From 713763acd2c164f05e5d64628c5df07dc45714c4e433f3862ace4802eca77f39 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Tue, 8 Nov 2022 09:53:08 +0000 Subject: [PATCH] Accepting request 1032894 from devel:tools:scm OBS-URL: https://build.opensuse.org/request/show/1032894 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git?expand=0&rev=290 --- git-2.38.0.tar.sign | Bin 566 -> 0 bytes git-2.38.0.tar.xz | 3 --- git-2.38.1.tar.sign | Bin 0 -> 566 bytes git-2.38.1.tar.xz | 3 +++ git.changes | 30 ++++++++++++++++++++++++++++++ git.spec | 5 ++++- 6 files changed, 37 insertions(+), 4 deletions(-) delete mode 100644 git-2.38.0.tar.sign delete mode 100644 git-2.38.0.tar.xz create mode 100644 git-2.38.1.tar.sign create mode 100644 git-2.38.1.tar.xz 
diff --git a/git-2.38.0.tar.sign b/git-2.38.0.tar.sign deleted file mode 100644 index 7893197140ba761f32a40fd6db53b83c6994f71f7f64fa22371fd605bbfc2cbf..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 566 zcmV-60?GY}0y6{v0SEvc79j-T@HVmj=OQ1+cxlpJD1iN^`f?)s_bh9=*%7&T-|%^?o1Nrn<^YHao|t>e4>;B4I$0Sr z+N>JI2QJ#4?{ej@7YRhH-sVt*Sx(02!2>yV^ssqA=O$+yS{EY@Z%uRw7Fi%aZ52u= zu8hz%d)P%>Mz-|?cx!P}eDR7EEWU53eQ9BVEnMFohyS$-mKs);@*S^+mvlp0X@MTD zm~_?Cb|-QRI+fL6vvFY_Eb4V=x1%sO@7c>bE9E<|VOSPLSY>(%IT<3LJ_Vf!=BZEM z#*ik=kc>k3`o$}xkTJRVjqXX9?FFJb^hVg}OmNT05*?^CnniH&wX}|g!smtVqLoeU zXp8%$&k@t3I%b2hnjoy&WQ9t26Dm*2_0^wwaiW}9-!6Vp}^ zZJ}tCBP1i>$NyS#cgiaExEARIXDLG56mNvj?L + +- disable tests on s390x (check-chainlint) + +------------------------------------------------------------------- +Wed Oct 26 19:57:18 UTC 2022 - Dirk Müller + +- update to 2.38.1 (bsc#1204455, CVE-2022-39253, bsc#1204456, CVE-2022-39260): + * CVE-2022-39253: + When relying on the `--local` clone optimization, Git dereferences + symbolic links in the source repository before creating hardlinks + (or copies) of the dereferenced link in the destination repository. + This can lead to surprising behavior where arbitrary files are + present in a repository's `$GIT_DIR` when cloning from a malicious + repository. + Git will no longer dereference symbolic links via the `--local` + clone mechanism, and will instead refuse to clone repositories that + have symbolic links present in the `$GIT_DIR/objects` directory. + Additionally, the value of `protocol.file.allow` is changed to be + "user" by default. + * CVE-2022-39260: + An overly-long command string given to `git shell` can result in + overflow in `split_cmdline()`, leading to arbitrary heap writes and + remote code execution when `git shell` is exposed and the directory + `$HOME/git-shell-commands` exists. + `git shell` is taught to refuse interactive commands that are + longer than 4MiB in size. 
`split_cmdline()` is hardened to reject + inputs larger than 2GiB. + ------------------------------------------------------------------- Thu Oct 6 19:29:30 UTC 2022 - Andreas Stieger diff --git a/git.spec b/git.spec index a8fcc37..8ed98ee 100644 --- a/git.spec +++ b/git.spec @@ -36,7 +36,7 @@ %bcond_with asciidoctor %endif Name: git -Version: 2.38.0 +Version: 2.38.1 Release: 0 Summary: Fast, scalable, distributed revision control system License: GPL-2.0-only @@ -460,7 +460,10 @@ cat %{name}.lang >>bin-man-doc-files %fdupes -s %{buildroot} %check +# https://public-inbox.org/git/f1a5f758-d81f-5985-9b5d-2f0dbfaac071@opensuse.org/ +%ifnarch s390x ./.make %{?_smp_mflags} test +%endif %if 0%{?suse_version} >= 1500 %pre daemon -f git-daemon.pre
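Review bot: in the git.changes hunk, the change of the `protocol.file.allow` default to "user" is folded into the CVE-2022-39253 paragraph as an "Additionally" sentence, although it and the new refusal to clone repositories with symbolic links in `$GIT_DIR/objects` are the two items in this entry that change behaviour for existing users. Consider giving each its own bullet so that someone reading the changelog after a failed local clone finds the cause quickly.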
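Review bot: in the `%check` hunk of git.spec, `%ifnarch s390x` wraps the whole `./.make %{?_smp_mflags} test` call, so s390x builds run no tests at all, while the git.changes entry names only `check-chainlint` as the failing part. Because this same update ships the CVE-2022-39253 and CVE-2022-39260 fixes, consider narrowing the skip to the chainlint step so the rest of the suite still runs on s390x. The comment above the conditional is only a URL; a one-line reason next to it would make it clear when the `%ifnarch` can be dropped again.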