Accepting request 1032894 from devel:tools:scm

OBS-URL: https://build.opensuse.org/request/show/1032894
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git?expand=0&rev=290

git-2.38.0.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:923eade26b1814de78d06bda8e0a9f5da8b7c4b304b3f9050ffb464f0310320a
-size 7086664

git-2.38.1.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:97ddf8ea58a2b9e0fbc2508e245028ca75911bd38d1551616b148c1aa5740ad9
+size 7088208

git.changes

@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Tue Nov  1 20:55:50 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- disable tests on s390x (check-chainlint)
+
+-------------------------------------------------------------------
+Wed Oct 26 19:57:18 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.38.1 (bsc#1204455, CVE-2022-39253, bsc#1204456, CVE-2022-39260):
+  * CVE-2022-39253:
+    When relying on the `--local` clone optimization, Git dereferences
+    symbolic links in the source repository before creating hardlinks
+    (or copies) of the dereferenced link in the destination repository.
+    This can lead to surprising behavior where arbitrary files are
+    present in a repository's `$GIT_DIR` when cloning from a malicious
+    repository.
+    Git will no longer dereference symbolic links via the `--local`
+    clone mechanism, and will instead refuse to clone repositories that
+    have symbolic links present in the `$GIT_DIR/objects` directory.
+    Additionally, the value of `protocol.file.allow` is changed to be
+    "user" by default.
+  * CVE-2022-39260:
+    An overly-long command string given to `git shell` can result in
+    overflow in `split_cmdline()`, leading to arbitrary heap writes and
+    remote code execution when `git shell` is exposed and the directory
+    `$HOME/git-shell-commands` exists.
+    `git shell` is taught to refuse interactive commands that are
+    longer than 4MiB in size. `split_cmdline()` is hardened to reject
+    inputs larger than 2GiB.
+
 -------------------------------------------------------------------
 Thu Oct  6 19:29:30 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>
 

git.spec

@@ -36,7 +36,7 @@
 %bcond_with    asciidoctor
 %endif
 Name:           git
-Version:        2.38.0
+Version:        2.38.1
 Release:        0
 Summary:        Fast, scalable, distributed revision control system
 License:        GPL-2.0-only
@@ -460,7 +460,10 @@ cat %{name}.lang >>bin-man-doc-files
 %fdupes -s %{buildroot}
 
 %check
+# https://public-inbox.org/git/f1a5f758-d81f-5985-9b5d-2f0dbfaac071@opensuse.org/
+%ifnarch s390x
 ./.make %{?_smp_mflags} test
+%endif
 
 %if 0%{?suse_version} >= 1500
 %pre daemon -f git-daemon.pre