linknum curview
+ global hashlength
set start [$ctext index "end - 1c"]
$ctext insert end $text $tags
- set links [regexp -indices -all -inline {(?:\m|-g)[0-9a-f]{6,40}\M} $text]
+ set links [regexp -indices -all -inline [string map "@@ $hashlength" {(?:\m|-g)[0-9a-f]{6,@@}\M}] $text]
foreach l $links {
set s [lindex $l 0]
set e [lindex $l 1]
@@ -7206,13 +7216,14 @@ proc appendwithlinks {text tags} {
proc setlink {id lk} {
global curview ctext pendinglinks
global linkfgcolor
+ global hashlength
if {[string range $id 0 1] eq "-g"} {
set id [string range $id 2 end]
}
set known 0
- if {[string length $id] < 40} {
+ if {[string length $id] < $hashlength} {
set matches [longid $id]
if {[llength $matches] > 0} {
if {[llength $matches] > 1} return
@@ -8857,13 +8868,16 @@ proc incrfont {inc} {
proc clearsha1 {} {
global sha1entry sha1string
- if {[string length $sha1string] == 40} {
+ global hashlength
+
+ if {[string length $sha1string] == $hashlength} {
$sha1entry delete 0 end
}
}
proc sha1change {n1 n2 op} {
global sha1string currentid sha1but
+
if {$sha1string == {}
|| ([info exists currentid] && $sha1string == $currentid)} {
set state disabled
@@ -8880,6 +8894,7 @@ proc sha1change {n1 n2 op} {
proc gotocommit {} {
global sha1string tagids headids curview varcid
+ global hashlength
if {$sha1string == {}
|| ([info exists currentid] && $sha1string == $currentid)} return
@@ -8889,7 +8904,7 @@ proc gotocommit {} {
set id $headids($sha1string)
} else {
set id [string tolower $sha1string]
- if {[regexp {^[0-9a-f]{4,39}$} $id]} {
+ if {[regexp {^[0-9a-f]{4,63}$} $id]} {
set matches [longid $id]
if {$matches ne {}} {
if {[llength $matches] > 1} {
@@ -9378,6 +9393,7 @@ proc doseldiff {oldid newid} {
proc mkpatch {} {
global rowmenuid currentid commitinfo patchtop patchnum NS
+ global hashlength
if {![info exists currentid]} return
set oldid $currentid
@@ -9392,7 +9408,7 @@ proc mkpatch {} {
${NS}::label $top.title -text [mc "Generate patch"]
grid $top.title - -pady 10
${NS}::label $top.from -text [mc "From:"]
- ${NS}::entry $top.fromsha1 -width 40
+ ${NS}::entry $top.fromsha1 -width $hashlength
$top.fromsha1 insert 0 $oldid
$top.fromsha1 conf -state readonly
grid $top.from $top.fromsha1 -sticky w
@@ -9401,7 +9417,7 @@ proc mkpatch {} {
$top.fromhead conf -state readonly
grid x $top.fromhead -sticky w
${NS}::label $top.to -text [mc "To:"]
- ${NS}::entry $top.tosha1 -width 40
+ ${NS}::entry $top.tosha1 -width $hashlength
$top.tosha1 insert 0 $newid
$top.tosha1 conf -state readonly
grid $top.to $top.tosha1 -sticky w
@@ -9470,6 +9486,7 @@ proc mkpatchcan {} {
proc mktag {} {
global rowmenuid mktagtop commitinfo NS
+ global hashlength
set top .maketag
set mktagtop $top
@@ -9479,7 +9496,7 @@ proc mktag {} {
${NS}::label $top.title -text [mc "Create tag"]
grid $top.title - -pady 10
${NS}::label $top.id -text [mc "ID:"]
- ${NS}::entry $top.sha1 -width 40
+ ${NS}::entry $top.sha1 -width $hashlength
$top.sha1 insert 0 $rowmenuid
$top.sha1 conf -state readonly
grid $top.id $top.sha1 -sticky w
@@ -9587,10 +9604,11 @@ proc mktaggo {} {
proc copyreference {} {
global rowmenuid autosellen
+ global hashlength
set format "%h (\"%s\", %ad)"
set cmd [list git show -s --pretty=format:$format --date=short]
- if {$autosellen < 40} {
+ if {$autosellen < $hashlength} {
lappend cmd --abbrev=$autosellen
}
set reference [eval exec $cmd $rowmenuid]
@@ -9601,6 +9619,7 @@ proc copyreference {} {
proc writecommit {} {
global rowmenuid wrcomtop commitinfo wrcomcmd NS
+ global hashlength
set top .writecommit
set wrcomtop $top
@@ -9610,7 +9629,7 @@ proc writecommit {} {
${NS}::label $top.title -text [mc "Write commit to file"]
grid $top.title - -pady 10
${NS}::label $top.id -text [mc "ID:"]
- ${NS}::entry $top.sha1 -width 40
+ ${NS}::entry $top.sha1 -width $hashlength
$top.sha1 insert 0 $rowmenuid
$top.sha1 conf -state readonly
grid $top.id $top.sha1 -sticky w
@@ -9690,6 +9709,7 @@ proc mvbranch {} {
proc branchdia {top valvar uivar} {
global NS commitinfo
+ global hashlength
upvar $valvar val $uivar ui
catch {destroy $top}
@@ -9698,7 +9718,7 @@ proc branchdia {top valvar uivar} {
${NS}::label $top.title -text $ui(title)
grid $top.title - -pady 10
${NS}::label $top.id -text [mc "ID:"]
- ${NS}::entry $top.sha1 -width 40
+ ${NS}::entry $top.sha1 -width $hashlength
$top.sha1 insert 0 $val(id)
$top.sha1 conf -state readonly
grid $top.id $top.sha1 -sticky w
@@ -9708,7 +9728,7 @@ proc branchdia {top valvar uivar} {
grid x $top.head -sticky ew
grid columnconfigure $top 1 -weight 1
${NS}::label $top.nlab -text [mc "Name:"]
- ${NS}::entry $top.name -width 40
+ ${NS}::entry $top.name -width $hashlength
$top.name insert 0 $val(name)
grid $top.nlab $top.name -sticky w
${NS}::frame $top.buts
@@ -11697,6 +11717,7 @@ proc prefspage_general {notebook} {
global tabstop wrapcomment wrapdefault limitdiffs
global autocopy autoselect autosellen extdifftool perfile_attrs
global hideremotes want_ttk have_ttk maxrefs web_browser
+ global hashlength
set page [create_prefs_page $notebook.general]
@@ -11725,7 +11746,8 @@ proc prefspage_general {notebook} {
-variable autoselect
grid x $page.autoselect -sticky w
}
- spinbox $page.autosellen -from 1 -to 40 -width 4 -textvariable autosellen
+
+ spinbox $page.autosellen -from 1 -to $hashlength -width 4 -textvariable autosellen
${NS}::label $page.autosellenl -text [mc "Length of commit ID to copy"]
grid x $page.autosellenl $page.autosellen -sticky w
@@ -12491,6 +12513,17 @@ if {$tclencoding == {}} {
puts stderr "Warning: encoding $gitencoding is not supported by Tcl/Tk"
}
+# Use object format as hash algorightm (either "sha1" or "sha256")
+set hashalgorithm [exec git rev-parse --show-object-format]
+if {$hashalgorithm eq "sha1"} {
+ set hashlength 40
+} elseif {$hashalgorithm eq "sha256"} {
+ set hashlength 64
+} else {
+ puts stderr "Unknown hash algorithm: $hashalgorithm"
+ exit 1
+}
+
set gui_encoding [encoding system]
catch {
set enc [exec git config --get gui.encoding]
@@ -12545,7 +12578,7 @@ set limitdiffs 1
set datetimeformat "%Y-%m-%d %H:%M:%S"
set autocopy 0
set autoselect 1
-set autosellen 40
+set autosellen $hashlength
set perfile_attrs 0
set want_ttk 1
--
2.49.0


@@ -1,178 +0,0 @@
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH] git-gui: Add support of SHA256 repo
Date: Tue, 17 Jun 2025 08:03:59 +0200
Message-ID: <20250617060406.10159-1-tiwai@suse.de>
This patch adds the basic support of SHA256 Git repositories.
The needed changes were mostly about adjusting the fixed ID length of
SHA1 (40) to be variable depending on the repo type.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
git-gui/git-gui.sh | 13 ++++++++++++-
git-gui/lib/blame.tcl | 12 ++++++++----
git-gui/lib/choose_repository.tcl | 8 ++++++--
git-gui/lib/remote_branch_delete.tcl | 4 +++-
4 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/git-gui/git-gui.sh b/git-gui/git-gui.sh
index 28572c889c0e..206981190535 100755
--- a/git-gui/git-gui.sh
+++ b/git-gui/git-gui.sh
@@ -1275,6 +1275,17 @@ if {[catch {
set picked 1
}
+# Use object format as hash algorightm (either "sha1" or "sha256")
+set hashalgorithm [exec git rev-parse --show-object-format]
+if {$hashalgorithm eq "sha1"} {
+ set hashlength 40
+} elseif {$hashalgorithm eq "sha256"} {
+ set hashlength 64
+} else {
+ puts stderr "Unknown hash algorithm: $hashalgorithm"
+ exit 1
+}
+
# we expand the _gitdir when it's just a single dot (i.e. when we're being
# run from the .git dir itself) lest the routines to find the worktree
# get confused
@@ -1822,7 +1833,7 @@ proc short_path {path} {
}
set next_icon_id 0
-set null_sha1 [string repeat 0 40]
+set null_sha1 [string repeat 0 $hashlength]
proc merge_state {path new_state {head_info {}} {index_info {}}} {
global file_states next_icon_id null_sha1
diff --git a/git-gui/lib/blame.tcl b/git-gui/lib/blame.tcl
index 8441e109be32..1f0b8ea28504 100644
--- a/git-gui/lib/blame.tcl
+++ b/git-gui/lib/blame.tcl
@@ -426,6 +426,7 @@ method _kill {} {
method _load {jump} {
variable group_colors
+ global hashlength
_hide_tooltip $this
@@ -436,7 +437,7 @@ method _load {jump} {
$i conf -state normal
$i delete 0.0 end
foreach g [$i tag names] {
- if {[regexp {^g[0-9a-f]{40}$} $g]} {
+ if {[regexp [string map "@@ $hashlength" {^g[0-9a-f]{@@}$}] $g]} {
$i tag delete $g
}
}
@@ -500,6 +501,8 @@ method _load {jump} {
}
method _history_menu {} {
+ global hashlength
+
set m $w.backmenu
if {[winfo exists $m]} {
$m delete 0 end
@@ -513,7 +516,7 @@ method _history_menu {} {
set c [lindex $e 0]
set f [lindex $e 1]
- if {[regexp {^[0-9a-f]{40}$} $c]} {
+ if {[regexp [string map "@@ $hashlength" {^[0-9a-f]{@@}$}] $c]} {
set t [string range $c 0 8]...
} elseif {$c eq {}} {
set t {Working Directory}
@@ -627,6 +630,7 @@ method _exec_blame {cur_w cur_d options cur_s} {
method _read_blame {fd cur_w cur_d} {
upvar #0 $cur_d line_data
variable group_colors
+ global hashlength
if {$fd ne $current_fd} {
catch {close $fd}
@@ -635,7 +639,7 @@ method _read_blame {fd cur_w cur_d} {
$cur_w conf -state normal
while {[gets $fd line] >= 0} {
- if {[regexp {^([a-z0-9]{40}) (\d+) (\d+) (\d+)$} $line line \
+ if {[regexp [string map "@@ $hashlength" {^([a-z0-9]{@@}) (\d+) (\d+) (\d+)$}] $line line \
cmit original_line final_line line_count]} {
set r_commit $cmit
set r_orig_line $original_line
@@ -648,7 +652,7 @@ method _read_blame {fd cur_w cur_d} {
set oln $r_orig_line
set cmit $r_commit
- if {[regexp {^0{40}$} $cmit]} {
+ if {[regexp [string map "@@ $hashlength" {^0{@@}$}] $cmit]} {
set commit_abbr work
set commit_type curr_commit
} elseif {$cmit eq $commit} {
diff --git a/git-gui/lib/choose_repository.tcl b/git-gui/lib/choose_repository.tcl
index d23abedcb36f..6078b1c7e2c4 100644
--- a/git-gui/lib/choose_repository.tcl
+++ b/git-gui/lib/choose_repository.tcl
@@ -870,6 +870,8 @@ method _do_clone_HEAD {ok} {
}
method _do_clone_full_end {ok} {
+ global hashlength
+
$o_cons done $ok
if {$ok} {
@@ -879,7 +881,7 @@ method _do_clone_full_end {ok} {
if {[file exists [gitdir FETCH_HEAD]]} {
set fd [open [gitdir FETCH_HEAD] r]
while {[gets $fd line] >= 0} {
- if {[regexp "^(.{40})\t\t" $line line HEAD]} {
+ if {[regexp [string map "@@ $hashlength" "^(.{@@})\t\t"] $line line HEAD]} {
break
}
}
@@ -965,6 +967,8 @@ method _do_clone_checkout {HEAD} {
}
method _readtree_wait {fd} {
+ global hashlength
+
set buf [read $fd]
$o_status_op update_meter $buf
append readtree_err $buf
@@ -986,7 +990,7 @@ method _readtree_wait {fd} {
# -- Run the post-checkout hook.
#
- set fd_ph [githook_read post-checkout [string repeat 0 40] \
+ set fd_ph [githook_read post-checkout [string repeat 0 $hashlength] \
[git rev-parse HEAD] 1]
if {$fd_ph ne {}} {
global pch_error
diff --git a/git-gui/lib/remote_branch_delete.tcl b/git-gui/lib/remote_branch_delete.tcl
index 5ba9fcadd17f..8ea672479306 100644
--- a/git-gui/lib/remote_branch_delete.tcl
+++ b/git-gui/lib/remote_branch_delete.tcl
@@ -323,6 +323,8 @@ method _load {cache uri} {
}
method _read {cache fd} {
+ global hashlength
+
if {$fd ne $active_ls} {
catch {close $fd}
return
@@ -330,7 +332,7 @@ method _read {cache fd} {
while {[gets $fd line] >= 0} {
if {[string match {*^{}} $line]} continue
- if {[regexp {^([0-9a-f]{40}) (.*)$} $line _junk obj ref]} {
+ if {[regexp [string map "@@ $hashlength" {^([0-9a-f]{@@}) (.*)$}] $line _junk obj ref]} {
if {[regsub ^refs/heads/ $ref {} abr]} {
lappend head_list $abr
lappend head_cache($cache) $abr
--
2.49.0

98
CVE-2024-50349-1.patch Normal file

@@ -0,0 +1,98 @@
From c903985bf7e772e2d08275c1a95c8a55ab011577 Mon Sep 17 00:00:00 2001
From: Johannes Schindelin <johannes.schindelin@gmx.de>
Date: Thu, 7 Nov 2024 08:57:52 +0100
Subject: [PATCH 1/2] credential_format(): also encode <host>[:<port>]
An upcoming change wants to sanitize the credential password prompt
where a URL is displayed that may potentially come from a `.gitmodules`
file. To this end, the `credential_format()` function is employed.
To sanitize the host name (and optional port) part of the URL, we need a
new mode of the `strbuf_add_percentencode()` function because the
current mode is both too strict and too lenient: too strict because it
encodes `:`, `[` and `]` (which should be left unencoded in
`<host>:<port>` and in IPv6 addresses), and too lenient because it does
not encode invalid host name characters `/`, `_` and `~`.
So let's introduce and use a new mode specifically to encode the host
name and optional port part of a URI, leaving alpha-numerical
characters, periods, colons and brackets alone and encoding all others.
This only leads to a change of behavior for URLs that contain invalid
host names.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
credential.c | 3 ++-
strbuf.c | 4 +++-
strbuf.h | 1 +
t/t0300-credentials.sh | 13 +++++++++++++
4 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/credential.c b/credential.c
index f32011343f..572f1785da 100644
--- a/credential.c
+++ b/credential.c
@@ -164,7 +164,8 @@ static void credential_format(struct credential *c, struct strbuf *out)
strbuf_addch(out, '@');
}
if (c->host)
- strbuf_addstr(out, c->host);
+ strbuf_add_percentencode(out, c->host,
+ STRBUF_ENCODE_HOST_AND_PORT);
if (c->path) {
strbuf_addch(out, '/');
strbuf_add_percentencode(out, c->path, 0);
diff --git a/strbuf.c b/strbuf.c
index c383f41a3c..756b96c561 100644
--- a/strbuf.c
+++ b/strbuf.c
@@ -492,7 +492,9 @@ void strbuf_add_percentencode(struct strbuf *dst, const char *src, int flags)
unsigned char ch = src[i];
if (ch <= 0x1F || ch >= 0x7F ||
(ch == '/' && (flags & STRBUF_ENCODE_SLASH)) ||
- strchr(URL_UNSAFE_CHARS, ch))
+ ((flags & STRBUF_ENCODE_HOST_AND_PORT) ?
+ !isalnum(ch) && !strchr("-.:[]", ch) :
+ !!strchr(URL_UNSAFE_CHARS, ch)))
strbuf_addf(dst, "%%%02X", (unsigned char)ch);
else
strbuf_addch(dst, ch);
diff --git a/strbuf.h b/strbuf.h
index f6dbb9681e..f9f8bb0381 100644
--- a/strbuf.h
+++ b/strbuf.h
@@ -380,6 +380,7 @@ size_t strbuf_expand_dict_cb(struct strbuf *sb,
void strbuf_addbuf_percentquote(struct strbuf *dst, const struct strbuf *src);
#define STRBUF_ENCODE_SLASH 1
+#define STRBUF_ENCODE_HOST_AND_PORT 2
/**
* Append the contents of a string to a strbuf, percent-encoding any characters
diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
index c66d91e82d..cb91be1427 100755
--- a/t/t0300-credentials.sh
+++ b/t/t0300-credentials.sh
@@ -514,6 +514,19 @@ test_expect_success 'match percent-encoded values in username' '
EOF
'
+test_expect_success 'match percent-encoded values in hostname' '
+ test_config "credential.https://a%20b%20c/.helper" "$HELPER" &&
+ check fill <<-\EOF
+ url=https://a b c/
+ --
+ protocol=https
+ host=a b c
+ username=foo
+ password=bar
+ --
+ EOF
+'
+
test_expect_success 'fetch with multiple path components' '
test_unconfig credential.helper &&
test_config credential.https://example.com/foo/repo.git.helper "verbatim foo bar" &&
--
2.47.1
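Review bot: `STRBUF_ENCODE_HOST_AND_PORT` is added in strbuf.h without any description, and the diffstat shows that one line as the only change to the header, so the doc comment of `strbuf_add_percentencode()` that begins right below it (and continues outside the hunk) presumably still does not say what the new mode does. Since this flag is the allowlist that decides which bytes of a host reach the credential prompt unencoded, I would state it next to the define: `/* encode everything except alphanumerics and "-.:[]"; for the <host>[:<port>] part of a URL */`. The description lists periods, colons and brackets as left alone, but the strbuf.c condition also keeps `-`, which is worth saying in that comment too. The added t0300 case covers only spaces in the host; a case with an IPv6 literal and port (expected to stay unencoded) and one with `/`, `_` or `~` in the host would pin the rest of the allowlist.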

314
CVE-2024-50349-2.patch Normal file

@@ -0,0 +1,314 @@
From 7725b8100ffbbff2750ee4d61a0fcc1f53a086e8 Mon Sep 17 00:00:00 2001
From: Johannes Schindelin <johannes.schindelin@gmx.de>
Date: Wed, 30 Oct 2024 13:26:10 +0100
Subject: [PATCH 2/2] credential: sanitize the user prompt
When asking the user interactively for credentials, we want to avoid
misleading them e.g. via control sequences that pretend that the URL
targets a trusted host when it does not.
While Git learned, over the course of the preceding commits, to disallow
URLs containing URL-encoded control characters by default, credential
helpers are still allowed to specify values very freely (apart from Line
Feed and NUL characters, anything is allowed), and this would allow,
say, a username containing control characters to be specified that would
then be displayed in the interactive terminal prompt asking the user for
the password, potentially sending those control characters directly to
the terminal. This is undesirable because control characters can be used
to mislead users to divulge secret information to untrusted sites.
To prevent such an attack vector, let's add a `git_prompt()` that forces
the displayed text to be sanitized, i.e. displaying question marks
instead of control characters.
Note: While this commit's diff changes a lot of `user@host` strings to
`user%40host`, which may look suspicious on the surface, there is a good
reason for that: this string specifies a user name, not a
<username>@<hostname> combination! In the context of t5541, the actual
combination looks like this: `user%40@127.0.0.1:5541`. Therefore, these
string replacements document a net improvement introduced by this
commit, as `user@host@127.0.0.1` could have left readers wondering where
the user name ends and where the host name begins.
Hinted-at-by: Jeff King <peff@peff.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
Documentation/config/credential.txt | 6 ++++++
credential.c | 7 ++++++-
credential.h | 4 +++-
t/t0300-credentials.sh | 20 ++++++++++++++++++++
t/t5541-http-push-smart.sh | 6 +++---
t/t5550-http-fetch-dumb.sh | 14 +++++++-------
t/t5551-http-fetch-smart.sh | 16 ++++++++--------
7 files changed, 53 insertions(+), 20 deletions(-)
Index: b/Documentation/config/credential.txt
===================================================================
--- a/Documentation/config/credential.txt
+++ b/Documentation/config/credential.txt
@@ -14,6 +14,12 @@ credential.useHttpPath::
or https URL to be important. Defaults to false. See
linkgit:gitcredentials[7] for more information.
+credential.sanitizePrompt::
+ By default, user names and hosts that are shown as part of the
+ password prompt are not allowed to contain control characters (they
+ will be URL-encoded by default). Configure this setting to `false` to
+ override that behavior.
+
credential.username::
If no username is set for a network authentication, use this username
by default. See credential.<context>.* below, and
Index: b/credential.c
===================================================================
--- a/credential.c
+++ b/credential.c
@@ -125,6 +125,8 @@ static int credential_config_callback(co
}
else if (!strcmp(key, "usehttppath"))
c->use_http_path = git_config_bool(var, value);
+ else if (!strcmp(key, "sanitizeprompt"))
+ c->sanitize_prompt = git_config_bool(var, value);
return 0;
}
@@ -237,7 +239,10 @@ static char *credential_ask_one(const ch
struct strbuf prompt = STRBUF_INIT;
char *r;
- credential_describe(c, &desc);
+ if (c->sanitize_prompt)
+ credential_format(c, &desc);
+ else
+ credential_describe(c, &desc);
if (desc.len)
strbuf_addf(&prompt, "%s for '%s': ", what, desc.buf);
else
Index: b/credential.h
===================================================================
--- a/credential.h
+++ b/credential.h
@@ -168,7 +168,8 @@ struct credential {
multistage: 1,
quit:1,
use_http_path:1,
- username_from_proto:1;
+ username_from_proto:1,
+ sanitize_prompt:1;
struct credential_capability capa_authtype;
struct credential_capability capa_state;
@@ -195,6 +196,7 @@ struct credential {
.wwwauth_headers = STRVEC_INIT, \
.state_headers = STRVEC_INIT, \
.state_headers_to_send = STRVEC_INIT, \
+ .sanitize_prompt = 1, \
}
/* Initialize a credential structure, setting all fields to empty. */
Index: b/t/t0300-credentials.sh
===================================================================
--- a/t/t0300-credentials.sh
+++ b/t/t0300-credentials.sh
@@ -77,6 +77,10 @@ test_expect_success 'setup helper script
test -z "$pexpiry" || echo password_expiry_utc=$pexpiry
EOF
+ write_script git-credential-cntrl-in-username <<-\EOF &&
+ printf "username=\\007latrix Lestrange\\n"
+ EOF
+
PATH="$PWD:$PATH"
'
@@ -1008,4 +1012,20 @@ test_expect_success 'credential config w
test_grep "skipping credential lookup for key" stderr
'
+BEL="$(printf '\007')"
+
+test_expect_success 'interactive prompt is sanitized' '
+ check fill cntrl-in-username <<-EOF
+ protocol=https
+ host=example.org
+ --
+ protocol=https
+ host=example.org
+ username=${BEL}latrix Lestrange
+ password=askpass-password
+ --
+ askpass: Password for ${SQ}https://%07latrix%20Lestrange@example.org${SQ}:
+ EOF
+'
+
test_done
Index: b/t/t5541-http-push-smart.sh
===================================================================
--- a/t/t5541-http-push-smart.sh
+++ b/t/t5541-http-push-smart.sh
@@ -343,7 +343,7 @@ test_expect_success 'push over smart htt
git push "$HTTPD_URL"/auth/smart/test_repo.git &&
git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/test_repo.git" \
log -1 --format=%s >actual &&
- expect_askpass both user@host &&
+ expect_askpass both user%40host &&
test_cmp expect actual
'
@@ -355,7 +355,7 @@ test_expect_success 'push to auth-only-f
git push "$HTTPD_URL"/auth-push/smart/test_repo.git &&
git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/test_repo.git" \
log -1 --format=%s >actual &&
- expect_askpass both user@host &&
+ expect_askpass both user%40host &&
test_cmp expect actual
'
@@ -385,7 +385,7 @@ test_expect_success 'push into half-auth
git push "$HTTPD_URL/half-auth-complete/smart/half-auth.git" &&
git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/half-auth.git" \
log -1 --format=%s >actual &&
- expect_askpass both user@host &&
+ expect_askpass both user%40host &&
test_cmp expect actual
'
Index: b/t/t5550-http-fetch-dumb.sh
===================================================================
--- a/t/t5550-http-fetch-dumb.sh
+++ b/t/t5550-http-fetch-dumb.sh
@@ -111,13 +111,13 @@ test_expect_success 'http auth can use u
test_expect_success 'http auth can use just user in URL' '
set_askpass wrong pass@host &&
git clone "$HTTPD_URL_USER/auth/dumb/repo.git" clone-auth-pass &&
- expect_askpass pass user@host
+ expect_askpass pass user%40host
'
test_expect_success 'http auth can request both user and pass' '
set_askpass user@host pass@host &&
git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-both &&
- expect_askpass both user@host
+ expect_askpass both user%40host
'
test_expect_success 'http auth respects credential helper config' '
@@ -135,14 +135,14 @@ test_expect_success 'http auth can get u
test_config_global "credential.$HTTPD_URL.username" user@host &&
set_askpass wrong pass@host &&
git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-user &&
- expect_askpass pass user@host
+ expect_askpass pass user%40host
'
test_expect_success 'configured username does not override URL' '
test_config_global "credential.$HTTPD_URL.username" wrong &&
set_askpass wrong pass@host &&
git clone "$HTTPD_URL_USER/auth/dumb/repo.git" clone-auth-user2 &&
- expect_askpass pass user@host
+ expect_askpass pass user%40host
'
test_expect_success 'set up repo with http submodules' '
@@ -163,7 +163,7 @@ test_expect_success 'cmdline credential
set_askpass wrong pass@host &&
git -c "credential.$HTTPD_URL.username=user@host" \
clone --recursive super super-clone &&
- expect_askpass pass user@host
+ expect_askpass pass user%40host
'
test_expect_success 'cmdline credential config passes submodule via fetch' '
@@ -174,7 +174,7 @@ test_expect_success 'cmdline credential
git -C super-clone \
-c "credential.$HTTPD_URL.username=user@host" \
fetch --recurse-submodules &&
- expect_askpass pass user@host
+ expect_askpass pass user%40host
'
test_expect_success 'cmdline credential config passes submodule update' '
@@ -191,7 +191,7 @@ test_expect_success 'cmdline credential
git -C super-clone \
-c "credential.$HTTPD_URL.username=user@host" \
submodule update &&
- expect_askpass pass user@host
+ expect_askpass pass user%40host
'
test_expect_success 'fetch changes via http' '
Index: b/t/t5551-http-fetch-smart.sh
===================================================================
--- a/t/t5551-http-fetch-smart.sh
+++ b/t/t5551-http-fetch-smart.sh
@@ -181,7 +181,7 @@ test_expect_success 'clone from password
echo two >expect &&
set_askpass user@host pass@host &&
git clone --bare "$HTTPD_URL/auth/smart/repo.git" smart-auth &&
- expect_askpass both user@host &&
+ expect_askpass both user%40host &&
git --git-dir=smart-auth log -1 --format=%s >actual &&
test_cmp expect actual
'
@@ -199,7 +199,7 @@ test_expect_success 'clone from auth-onl
echo two >expect &&
set_askpass user@host pass@host &&
git clone --bare "$HTTPD_URL/auth-fetch/smart/repo.git" half-auth &&
- expect_askpass both user@host &&
+ expect_askpass both user%40host &&
git --git-dir=half-auth log -1 --format=%s >actual &&
test_cmp expect actual
'
@@ -224,14 +224,14 @@ test_expect_success 'redirects send auth
set_askpass user@host pass@host &&
git -c credential.useHttpPath=true \
clone $HTTPD_URL/smart-redir-auth/repo.git repo-redir-auth &&
- expect_askpass both user@host auth/smart/repo.git
+ expect_askpass both user%40host auth/smart/repo.git
'
test_expect_success 'GIT_TRACE_CURL redacts auth details' '
rm -rf redact-auth trace &&
set_askpass user@host pass@host &&
GIT_TRACE_CURL="$(pwd)/trace" git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth &&
- expect_askpass both user@host &&
+ expect_askpass both user%40host &&
# Ensure that there is no "Basic" followed by a base64 string, but that
# the auth details are redacted
@@ -243,7 +243,7 @@ test_expect_success 'GIT_CURL_VERBOSE re
rm -rf redact-auth trace &&
set_askpass user@host pass@host &&
GIT_CURL_VERBOSE=1 git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth 2>trace &&
- expect_askpass both user@host &&
+ expect_askpass both user%40host &&
# Ensure that there is no "Basic" followed by a base64 string, but that
# the auth details are redacted
@@ -256,7 +256,7 @@ test_expect_success 'GIT_TRACE_CURL does
set_askpass user@host pass@host &&
GIT_TRACE_REDACT=0 GIT_TRACE_CURL="$(pwd)/trace" \
git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth &&
- expect_askpass both user@host &&
+ expect_askpass both user%40host &&
grep -i "Authorization: Basic [0-9a-zA-Z+/]" trace
'
@@ -570,7 +570,7 @@ test_expect_success 'http auth remembers
# the first request prompts the user...
set_askpass user@host pass@host &&
git ls-remote "$HTTPD_URL/auth/smart/repo.git" >/dev/null &&
- expect_askpass both user@host &&
+ expect_askpass both user%40host &&
# ...and the second one uses the stored value rather than
# prompting the user.
@@ -601,7 +601,7 @@ test_expect_success 'http auth forgets b
# us to prompt the user again.
set_askpass user@host pass@host &&
git ls-remote "$HTTPD_URL/auth/smart/repo.git" >/dev/null &&
- expect_askpass both user@host
+ expect_askpass both user%40host
'
test_expect_success 'client falls back from v2 to v0 to match server' '

193
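--- a/CVE-2024-52006.patch
+++ b/CVE-2024-52006.patch
@@ -0,0 +1,193 @@
+From b01b9b81d36759cdcd07305e78765199e1bc2060 Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <johannes.schindelin@gmx.de>
+Date: Mon, 4 Nov 2024 14:48:22 +0100
+Subject: [PATCH] credential: disallow Carriage Returns in the protocol by
+default
+While Git has documented that the credential protocol is line-based,
+with newlines as terminators, the exact shape of a newline has not been
+documented.
+From Git's perspective, which is firmly rooted in the Linux ecosystem,
+it is clear that "a newline" means a Line Feed character.
+However, even Git's credential protocol respects Windows line endings
+(a Carriage Return character followed by a Line Feed character, "CR/LF")
+by virtue of using `strbuf_getline()`.
+There is a third category of line endings that has been used originally
+by MacOS, and that is respected by the default line readers of .NET and
+node.js: bare Carriage Returns.
+Git cannot handle those, and what is worse: Git's remedy against
+CVE-2020-5260 does not catch when credential helpers are used that
+interpret bare Carriage Returns as newlines.
+Git Credential Manager addressed this as CVE-2024-50338, but other
+credential helpers may still be vulnerable. So let's not only disallow
+Line Feed characters as part of the values in the credential protocol,
+but also disallow Carriage Return characters.
+In the unlikely event that a credential helper relies on Carriage
+Returns in the protocol, introduce an escape hatch via the
+`credential.protectProtocol` config setting.
+This addresses CVE-2024-52006.
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+---
+Documentation/config/credential.txt | 5 +++++
+credential.c | 21 ++++++++++++++-------
+credential.h | 4 +++-
+t/t0300-credentials.sh | 16 ++++++++++++++++
+4 files changed, 38 insertions(+), 8 deletions(-)
+Index: b/Documentation/config/credential.txt
+===================================================================
+--- a/Documentation/config/credential.txt
++++ b/Documentation/config/credential.txt
+@@ -20,6 +20,11 @@ credential.sanitizePrompt::
+will be URL-encoded by default). Configure this setting to `false` to
+override that behavior.
++credential.protectProtocol::
++ By default, Carriage Return characters are not allowed in the protocol
++ that is used when Git talks to a credential helper. This setting allows
++ users to override this default.
++
+credential.username::
+If no username is set for a network authentication, use this username
+by default. See credential.<context>.* below, and
+Index: b/credential.c
+===================================================================
+--- a/credential.c
++++ b/credential.c
+@@ -127,6 +127,8 @@ static int credential_config_callback(co
+c->use_http_path = git_config_bool(var, value);
+else if (!strcmp(key, "sanitizeprompt"))
+c->sanitize_prompt = git_config_bool(var, value);
++ else if (!strcmp(key, "protectprotocol"))
++ c->protect_protocol = git_config_bool(var, value);
+return 0;
+}
+@@ -361,7 +363,8 @@ int credential_read(struct credential *c
+return 0;
+}
+-static void credential_write_item(FILE *fp, const char *key, const char *value,
++static void credential_write_item(const struct credential *c,
++ FILE *fp, const char *key, const char *value,
+int required)
+{
+if (!value && required)
+@@ -370,6 +373,10 @@ static void credential_write_item(FILE *
+return;
+if (strchr(value, '\n'))
+die("credential value for %s contains newline", key);
++ if (c->protect_protocol && strchr(value, '\r'))
++ die("credential value for %s contains carriage return\n"
++ "If this is intended, set `credential.protectProtocol=false`",
++ key);
+fprintf(fp, "%s=%s\n", key, value);
+}
+@@ -377,34 +384,34 @@ void credential_write(const struct crede
+enum credential_op_type op_type)
+{
+if (credential_has_capability(&c->capa_authtype, op_type))
+- credential_write_item(fp, "capability[]", "authtype", 0);
++ credential_write_item(c, fp, "capability[]", "authtype", 0);
+if (credential_has_capability(&c->capa_state, op_type))
+- credential_write_item(fp, "capability[]", "state", 0);
++ credential_write_item(c, fp, "capability[]", "state", 0);
+if (credential_has_capability(&c->capa_authtype, op_type)) {
+- credential_write_item(fp, "authtype", c->authtype, 0);
+- credential_write_item(fp, "credential", c->credential, 0);
++ credential_write_item(c, fp, "authtype", c->authtype, 0);
++ credential_write_item(c, fp, "credential", c->credential, 0);
+if (c->ephemeral)
+- credential_write_item(fp, "ephemeral", "1", 0);
++ credential_write_item(c, fp, "ephemeral", "1", 0);
+}
+- credential_write_item(fp, "protocol", c->protocol, 1);
+- credential_write_item(fp, "host", c->host, 1);
+- credential_write_item(fp, "path", c->path, 0);
+- credential_write_item(fp, "username", c->username, 0);
+- credential_write_item(fp, "password", c->password, 0);
+- credential_write_item(fp, "oauth_refresh_token", c->oauth_refresh_token, 0);
++ credential_write_item(c, fp, "protocol", c->protocol, 1);
++ credential_write_item(c, fp, "host", c->host, 1);
++ credential_write_item(c, fp, "path", c->path, 0);
++ credential_write_item(c, fp, "username", c->username, 0);
++ credential_write_item(c, fp, "password", c->password, 0);
++ credential_write_item(c, fp, "oauth_refresh_token", c->oauth_refresh_token, 0);
+if (c->password_expiry_utc != TIME_MAX) {
+char *s = xstrfmt("%"PRItime, c->password_expiry_utc);
+- credential_write_item(fp, "password_expiry_utc", s, 0);
++ credential_write_item(c, fp, "password_expiry_utc", s, 0);
+free(s);
+}
+for (size_t i = 0; i < c->wwwauth_headers.nr; i++)
+- credential_write_item(fp, "wwwauth[]", c->wwwauth_headers.v[i], 0);
++ credential_write_item(c, fp, "wwwauth[]", c->wwwauth_headers.v[i], 0);
+if (credential_has_capability(&c->capa_state, op_type)) {
+if (c->multistage)
+- credential_write_item(fp, "continue", "1", 0);
++ credential_write_item(c, fp, "continue", "1", 0);
+for (size_t i = 0; i < c->state_headers_to_send.nr; i++)
+- credential_write_item(fp, "state[]", c->state_headers_to_send.v[i], 0);
++ credential_write_item(c, fp, "state[]", c->state_headers_to_send.v[i], 0);
+}
+}
+Index: b/credential.h
+===================================================================
+--- a/credential.h
++++ b/credential.h
+@@ -169,7 +169,8 @@ struct credential {
+quit:1,
+use_http_path:1,
+username_from_proto:1,
+- sanitize_prompt:1;
++ sanitize_prompt:1,
++ protect_protocol:1;
+struct credential_capability capa_authtype;
+struct credential_capability capa_state;
+@@ -197,6 +198,7 @@ struct credential {
+.state_headers = STRVEC_INIT, \
+.state_headers_to_send = STRVEC_INIT, \
+.sanitize_prompt = 1, \
++ .protect_protocol = 1, \
+}
+/* Initialize a credential structure, setting all fields to empty. */
+Index: b/t/t0300-credentials.sh
+===================================================================
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -903,6 +903,22 @@ test_expect_success 'url parser rejects
+test_cmp expect stderr
+'
++test_expect_success 'url parser rejects embedded carriage returns' '
++ test_config credential.helper "!true" &&
++ test_must_fail git credential fill 2>stderr <<-\EOF &&
++ url=https://example%0d.com/
++ EOF
++ cat >expect <<-\EOF &&
++ fatal: credential value for host contains carriage return
++ If this is intended, set `credential.protectProtocol=false`
++ EOF
++ test_cmp expect stderr &&
++ GIT_ASKPASS=true \
++ git -c credential.protectProtocol=false credential fill <<-\EOF
++ url=https://example%0d.com/
++ EOF
++'
++
+test_expect_success 'host-less URLs are parsed as empty host' '
+check fill "verbatim foo bar" <<-\EOF
+url=cert:///path/to/cert.pem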
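Review bot: The `credential.protectProtocol` entry added to Documentation/config/credential.txt does not state that the setting is a boolean that defaults to true, nor what is lost when it is turned off. With it set to false, the `strchr(value, '\r')` check in `credential_write_item()` is skipped, so the CVE-2020-5260 remedy again fails to cover helpers that read a bare Carriage Return as a line ending, as the commit message describes. I would extend the entry with something like `Only set this to false if every configured credential helper treats a bare Carriage Return as data rather than as a line terminator.` The new test in t/t0300-credentials.sh covers a CR in the host only; a case with the CR in the username or path part of the URL would confirm the check applies to every written value.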

BIN
git-2.46.1.tar.sign Normal file

Binary file not shown.

BIN
git-2.46.1.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

Binary file not shown.


@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dff3c000e400ace3a63b8a6f8b3b76b88ecfdffd4504a04aba4248372cdec045
size 7878256


@@ -1,17 +1,17 @@
---
Documentation/asciidoc.conf.in | 2 ++
Documentation/asciidoc.conf | 2 ++
1 file changed, 2 insertions(+)
Index: git-2.48.0/Documentation/asciidoc.conf.in
Index: git-2.11.0/Documentation/asciidoc.conf
===================================================================
--- git-2.48.0.orig/Documentation/asciidoc.conf.in
+++ git-2.48.0/Documentation/asciidoc.conf.in
@@ -24,6 +24,8 @@ litdd=&#45;&#45;
manmanual=Git Manual
mansource=Git @GIT_VERSION@
revdate=@GIT_DATE@
--- git-2.11.0.orig/Documentation/asciidoc.conf
+++ git-2.11.0/Documentation/asciidoc.conf
@@ -21,6 +21,8 @@ tilde=&#126;
apostrophe=&#39;
backtick=&#96;
litdd=&#45;&#45;
+# drops the "last-updated" footer, with asciidoc-8.6.9+
+footer-style=none
ifdef::doctype-book[]
[titles]
ifdef::backend-docbook[]
[linkgit-inlinemacro]


@@ -1,133 +1,12 @@
-------------------------------------------------------------------
Tue Jun 17 17:55:40 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
Thu Jan 16 22:29:07 UTC 2025 - Antonio Teixeira <antonio.teixeira@suse.com>
- update to 2.50.0
https://about.gitlab.com/blog/what-s-new-in-git-2-50-0/
https://raw.githubusercontent.com/git/git/refs/tags/v2.50.0/Documentation/RelNotes/2.50.0.adoc
-------------------------------------------------------------------
Fri Jun 13 15:50:22 UTC 2025 - Takashi Iwai <tiwai@suse.com>
- Refresh gitk SHA256 patch and add SHA256 support to git-gui (bsc#1239989):
0001-gitk-Add-support-of-SHA256-repo.patch
0002-git-gui-Add-support-of-SHA256-repo.patch
The previous patches are dropped:
0001-gitk-Add-a-basic-support-of-SHA256-repositories-into.patch
0002-gitk-Add-auto-select-length-preference-for-SHA256.patch
-------------------------------------------------------------------
Mon Mar 24 14:04:56 UTC 2025 - Takashi Iwai <tiwai@suse.com>
- Add support of SHA256 git repo for gitk (bsc#1239989):
0001-gitk-Add-a-basic-support-of-SHA256-repositories-into.patch
0002-gitk-Add-auto-select-length-preference-for-SHA256.patch
-------------------------------------------------------------------
Fri Mar 14 23:43:43 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- update to 2.49.0
https://about.gitlab.com/blog/2025/03/14/whats-new-in-git-2-49-0/
https://raw.githubusercontent.com/git/git/refs/tags/v2.49.0/Documentation/RelNotes/2.49.0.adoc
- switch to zlib-ng for code 16
- docs switched to asciidoc
-------------------------------------------------------------------
Tue Jan 14 21:45:04 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
- update to 2.48.1: (boo#1235600 boo#1235601)
* CVE-2024-50349, CVE-2024-52006:
refuse to accept URLs that contain control sequences
-------------------------------------------------------------------
Mon Jan 13 20:00:00 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
- update to 2.48.0
* Reference consistency checks: git refs verify
* Reflogs can now be migrated with git refs migrate
* git is free of memory leaks as covered by the test suite
* Performance improvements
* Other improvements, UI changes, options extensions and largely
compatible behavior changes as listed in
https://raw.githubusercontent.com/git/git/refs/tags/v2.48.0/Documentation/RelNotes/2.48.0.txt
-------------------------------------------------------------------
Mon Nov 25 10:58:31 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>
- update to 2.47.1:
* Use after free and double freeing at the end in
"git log -L... -p" had been identified and fixed.
* "git maintenance start" crashed due to an uninitialized
variable reference, which has been corrected.
* Fail gracefully instead of crashing when attempting to write
the contents of a corrupt in-core index as a tree object.
* A "git fetch" from the superproject going down to a submodule
used a wrong remote when the default remote names are set
differently between them.
* The "gitk" project tree has been synchronized again
-------------------------------------------------------------------
Wed Oct 9 10:34:12 UTC 2024 - Dirk Müller <dmueller@suse.com>
- update to 2.47.0:
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.txt
* Many Porcelain commands that internally use the merge machinery
were taught to consistently honor the diff.algorithm
configuration.
* A few descriptions in "git show-ref -h" have been clarified.
* A 'P' command to "git add -p" that passes the patch hunk to the
pager has been added.
* "git grep -W" omits blank lines that follow the found function at
the end of the file, just like it omits blank lines before the next
function.
* The value of http.proxy can have "path" at the end for a socks
proxy that listens to a unix-domain socket, but we started to
discard it when we taught proxy auth code path to use the
credential helpers, which has been corrected.
* The code paths to compact multiple reftable files have been updated
to correctly deal with multiple compaction triggering at the same
time.
* Support to specify ref backend for submodules has been enhanced.
* "git svn" has been taught about svn:global-ignores property
recent versions of Subversion has.
* The default object hash and ref backend format used to be settable
only with explicit command line option to "git init" and
environment variables, but now they can be configured in the user's
global and system wide configuration.
* "git send-email" learned "--translate-aliases" option that reads
addresses from the standard input and emits the result of applying
aliases on them to the standard output.
* 'git for-each-ref' learned a new "--format" atom to find the branch
that the history leading to a given commit "%(is-base:<commit>)" is
likely based on.
* The command line prompt support used to be littered with bash-isms,
which has been corrected to work with more shells.
* Support for the RUNTIME_PREFIX feature has been added to z/OS port.
* "git send-email" learned "--mailmap" option to allow rewriting the
recipient addresses.
* "git mergetool" learned to use VSCode as a merge backend.
* "git pack-redundant" has been marked for removal in Git 3.0.
* One-line messages to "die" and other helper functions will get LF
added by these helper functions, but many existing messages had an
unnecessary LF at the end, which have been corrected.
* The "scalar clone" command learned the "--no-tags" option.
* The environment GIT_ADVICE has been intentionally kept undocumented
to discourage its use by interactive users. Add documentation to
help tool writers.
* "git apply --3way" learned to take "--ours" and other options.
-------------------------------------------------------------------
Mon Oct 7 12:01:19 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>
- Update to version 2.46.2:
* Revert the "git patch-id" change that went into 2.46.1,
as it seems to have got a regression reported (I haven't verified,
but it is better to keep a known breakage than adding an unintended
regression).
* In a few corner cases "git diff --exit-code" failed to report
"changes" (e.g., renamed without any content change), which has
been corrected.
* The interpret-trailers command failed to recognise the end of the
message when the commit log ends in an incomplete line.
- Add CVE-2024-50349-1.patch, CVE-2024-50349-2.patch
* CVE-2024-50349: passwords for trusted sites could be sent to untrusted
sites (bsc#1235600)
- Add CVE-2024-52006.patch
* CVE-2024-52006: Carriage Returns via the credential protocol to credential
helpers (bsc#1235601)
-------------------------------------------------------------------
Fri Sep 20 08:18:30 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>


@@ -1,8 +1,8 @@
#
# spec file for package git
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2025 Andreas Stieger <Andreas.Stieger@gmx.de>
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -43,7 +43,7 @@
%bcond_with asciidoctor
%endif
Name: git
Version: 2.50.0
Version: 2.46.1
Release: 0
Summary: Fast, scalable, distributed revision control system
License: GPL-2.0-only
@@ -70,9 +70,13 @@ Patch8: git-asciidoc.patch
Patch10: setup-don-t-fail-if-commondir-reference-is-deleted.patch
# PATCH-FIX-OPENSUSE CVE-2024-24577.patch boo#1219660 antonio.teixeira@suse.com
Patch11: CVE-2024-24577.patch
# Add SHA256 support for gitk and git-gui (bsc#1239989)
Patch20: 0001-gitk-Add-support-of-SHA256-repo.patch
Patch21: 0002-git-gui-Add-support-of-SHA256-repo.patch
# PATCH-FIX-UPSTREAM antonio.teixeira@suse.com bsc#1235600
# passwords for trusted sites could be sent to untrusted sites
Patch12: CVE-2024-50349-1.patch
Patch13: CVE-2024-50349-2.patch
# PATCH-FIX-UPSTREAM antonio.teixeira@suse.com bsc#1235601
# Carriage Returns via the credential protocol to credential helpers
Patch14: CVE-2024-52006.patch
BuildRequires: fdupes
BuildRequires: gpg2
BuildRequires: libcurl-devel
@@ -89,11 +93,7 @@ BuildRequires: systemd-rpm-macros
BuildRequires: tcsh
BuildRequires: update-desktop-files
BuildRequires: xz
%if 0%{?suse_version} >= 1600
BuildRequires: pkgconfig(zlib-ng)
%else
BuildRequires: pkgconfig(zlib)
%endif
Requires: git-core = %{version}
Requires: perl-Git = %{version}
Recommends: git-email
@@ -441,9 +441,9 @@ if ! test -f %{buildroot}%{gitexecdir}/git-add; then
fi
mkdir -p "%{buildroot}/%{_docdir}/git" "%{buildroot}/%{_docdir}/git/howto" "%{buildroot}/%{_docdir}/git/technical"
cp -a README.md Documentation/*.adoc "%{buildroot}/%{_docdir}/git/"
cp -a Documentation/howto/*.adoc "%{buildroot}/%{_docdir}/git/howto/"
cp -a Documentation/technical/*.adoc "%{buildroot}/%{_docdir}/git/technical/"
cp -a README.md Documentation/*.txt "%{buildroot}/%{_docdir}/git/"
cp -a Documentation/howto/*.txt "%{buildroot}/%{_docdir}/git/howto/"
cp -a Documentation/technical/*.txt "%{buildroot}/%{_docdir}/git/technical/"
%{!?_without_docs: cp -a Documentation/*.html "%{buildroot}/%{_docdir}/git/"}
%{!?_without_docs: cp -a Documentation/howto/*.html "%{buildroot}/%{_docdir}/git/howto/"}
%{!?_without_docs: cp -a Documentation/technical/*.html "%{buildroot}/%{_docdir}/git/technical/"}