diff --git a/CVE-2023-41040.patch b/CVE-2023-41040.patch
new file mode 100644
index 0000000..ca42a94
--- /dev/null
+++ b/CVE-2023-41040.patch
@@ -0,0 +1,53 @@
+diff --git a/git/refs/symbolic.py b/git/refs/symbolic.py
+index 33c3bf15b..5c293aa7b 100644
+--- a/git/refs/symbolic.py
++++ b/git/refs/symbolic.py
+@@ -168,6 +168,8 @@ def _get_ref_info_helper(
+ """Return: (str(sha), str(target_ref_path)) if available, the sha the file at
+ rela_path points to, or None. target_ref_path is the reference we
+ point to, or None"""
++ if ".." in str(ref_path):
++ raise ValueError(f"Invalid reference '{ref_path}'")
+ tokens: Union[None, List[str], Tuple[str, str]] = None
+ repodir = _git_dir(repo, ref_path)
+ try:
+diff --git a/test/test_refs.py b/test/test_refs.py
+index 4c421767e..e7526c3b2 100644
+--- a/test/test_refs.py
++++ b/test/test_refs.py
+@@ -5,6 +5,7 @@
+ # the BSD License: http://www.opensource.org/licenses/bsd-license.php
+
+ from itertools import chain
++from pathlib import Path
+
+ from git import (
+ Reference,
+@@ -20,9 +21,11 @@
+ from git.objects.tag import TagObject
+ from test.lib import TestBase, with_rw_repo
+ from git.util import Actor
++from gitdb.exc import BadName
+
+ import git.refs as refs
+ import os.path as osp
++import tempfile
+
+
+ class TestRefs(TestBase):
+@@ -616,3 +619,15 @@ def test_dereference_recursive(self):
+
+ def test_reflog(self):
+ assert isinstance(self.rorepo.heads.master.log(), RefLog)
++
++ def test_refs_outside_repo(self):
++ # Create a file containing a valid reference outside the repository. Attempting
++ # to access it should raise an exception, due to it containing a parent directory
++ # reference ('..'). This tests for CVE-2023-41040.
++ git_dir = Path(self.rorepo.git_dir)
++ repo_parent_dir = git_dir.parent.parent
++ with tempfile.NamedTemporaryFile(dir=repo_parent_dir) as ref_file:
++ ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe")
++ ref_file.flush()
++ ref_file_name = Path(ref_file.name).name
++ self.assertRaises(BadName, self.rorepo.commit, f"../../{ref_file_name}")
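Review bot: The guard added to `_get_ref_info_helper` in the nested hunk (`if ".." in str(ref_path): raise ValueError(...)`) is a substring denylist and never checks where the reference path actually lands on disk; `_git_dir` and the path join that follows are outside the hunk, so whether an absolute ref_path or a symlinked component is still reachable cannot be judged from here. A canonical-path containment check (build the candidate path, `os.path.realpath` it, and refuse it unless it is inside the resolved git dir) would be self-documenting and would not depend on which spellings of a parent reference the denylist happens to catch; if a denylist is kept, a one-line comment stating why `..` alone is considered sufficient would help the next reader. In the added test, the guard raises `ValueError` but `test_refs_outside_repo` asserts `BadName`, so the translation must happen in `Repo.commit` or the rev-parse path, neither of which is shown; a comment such as `# Repo.commit() is expected to wrap the ValueError from the ref lookup in BadName` above the `assertRaises` would keep the mismatch from reading as a bug. Note that the nested hunks lose their leading indentation in this rendering, so line placement inside the function body is inferred.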
diff --git a/GitPython-3.1.32.1689011721.5d45ce2.tar.xz b/GitPython-3.1.32.1689011721.5d45ce2.tar.xz
deleted file mode 100644
index 4e1e7bb..0000000
--- a/GitPython-3.1.32.1689011721.5d45ce2.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:48a4626be078b648f710c7c820e926a7572557b531350d63799648242bd21bcc
-size 4124684
diff --git a/GitPython-3.1.34.1693646983.2a2ae77.tar.xz b/GitPython-3.1.34.1693646983.2a2ae77.tar.xz
new file mode 100644
index 0000000..c42da27
--- /dev/null
+++ b/GitPython-3.1.34.1693646983.2a2ae77.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3a90b254fab862c6f63418b5f3181e298ee349e4f48891388eeaaa4c7135f254
+size 4053852
diff --git a/_service b/_service
index 541ce7c..e16a419 100644
--- a/_service
+++ b/_service
@@ -1,16 +1,16 @@
-
- 3.1.32
+
+ 3.1.34
https://github.com/gitpython-developers/GitPython
git
yes
enable
enable
- 3.1.32
+ 3.1.34
-
+
xz
*.tar
-
+
diff --git a/_servicedata b/_servicedata
index 84f68dd..e1dbb60 100644
--- a/_servicedata
+++ b/_servicedata
@@ -3,4 +3,4 @@
git://github.com/gitpython-developers/GitPython
f653af66e4c9461579ec44db50e113facf61e2d3
https://github.com/gitpython-developers/GitPython
- 5d45ce243a12669724e969442e6725a894e30fd4
\ No newline at end of file
+ 2a2ae776825f249a3bb7efd9b08650486226b027
\ No newline at end of file
diff --git a/python-GitPython.changes b/python-GitPython.changes
index cff99cd..2befab7 100644
--- a/python-GitPython.changes
+++ b/python-GitPython.changes
@@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Tue Sep 5 08:30:24 UTC 2023 - Daniel Garcia
+
+- Add CVE-2023-41040.patch to fix directory traversal attack
+ vulnerability gh#gitpython-developers/GitPython#1644
+ bsc#1214810
+
+-------------------------------------------------------------------
+Tue Sep 05 06:34:12 UTC 2023 - daniel.garcia@suse.com
+
+- Update _service to use manualrun, disabledrun is deprecated now.
+- Update to version 3.1.34.1693646983.2a2ae77:
+ * prepare patch release
+ * util: close lockfile after opening successfully
+ * update instructions for how to create a release
+ * prepare for next release
+ * Skip now permanently failing test with note on how to fix it
+ * Don't check form of version number
+ * Add a unit test for CVE-2023-40590
+ * Fix CVE-2023-40590
+ * feat: full typing for "progress" parameter
+ * Creating a lock now uses python built-in "open()" method to work around docker virtiofs issue
+ * Disable merge_includes in config writers
+ * Apply straight-forward typing fixes
+ * Add missing type annotation
+ * Run black and exclude submodule
+ * Allow explicit casting even when slightly redundant
+ * Ignore remaining [unreachable] type errors
+ * Define supported version for mypy
+ * Do not typecheck submodule
+ * typo
+ * added more resources section
+ * generic hash
+ * redundant code cell
+ * redundant line
+ * fixed tabbing
+ * tabbed all code-blocks
+ * added new section for diffs and formatting
+ * formatting wip
+ * change to formatting - removed = bash cmds
+ * Added new section to print prev file
+ * WIP major changes to structure to improve readability
+ * Removed all reference to source code
+ * Updated generic sha hash
+ * Added warning about index add
+ * Made trees and blobs the first section
+ * refactored print git tree
+ * clarified comment
+ * draft of description
+ * replaced hash with generic
+ * replaced output cell to generic commit ID
+ * removed unnecessary variables
+ * convert from --all flag to all=True
+ * correct way to get the latest commit tree
+ * removed try/except and updated sample url
+ * Updated the sample repo URL
+ * Made variable names more intuitive
+ * try to fix CI by making it deal with tags forcefully.
+ * Removed code from RST
+ * added quickstart to toctree to fix sphinx warning
+ * added quickstart to toctree and fixed sphinx warning
+ * fixed some indentation
+ * finished code for quickstart
+ * finished code for quickstart
+ * Finishing touches for Repo quickstart
+ * Added git clone & git add
+ * Made the init repo section of quickdoc
+
-------------------------------------------------------------------
Mon Aug 21 04:36:14 UTC 2023 - Steve Kowalik
diff --git a/python-GitPython.spec b/python-GitPython.spec
index 75cadcd..ab7e519 100644
--- a/python-GitPython.spec
+++ b/python-GitPython.spec
@@ -17,10 +17,10 @@
%define skip_python2 1
-%define simple_ver 3.1.32
+%define simple_ver 3.1.34
%{?sle15_python_module_pythons}
Name: python-GitPython
-Version: 3.1.32.1689011721.5d45ce2
+Version: 3.1.34.1693646983.2a2ae77
Release: 0
Summary: Python Git Library
License: BSD-3-Clause
@@ -28,6 +28,8 @@ URL: https://github.com/gitpython-developers/GitPython
Source: GitPython-%{version}.tar.xz
Patch0: test-skips.patch
Patch1: test_blocking_lock_file-extra-time.patch
+# PATCH-FIX-UPSTREAM CVE-2023-41040.patch gh#gitpython-developers/GitPython#1644
+Patch2: CVE-2023-41040.patch
BuildRequires: %{python_module ddt >= 1.1.1}
BuildRequires: %{python_module gitdb >= 4.0.1}
BuildRequires: %{python_module pip}
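Review bot: Nothing in this hunk shows how the new `Patch2: CVE-2023-41040.patch` is applied; if `%prep` uses explicit `%patch` directives rather than `%autosetup`, the declaration alone does nothing and a matching `%patch2 -p1` line is needed (the patch uses `a/` and `b/` prefixes, so `-p1` is the strip level consistent with the `Index:` form the other two patches were rebased to in this commit). If `%autosetup -p1` is already in use, a build log showing the patch applied would settle it. The `PATCH-FIX-UPSTREAM` comment cites the upstream PR; adding the `bsc#1214810` reference from the changelog entry there as well would keep the security reference next to the patch line.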
diff --git a/test-skips.patch b/test-skips.patch
index b5be454..2d561cd 100644
--- a/test-skips.patch
+++ b/test-skips.patch
@@ -5,8 +5,10 @@
test/test_submodule.py | 19 +++++++++++--------
4 files changed, 18 insertions(+), 10 deletions(-)
---- a/test/test_base.py
-+++ b/test/test_base.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_base.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_base.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_base.py
@@ -109,7 +109,8 @@ class TestBase(_TestBase):
assert osp.isdir(osp.join(rw_repo.working_tree_dir, "lib"))
assert osp.isdir(rw_repo.working_dir)
@@ -17,8 +19,10 @@
@with_rw_and_rw_remote_repo("0.1.6")
def test_with_rw_remote_and_rw_repo(self, rw_repo, rw_remote_repo):
assert not rw_repo.config_reader("repository").getboolean("core", "bare")
---- a/test/test_remote.py
-+++ b/test/test_remote.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_remote.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_remote.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_remote.py
@@ -4,6 +4,7 @@
# This module is part of GitPython and is released under
# the BSD License: http://www.opensource.org/licenses/bsd-license.php
@@ -45,18 +49,22 @@
def test_fetch_error(self):
rem = self.rorepo.remote("origin")
with self.assertRaisesRegex(GitCommandError, "[Cc]ouldn't find remote ref __BAD_REF__"):
---- a/test/test_repo.py
-+++ b/test/test_repo.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_repo.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_repo.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_repo.py
@@ -250,6 +250,7 @@ class TestRepo(TestBase):
except UnicodeEncodeError:
self.fail("Raised UnicodeEncodeError")
+ @skipIf(os.environ.get('SKIP_GITHUB', 'false') == 'true', 'Gitlab connection error')
@with_rw_directory
+ @skip("the referenced repository was removed, and one needs to setup a new password controlled repo under the orgs control")
def test_leaking_password_in_clone_logs(self, rw_dir):
- password = "fakepassword1234"
---- a/test/test_submodule.py
-+++ b/test/test_submodule.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_submodule.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_submodule.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_submodule.py
@@ -453,14 +453,15 @@ class TestSubmodule(TestBase):
reason="Cygwin GitPython can't find submodule SHA",
raises=ValueError
diff --git a/test_blocking_lock_file-extra-time.patch b/test_blocking_lock_file-extra-time.patch
index ce17553..4a420d9 100644
--- a/test_blocking_lock_file-extra-time.patch
+++ b/test_blocking_lock_file-extra-time.patch
@@ -2,8 +2,10 @@
test/test_util.py | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
---- a/test/test_util.py
-+++ b/test/test_util.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_util.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_util.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_util.py
@@ -173,9 +173,7 @@ class TestUtils(TestBase):
self.assertRaises(IOError, wait_lock._obtain_lock)
elapsed = time.time() - start