From 6b8915c67b7beb53d9fe166b864123d7445f056faa9eafb6ef872c5604f0a5ea Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Fri, 15 Apr 2022 22:14:08 +0000 Subject: [PATCH] Accepting request 970347 from devel:tools:scm - git 2.35.3: * usability fix-up for CVE-2022-24765 bsc#1198234: '*' can be used as the value for the `safe.directory` variable to signal that the user considers that any directory is safe. * The code that was meant to parse the new `safe.directory` configuration variable was not checking what configuration variable was being fed to it - Require bash in git-daemon because the service file uses it - Reword git-daemon.service description to get a useful sentence in journalctl -b - git 2.35.2 (CVE-2022-24765, bsc#1198234): * CVE-2022-24765: git may execute commands defined by other users from unexpected worktrees - Require nogroup group for %pre (bsc#1192023) OBS-URL: https://build.opensuse.org/request/show/970347 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git?expand=0&rev=276 --- git-2.35.1.tar.sign | Bin 566 -> 0 bytes git-2.35.1.tar.xz | 3 --- git-2.35.3.tar.sign | Bin 0 -> 566 bytes git-2.35.3.tar.xz | 3 +++ git-daemon.service | 2 +- git.changes | 26 ++++++++++++++++++++++++++ git.spec | 3 ++- 7 files changed, 32 insertions(+), 5 deletions(-) delete mode 100644 git-2.35.1.tar.sign delete mode 100644 git-2.35.1.tar.xz create mode 100644 git-2.35.3.tar.sign create mode 100644 git-2.35.3.tar.xz 
diff --git a/git-2.35.1.tar.sign b/git-2.35.1.tar.sign deleted file mode 100644 index 446257882daffe63d61f4afb63d8b02348b3958f3d02abe56ec4a0335a8f2c1f..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 566 zcmV-60?GY}0y6{v0SEvc79j-T@HVmj=OQ1+c8&7kr}>_TW)%BXMrVz zT?j$d!k2MHqSJp&0OC5AnX_^o(FeUM9CylCi(0jbt3`EK~RBDLK>)=3cqu*c4yQRFnG4a7xq_`(bHV z2FdCnQk6k^upt0att7hd2?iI3N=y2gWy_CRUkyAEpY!esm^NM|a;19C)9tMcwn~pl z-cL#IMkukcEuAw&ly!c(t}ca8#_L52SE&C%nBE|l-HdqpL)KB&rtRr*NbvTQ8nOf+ zInaZ?p~#FHUw#C+KBIY#c=p&y3$vD8eScKWDZyjy=Vaub|LuvY`$Q?6B`=Bqkotx( z&{DkC8^bFaJeoHcYx9Kl>P5O9(P-KSK#0zcSPpE8`F`-B78>fwS?n4m)V|+dM?Z%E zcnLK=Lq_nEg(NYu+geie^u>@j*S3*OpXC~OKHx=#dfiNtmwmNe_Sf|>Jq9rF*}Ml0>Myv_=;Y#wh->rr%X_MS1{54ML5;|x-1 zak;KmY&$ diff --git a/git-2.35.1.tar.xz b/git-2.35.1.tar.xz deleted file mode 100644 index 63593a4..0000000 --- a/git-2.35.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d768528e6443f65a203036266f1ca50f9d127ba89751e32ead37117ed9191080 -size 6874520 diff --git a/git-2.35.3.tar.sign b/git-2.35.3.tar.sign new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..4d19159551911cc234ed84f5d71051f2f19dc81a2e9ed3ee43745b39ecad306c GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-T@HVmj=OQ1+cInn8;1 zIK*Jns#p3rCMWyOY}CJ>lHOCfqin@oNg{O>*y?JbZQ7kvB*QhU_;LoKZq(;1`yfhK9|H5y zf?J@(F4_=n^*ALeiujP^RM{Aib}L04o3E^&#SoUdd{XCaq$l)o!=E)$cuO6xUgvk&E9NoRDpt1ar$10_KTWnX3F zWNSRkvt;z@L<{R_%Xgfl8}dsb76gQmniyN@Rh#D~^5W$cXYNu*Sb_*JUCOoz&fx_s zD&`RiSsKMTh+#Q27}y$WP-@Lh#V=7QeqV42(~9omS^%(^zYNq0iyx@= z(Ovf>f1JlKg$#R3-_TnG_T^E9xiz#@0)(RR=AHf~_KQ0zq{-gZflz;DbO4nH%mo$h|b1PM6;1gL5+3dFJ2{li$_Q-adDsG+cRx%fuR EOKV~q>;M1& literal 0 HcmV?d00001 diff --git a/git-2.35.3.tar.xz b/git-2.35.3.tar.xz new file mode 100644 index 0000000..0cb719e --- /dev/null +++ b/git-2.35.3.tar.xz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:15e9db4f9bf2ed9fff30cb62a00c5c7c0901015f5ab048cdb4e8b04ddee00fa2
+size 6876328
diff --git a/git-daemon.service b/git-daemon.service
index e8f257b..1ba6f96 100644
--- a/git-daemon.service
+++ b/git-daemon.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Start Git Daemon
+Description=Git Daemon
 [Service]
 # added automatically, for details please see
diff --git a/git.changes b/git.changes
index 6828172..5edb1c7 100644
--- a/git.changes
+++ b/git.changes
@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Thu Apr 14 06:01:19 UTC 2022 - Andreas Stieger
+
+- git 2.35.3:
+ * usability fix-up for CVE-2022-24765 bsc#1198234:
+ '*' can be used as the value for the `safe.directory` variable
+ to signal that the user considers that any directory is safe.
+ * The code that was meant to parse the new `safe.directory`
+ configuration variable was not checking what configuration
+ variable was being fed to it
+
+-------------------------------------------------------------------
+Wed Apr 13 13:13:13 UTC 2022 - olaf@aepfle.de
+
+- Require bash in git-daemon because the service file uses it
+- Reword git-daemon.service description to get a useful sentence
+ in journalctl -b
+
+-------------------------------------------------------------------
+Tue Apr 12 17:56:41 UTC 2022 - Andreas Stieger
+
+- git 2.35.2 (CVE-2022-24765, bsc#1198234):
+ * CVE-2022-24765: git may execute commands defined by other users
+ from unexpected worktrees
+
 -------------------------------------------------------------------
 Thu Mar 10 15:16:47 UTC 2022 - chris@computersalat.de
@@ -114,6 +139,7 @@ Wed Oct 20 16:32:02 UTC 2021 - Callum Farmer
 - Add CONFIG parameter to %sysusers_generate_pre
 - Remove unneeded SHELL in git-daemon.conf
 - Fix sysusers usage in spec file
+- Require nogroup group for %pre (bsc#1192023)
 -------------------------------------------------------------------
 Wed Oct 13 18:09:43 UTC 2021 - Andreas Stieger
diff --git a/git.spec b/git.spec
index 832435a..0fb955a 100644
--- a/git.spec
+++ b/git.spec
@@ -36,7 +36,7 @@
 %bcond_with asciidoctor
 %endif
 Name: git
-Version: 2.35.1
+Version: 2.35.3
 Release: 0
 Summary: Fast, scalable, distributed revision control system
 License: GPL-2.0-only
@@ -246,6 +246,7 @@ Email interface for the GIT version control system.
 %package daemon
 Summary: Simple Server for Git Repositories
 Group: Development/Tools/Version Control
+Requires: bash
 Requires: git-core = %{version}
 Requires(pre): %fillup_prereq
 %if 0%{?suse_version} >= 1500
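Review bot: The new `Requires: bash` in the `%package daemon` section has no comment saying why the daemon subpackage needs a shell; the reason is recorded only in git.changes ("the service file uses it"). A one-line comment directly above it, such as `# git-daemon.service uses bash`, would keep the dependency from being dropped in a later cleanup of the spec. The part of git-daemon.service that calls bash is not shown in this diff, so the wording should be checked against the unit file. The `%package daemon` section and the `%if` that closes the hunk both continue outside it.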