Accepting request 515991 from devel:tools:scm

git 2.14.1 (bsc#1052481) CVE-2017-1000117 OBS-URL: https://build.opensuse.org/request/show/515991 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git?expand=0&rev=202
2017-08-21 09:35:00 +00:00 · 2017-08-21 09:35:00 +00:00 · 069d918659
commit 069d918659
parent 8030e85820
6 changed files with 29 additions and 4 deletions
--- a/git-2.14.0.tar.sign
+++ b/git-2.14.0.tar.sign
--- a/git-2.14.0.tar.xz
+++ b/git-2.14.0.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f93e6e6a307d2e953cccafd9f4003c62992628fa508d07586476c953c1655975
-size 4790932
--- a/git-2.14.1.tar.sign
+++ b/git-2.14.1.tar.sign
--- a/git-2.14.1.tar.xz
+++ b/git-2.14.1.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6f724c6d0e9e13114ab35db6f67e1b2c1934b641e89366e6a0e37618231f2cc6
+size 4791876
--- a/git.changes
+++ b/git.changes
@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Thu Aug 10 19:19:07 UTC 2017 - astieger@suse.com
+
+- git 2.14.1 (bsc#1052481):
+  * Security fix for CVE-2017-1000117: A malicious third-party can
+    give a crafted "ssh://..." URL to an unsuspecting victim, and
+    an attempt to visit the URL can result in any program that
+    exists on the victim's machine being executed. Such a URL could
+    be placed in the .gitmodules file of a malicious project, and
+    an unsuspecting victim could be tricked into running
+    "git clone --recurse-submodules" to trigger the vulnerability.
+  * A "ssh://..." URL can result in a "ssh" command line with a
+    hostname that begins with a dash "-", which would cause the
+    "ssh" command to instead (mis)treat it as an option. This is
+    now prevented by forbidding such a hostname (which should not
+    impact any real-world usage).
+  * Similarly, when GIT_PROXY_COMMAND is configured, the command
+    is run with host and port that are parsed out from "ssh://..."
+    URL; a poorly written GIT_PROXY_COMMAND could be tricked into
+    treating a string that begins with a dash "-" as an option.
+    This is now prevented by forbidding such a hostname and port
+    number (again, which should not impact any real-world usage).
+  * In the same spirit, a repository name that begins with a dash
+    "-" is also forbidden now.
+
 -------------------------------------------------------------------
 Sat Aug  5 14:23:43 UTC 2017 - astieger@suse.com

--- a/git.spec
+++ b/git.spec
@ -26,7 +26,7 @@
 %endif

 Name:           git
-Version:        2.14.0
+Version:        2.14.1
 Release:        0
 Summary:        Fast, scalable, distributed revision control system
 License:        GPL-2.0