Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/1] package/git: security bump to version 2.31.5
@ 2022-11-26 13:13 Fabrice Fontaine
  2022-12-02 18:45 ` Peter Korsgaard
  2022-12-07 13:34 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-11-26 13:13 UTC (permalink / raw)
  To: buildroot; +Cc: Matt Weber, Fabrice Fontaine

Fixes:
 * CVE-2022-39253:
   When relying on the `--local` clone optimization, Git dereferences
   symbolic links in the source repository before creating hardlinks
   (or copies) of the dereferenced link in the destination repository.
   This can lead to surprising behavior where arbitrary files are
   present in a repository's `$GIT_DIR` when cloning from a malicious
   repository.

   Git will no longer dereference symbolic links via the `--local`
   clone mechanism, and will instead refuse to clone repositories that
   have symbolic links present in the `$GIT_DIR/objects` directory.

   Additionally, the value of `protocol.file.allow` is changed to be
   "user" by default.

 * CVE-2022-39260:
   An overly-long command string given to `git shell` can result in
   overflow in `split_cmdline()`, leading to arbitrary heap writes and
   remote code execution when `git shell` is exposed and the directory
   `$HOME/git-shell-commands` exists.

   `git shell` is taught to refuse interactive commands that are
   longer than 4MiB in size. `split_cmdline()` is hardened to reject
   inputs larger than 2GiB.

https://github.com/git/git/blob/v2.31.5/Documentation/RelNotes/2.31.5.txt

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/git/git.hash | 2 +-
 package/git/git.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/git/git.hash b/package/git/git.hash
index 41afa83f86..af09ea817b 100644
--- a/package/git/git.hash
+++ b/package/git/git.hash
@@ -1,5 +1,5 @@
 # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc
-sha256  84fc20acf8fbea5cad7d5d7be0dfeb32494f1dac8e6c61675c904d1fd3d8c016  git-2.31.4.tar.xz
+sha256  dbc80f88d36fcde2c7acaaa9343cfab0f56effe9aee60e5eb00f3f36b8a619b4  git-2.31.5.tar.xz
 # Locally calculated
 sha256  5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e  COPYING
 sha256  1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a  LGPL-2.1
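Review bot: the new digest for git-2.31.5.tar.xz is attributed to the upstream `sha256sums.asc` (the `# From:` line kept as context), but neither this hunk nor the commit message says that the detached signature on that file was checked before the value was copied; a one-line "verified against the signed sha256sums.asc" in the commit message would make the provenance of the pinned hash auditable, in contrast to the two `# Locally calculated` license-file hashes that stay unchanged.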
diff --git a/package/git/git.mk b/package/git/git.mk
index dc587170e8..653b4f46ad 100644
--- a/package/git/git.mk
+++ b/package/git/git.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-GIT_VERSION = 2.31.4
+GIT_VERSION = 2.31.5
 GIT_SOURCE = git-$(GIT_VERSION).tar.xz
 GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git
 GIT_LICENSE = GPL-2.0, LGPL-2.1+
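Review bot: the tarball is fetched from a configurable mirror (`GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git`), so the pinned sha256 in git.hash is the only integrity anchor for the download; the version bump and the hash bump must therefore always land in the same commit, as they do here, and the commit message could state that the mirror-independent hash was taken from the signed upstream list rather than from the mirror itself.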
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
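The security of a bump like this rests on the pinned hash in git.hash matching what is actually downloaded. As an added example (not Buildroot's own code and not part of this patch), the following parses a Buildroot-style .hash file and verifies files against it; the hash lines are copied from the patch above, while the "downloaded" files are constructed stand-ins because the real archive is not available offline.

```python
import hashlib
import tempfile
from pathlib import Path

# git.hash as it reads after the patch on this page (copied, not constructed).
GIT_HASH_FILE = """\
# From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc
sha256  dbc80f88d36fcde2c7acaaa9343cfab0f56effe9aee60e5eb00f3f36b8a619b4  git-2.31.5.tar.xz
# Locally calculated
sha256  5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e  COPYING
sha256  1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a  LGPL-2.1
"""

def parse_hash_file(text):
    """Return {filename: (algorithm, hexdigest)}; comments and blank lines are skipped."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in hashlib.algorithms_available:
            raise ValueError(f"hash file line {lineno}: malformed entry {raw!r}")
        algo, digest, name = parts
        entries[name] = (algo, digest.lower())
    return entries

def verify_file(path, entries):
    """Return 'ok', 'mismatch' or 'missing' (no pinned hash at all) for one file."""
    name = Path(path).name
    if name not in entries:
        return "missing"  # an unpinned download must never be trusted
    algo, expected = entries[name]
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return "ok" if h.hexdigest() == expected else "mismatch"

def demo():
    """Constructed downloads: a stand-in tarball, a file pinned here, and an unpinned file."""
    genuine = b"constructed file whose hash is pinned below"
    text = GIT_HASH_FILE + f"sha256  {hashlib.sha256(genuine).hexdigest()}  extra.txt\n"
    entries = parse_hash_file(text)
    with tempfile.TemporaryDirectory() as d:
        Path(d, "git-2.31.5.tar.xz").write_bytes(b"stand-in, not the real archive")
        Path(d, "extra.txt").write_bytes(genuine)
        Path(d, "unpinned.bin").write_bytes(b"no entry in the hash file")
        names = ("git-2.31.5.tar.xz", "extra.txt", "unpinned.bin")
        return {n: verify_file(Path(d, n), entries) for n in names}
```

A real fetch must treat both "mismatch" and "missing" as a hard failure, exactly as Buildroot does when a package's .hash file does not confirm the download.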


* Re: [Buildroot] [PATCH 1/1] package/git: security bump to version 2.31.5
  2022-11-26 13:13 [Buildroot] [PATCH 1/1] package/git: security bump to version 2.31.5 Fabrice Fontaine
@ 2022-12-02 18:45 ` Peter Korsgaard
  2022-12-07 13:34 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-12-02 18:45 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Matt Weber, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fixes:
 >  * CVE-2022-39253:
 >    When relying on the `--local` clone optimization, Git dereferences
 >    symbolic links in the source repository before creating hardlinks
 >    (or copies) of the dereferenced link in the destination repository.
 >    This can lead to surprising behavior where arbitrary files are
 >    present in a repository's `$GIT_DIR` when cloning from a malicious
 >    repository.

 >    Git will no longer dereference symbolic links via the `--local`
 >    clone mechanism, and will instead refuse to clone repositories that
 >    have symbolic links present in the `$GIT_DIR/objects` directory.

 >    Additionally, the value of `protocol.file.allow` is changed to be
 >    "user" by default.

 >  * CVE-2022-39260:
 >    An overly-long command string given to `git shell` can result in
 >    overflow in `split_cmdline()`, leading to arbitrary heap writes and
 >    remote code execution when `git shell` is exposed and the directory
 >    `$HOME/git-shell-commands` exists.

 >    `git shell` is taught to refuse interactive commands that are
 >    longer than 4MiB in size. `split_cmdline()` is hardened to reject
 >    inputs larger than 2GiB.

 > https://github.com/git/git/blob/v2.31.5/Documentation/RelNotes/2.31.5.txt

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard


* Re: [Buildroot] [PATCH 1/1] package/git: security bump to version 2.31.5
  2022-11-26 13:13 [Buildroot] [PATCH 1/1] package/git: security bump to version 2.31.5 Fabrice Fontaine
  2022-12-02 18:45 ` Peter Korsgaard
@ 2022-12-07 13:34 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-12-07 13:34 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Matt Weber, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fixes:
 >  * CVE-2022-39253:
 >    When relying on the `--local` clone optimization, Git dereferences
 >    symbolic links in the source repository before creating hardlinks
 >    (or copies) of the dereferenced link in the destination repository.
 >    This can lead to surprising behavior where arbitrary files are
 >    present in a repository's `$GIT_DIR` when cloning from a malicious
 >    repository.

 >    Git will no longer dereference symbolic links via the `--local`
 >    clone mechanism, and will instead refuse to clone repositories that
 >    have symbolic links present in the `$GIT_DIR/objects` directory.

 >    Additionally, the value of `protocol.file.allow` is changed to be
 >    "user" by default.

 >  * CVE-2022-39260:
 >    An overly-long command string given to `git shell` can result in
 >    overflow in `split_cmdline()`, leading to arbitrary heap writes and
 >    remote code execution when `git shell` is exposed and the directory
 >    `$HOME/git-shell-commands` exists.

 >    `git shell` is taught to refuse interactive commands that are
 >    longer than 4MiB in size. `split_cmdline()` is hardened to reject
 >    inputs larger than 2GiB.

 > https://github.com/git/git/blob/v2.31.5/Documentation/RelNotes/2.31.5.txt

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.08.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
