Accepting request 1109413 from devel:languages:python

- Add CVE-2023-41040.patch to fix directory traversal attack
  vulnerability gh#gitpython-developers/GitPython#1644
  bsc#1214810

- Update _service to use manualrun, disabledrun is deprecated now.
- Update to version 3.1.34.1693646983.2a2ae77:
  * prepare patch release
  * util: close lockfile after opening successfully
  * update instructions for how to create a release
  * prepare for next release
  * Skip now permanently failing test with note on how to fix it
  * Don't check form of version number
  * Add a unit test for CVE-2023-40590
  * Fix CVE-2023-40590
  * feat: full typing for "progress" parameter
  * Creating a lock now uses python built-in "open()" method to work around docker virtiofs issue
  * Disable merge_includes in config writers
  * Apply straight-forward typing fixes
  * Add missing type annotation
  * Run black and exclude submodule
  * Allow explicit casting even when slightly redundant
  * Ignore remaining [unreachable] type errors
  * Define supported version for mypy
  * Do not typecheck submodule
  * typo
  * added more resources section
  * generic hash
  * redundant code cell
  * redundant line
  * fixed tabbing

OBS-URL: https://build.opensuse.org/request/show/1109413
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-GitPython?expand=0&rev=29

CVE-2023-41040.patch

@@ -0,0 +1,53 @@
+diff --git a/git/refs/symbolic.py b/git/refs/symbolic.py
+index 33c3bf15b..5c293aa7b 100644
+--- a/git/refs/symbolic.py
++++ b/git/refs/symbolic.py
+@@ -168,6 +168,8 @@ def _get_ref_info_helper(
+         """Return: (str(sha), str(target_ref_path)) if available, the sha the file at
+         rela_path points to, or None. target_ref_path is the reference we
+         point to, or None"""
++        if ".." in str(ref_path):
++            raise ValueError(f"Invalid reference '{ref_path}'")
+         tokens: Union[None, List[str], Tuple[str, str]] = None
+         repodir = _git_dir(repo, ref_path)
+         try:
+diff --git a/test/test_refs.py b/test/test_refs.py
+index 4c421767e..e7526c3b2 100644
+--- a/test/test_refs.py
++++ b/test/test_refs.py
+@@ -5,6 +5,7 @@
+ # the BSD License: http://www.opensource.org/licenses/bsd-license.php
+ 
+ from itertools import chain
++from pathlib import Path
+ 
+ from git import (
+     Reference,
+@@ -20,9 +21,11 @@
+ from git.objects.tag import TagObject
+ from test.lib import TestBase, with_rw_repo
+ from git.util import Actor
++from gitdb.exc import BadName
+ 
+ import git.refs as refs
+ import os.path as osp
++import tempfile
+ 
+ 
+ class TestRefs(TestBase):
+@@ -616,3 +619,15 @@ def test_dereference_recursive(self):
+ 
+     def test_reflog(self):
+         assert isinstance(self.rorepo.heads.master.log(), RefLog)
++
++    def test_refs_outside_repo(self):
++        # Create a file containing a valid reference outside the repository. Attempting
++        # to access it should raise an exception, due to it containing a parent directory
++        # reference ('..'). This tests for CVE-2023-41040.
++        git_dir = Path(self.rorepo.git_dir)
++        repo_parent_dir = git_dir.parent.parent
++        with tempfile.NamedTemporaryFile(dir=repo_parent_dir) as ref_file:
++            ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe")
++            ref_file.flush()
++            ref_file_name = Path(ref_file.name).name
++            self.assertRaises(BadName, self.rorepo.commit, f"../../{ref_file_name}")

_service

@@ -1,16 +1,16 @@
 <services>
-  <service name="tar_scm" mode="disabled">
-    <param name="versionprefix">3.1.32</param>
+  <service name="tar_scm" mode="manual">
+    <param name="versionprefix">3.1.34</param>
     <param name="url">https://github.com/gitpython-developers/GitPython</param>
     <param name="scm">git</param>
     <param name="package-meta">yes</param>
     <param name="changesgenerate">enable</param>
     <param name="submodules">enable</param>
-    <param name="revision">3.1.32</param>
+    <param name="revision">3.1.34</param>
   </service>
-  <service name="recompress" mode="disabled">
+  <service name="recompress" mode="manual">
     <param name="compression">xz</param>
     <param name="file">*.tar</param>
   </service>
-  <service name="set_version" mode="disabled"/>
+  <service name="set_version" mode="manual"/>
 </services>

_servicedata

@@ -3,4 +3,4 @@
                 <param name="url">git://github.com/gitpython-developers/GitPython</param>
               <param name="changesrevision">f653af66e4c9461579ec44db50e113facf61e2d3</param></service><service name="tar_scm">
                 <param name="url">https://github.com/gitpython-developers/GitPython</param>
-              <param name="changesrevision">5d45ce243a12669724e969442e6725a894e30fd4</param></service></servicedata>
+              <param name="changesrevision">2a2ae776825f249a3bb7efd9b08650486226b027</param></service></servicedata>

python-GitPython.changes

@@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Tue Sep  5 08:30:24 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add CVE-2023-41040.patch to fix directory traversal attack
+  vulnerability gh#gitpython-developers/GitPython#1644
+  bsc#1214810
+
+-------------------------------------------------------------------
+Tue Sep 05 06:34:12 UTC 2023 - daniel.garcia@suse.com
+
+- Update _service to use manualrun, disabledrun is deprecated now.
+- Update to version 3.1.34.1693646983.2a2ae77:
+  * prepare patch release
+  * util: close lockfile after opening successfully
+  * update instructions for how to create a release
+  * prepare for next release
+  * Skip now permanently failing test with note on how to fix it
+  * Don't check form of version number
+  * Add a unit test for CVE-2023-40590
+  * Fix CVE-2023-40590
+  * feat: full typing for "progress" parameter
+  * Creating a lock now uses python built-in "open()" method to work around docker virtiofs issue
+  * Disable merge_includes in config writers
+  * Apply straight-forward typing fixes
+  * Add missing type annotation
+  * Run black and exclude submodule
+  * Allow explicit casting even when slightly redundant
+  * Ignore remaining [unreachable] type errors
+  * Define supported version for mypy
+  * Do not typecheck submodule
+  * typo
+  * added more resources section
+  * generic hash
+  * redundant code cell
+  * redundant line
+  * fixed tabbing
+  * tabbed all code-blocks
+  * added new section for diffs and formatting
+  * formatting wip
+  * change to formatting - removed = bash cmds
+  * Added new section to print prev file
+  * WIP major changes to structure to improve readability
+  * Removed all reference to source code
+  * Updated generic sha hash
+  * Added warning about index add
+  * Made trees and blobs the first section
+  * refactored print git tree
+  * clarified comment
+  * draft of description
+  * replaced hash with generic
+  * replaced output cell to generic commit ID
+  * removed unnecessary variables
+  * convert from --all flag to all=True
+  * correct way to get the latest commit tree
+  * removed try/except and updated sample url
+  * Updated the sample repo URL
+  * Made variable names more intuitive
+  * try to fix CI by making it deal with tags forcefully.
+  * Removed code from RST
+  * added quickstart to toctree to fix sphinx warning
+  * added quickstart to toctree and fixed sphinx warning
+  * fixed some indentation
+  * finished code for quickstart
+  * finished code for quickstart
+  * Finishing touches for Repo quickstart
+  * Added git clone & git add
+  * Made the init repo section of quickdoc
+
 -------------------------------------------------------------------
 Mon Aug 21 04:36:14 UTC 2023 - Steve Kowalik <steven.kowalik@suse.com>
 

python-GitPython.spec

@@ -17,10 +17,10 @@
 
 
 %define skip_python2 1
-%define simple_ver 3.1.32
+%define simple_ver 3.1.34
 %{?sle15_python_module_pythons}
 Name:           python-GitPython
-Version:        3.1.32.1689011721.5d45ce2
+Version:        3.1.34.1693646983.2a2ae77
 Release:        0
 Summary:        Python Git Library
 License:        BSD-3-Clause
@@ -28,6 +28,8 @@ URL:            https://github.com/gitpython-developers/GitPython
 Source:         GitPython-%{version}.tar.xz
 Patch0:         test-skips.patch
 Patch1:         test_blocking_lock_file-extra-time.patch
+# PATCH-FIX-UPSTREAM CVE-2023-41040.patch gh#gitpython-developers/GitPython#1644
+Patch2:         CVE-2023-41040.patch
 BuildRequires:  %{python_module ddt >= 1.1.1}
 BuildRequires:  %{python_module gitdb >= 4.0.1}
 BuildRequires:  %{python_module pip}

test-skips.patch

@@ -5,8 +5,10 @@
  test/test_submodule.py |   19 +++++++++++--------
  4 files changed, 18 insertions(+), 10 deletions(-)
 
---- a/test/test_base.py
-+++ b/test/test_base.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_base.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_base.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_base.py
 @@ -109,7 +109,8 @@ class TestBase(_TestBase):
          assert osp.isdir(osp.join(rw_repo.working_tree_dir, "lib"))
          assert osp.isdir(rw_repo.working_dir)
@@ -17,8 +19,10 @@
      @with_rw_and_rw_remote_repo("0.1.6")
      def test_with_rw_remote_and_rw_repo(self, rw_repo, rw_remote_repo):
          assert not rw_repo.config_reader("repository").getboolean("core", "bare")
---- a/test/test_remote.py
-+++ b/test/test_remote.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_remote.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_remote.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_remote.py
 @@ -4,6 +4,7 @@
  # This module is part of GitPython and is released under
  # the BSD License: http://www.opensource.org/licenses/bsd-license.php
@@ -45,18 +49,22 @@
      def test_fetch_error(self):
          rem = self.rorepo.remote("origin")
          with self.assertRaisesRegex(GitCommandError, "[Cc]ouldn't find remote ref __BAD_REF__"):
---- a/test/test_repo.py
-+++ b/test/test_repo.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_repo.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_repo.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_repo.py
 @@ -250,6 +250,7 @@ class TestRepo(TestBase):
              except UnicodeEncodeError:
                  self.fail("Raised UnicodeEncodeError")
  
 +    @skipIf(os.environ.get('SKIP_GITHUB', 'false') == 'true', 'Gitlab connection error')
      @with_rw_directory
+     @skip("the referenced repository was removed, and one needs to setup a new password controlled repo under the orgs control")
      def test_leaking_password_in_clone_logs(self, rw_dir):
-         password = "fakepassword1234"
---- a/test/test_submodule.py
-+++ b/test/test_submodule.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_submodule.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_submodule.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_submodule.py
 @@ -453,14 +453,15 @@ class TestSubmodule(TestBase):
          reason="Cygwin GitPython can't find submodule SHA",
          raises=ValueError

test_blocking_lock_file-extra-time.patch

@@ -2,8 +2,10 @@
  test/test_util.py |    4 +---
  1 file changed, 1 insertion(+), 3 deletions(-)
 
---- a/test/test_util.py
-+++ b/test/test_util.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_util.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_util.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_util.py
 @@ -173,9 +173,7 @@ class TestUtils(TestBase):
          self.assertRaises(IOError, wait_lock._obtain_lock)
          elapsed = time.time() - start