Change logs for git source package in Kinetic

  • git (1:2.37.2-1ubuntu1.5) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: Overwriting path
        - debian/patches/CVE-2023-25652_25815_29007/0022-*.patch: apply
          --reject overwriting existing .rej symlink if it exists in apply.c,
          t/t4115-apply-symlink.sh.
        - CVE-2023-25652
      * SECURITY UPDATE: Malicious placement of crafted messages
        - debian/patches/CVE-2023-25652_25815_29007/0024-*patch:
          avoid using gettext if the locale dir is not present in
          gettext.c.
        - CVE-2023-25815
      * SECURITY UPDATE: Arbitrary configuration injection
        - debian/patches/CVE-2023-25652_25815_29007/0025-*.patch: avoid
          fixed-sized buffer when renaming/deleting a section in config.c,
          t/t1300-config.sh.
        - debian/patches/CVE-2023-25652_25815_29007/0026-*.patch: avoid
          integer truncation in copy_or_rename_section_in_file() in config.c.
        - debian/patches/CVE-2023-25652_25815_29007/0027-*.patch: disallow
          overly-long lines in copy_or_rename_section_in_file in config.c.
        - CVE-2023-29007
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 24 Apr 2023 14:29:14 -0300
  • git (1:2.37.2-1ubuntu1.4) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: Overwritten path and using
        local clone optimization even when using a non-local transport
        - debian/patches/CVE_2023-22490_and_23946/0002-*.patch: adjust
          a mismatch data type in attr.c.
        - debian/patches/CVE_2023-22490_and_23946/0003-*.patch: demonstrate
          clone_local() with ambiguous transport in
          t/t5619-clone-local-ambiguous-transport.sh.
        - debian/patches/CVE_2023-22490_and_23946/0004-*.patch: delay
          picking a transport until after get_repo_path() in builtin/clone.c.
        - debian/patches/CVE_2023-22490_and_23946/0005-*.patch: prevent top-level
          symlinks without FOLLOW_SYMLINKS in dir-iterator, dir-iterator.h,
          t/t0066-dir-iterator.sh, t/t5604-clone-reference.sh.
        - debian/patches/CVE_2023-22490_and_23946/0006-*.patch: fix writing behind
          newly created symbolic links in apply.c, t/t4115-apply-symlink.sh.
        - CVE-2023-22490
        - CVE-2023-23946
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 08 Feb 2023 09:17:55 -0300
  • git (1:2.37.2-1ubuntu1.2) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: Integer overflow
        - debian/patches/CVE_2022_23521_and_41903/00*.patch:
          attr.c, attr.h, pretty.c, column.c, utf8.c, utf8.h,
          t/t4205-log-pretty-formats.sh, t/test-lib.sh, git-compat-util.h,
          t/t0003-attributes.sh.
        - CVE-2022-23521
        - CVE-2022-41903
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 11 Jan 2023 14:29:53 -0300
  • git (1:2.37.2-1ubuntu1.1) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: Unexpected behavior
        - debian/patches/CVE-2022-39253-*.patch: disallow --local
          clones with symlinks and additionally changed the
          protocol.file.allow to be user by default in
          builtin/clone.c, transport.c, and modified tests in
          t/t5604-clone-reference.sh,
          lib-submodule-update.sh, t/t1091-sparse-checkout-builtin.sh,
          t/t1500-rev-parse.sh, t/t2400-worktree-add.sh,
          t/t2403-worktree-move.sh, t/t2405-worktree-submodule.sh,
          t/t3200-branch.sh, t/t3420-rebase-autostash.sh,
          t/t3426-rebase-submodule.sh, t/t3512-cherry-pick-submodule.sh,
          t/t3600-rm.sh, t/t3906-stash-submodule.sh,
          t/t4059-diff-submodule-not-initialized.sh,
          t/t4060-diff-submodule-option-diff-format.sh,
          t/t4067-diff-partial-clone.sh,
          t/t4208-log-magic-pathspec.sh, t/t5510-fetch.sh,
          t/t5526-fetch-submodules.sh, t/t5545-push-options.sh,
          t/t5572-pull-submodule.sh, t/t5601-clone.sh,
          t/t5614-clone-submodules-shallow.sh, t/t5616-partial-clone.sh,
          t/t5617-clone-submodules-remote.sh, t/t6008-rev-list-submodule.sh,
          t/t6134-pathspec-in-submodule.sh,
          t/t7001-mv.sh, t/t7064-wtstatus-pv2.sh,
          t/t7300-clean.sh, t/t7400-submodule-basic.sh,
          t/t7403-submodule-sync.sh, t/t7406-submodule-update.sh,
          t/t7407-submodule-foreach.sh, t/t7408-submodule-reference.sh,
          t/t7409-submodule-detached-work-tree.sh, t/t7411-submodule-config.sh,
          t/t7413-submodule-is-active.sh, t/t7414-submodule-mistakes.sh,
          t/t7415-submodule-names.sh, t/t7416-submodule-dash-url.sh,
          t/t7417-submodule-path-url.sh, t/t7418-submodule-sparse-gitmodules.sh,
          t/t7419-submodule-set-branch.sh, t/t7420-submodule-set-url.sh,
          t/t7421-submodule-summary-add.sh, t/t7506-status-submodule.sh,
          t/t7507-commit-verbose.sh, t/t7800-difftool.sh,
          t/t7814-grep-recurse-submodules.sh, t/t9304-fast-import-marks.sh,
          t/t9350-fast-export.sh, t/t1092-sparse-checkout-compatibility.sh,
          t/t2080-parallel-checkout-basics.sh, t/t7450-bad-git-dotfiles.sh.
        - CVE-2022-39253
      * SECURITY UPDATE: Arbitrary heap writes
        - debian/patches/CVE-2022-39260-*.patch: limit size of interactive
          commands and reject too-long cmdline strings in split_cmdline()
          in shell.c, t/t9850-shell.sh, alias.c.
        - CVE-2022-39260
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 14 Nov 2022 16:44:48 -0300
  • git (1:2.37.2-1ubuntu1) kinetic; urgency=low
    
      * Merge from Debian unstable. Remaining changes:
        - Build diff-highlight in the contrib dir
        - Don't build-depend on subversion on i386, it is not reasonable to
          support on the partial arch.
      * Dropped changes, included upstream:
        - debian/patches/CVE-2022-29187-1.patch: adds test to
          regression git needs safe.directory when using sudo in
          t/t0034-root-safe-directory.sh.
        - debian/patches/CVE-2022-29187-2.patch: avoid failing dir ownership
          checks if running privileged in git-compat-util.h,
          t/t0034-root-safe-directory.sh.
        - debian/patches/CVE-2022-29187-3.patch: add negative tests
          and allow git init to mostly work under sudo in
          t/lib-sudo.sh b/t/lib-sudo.sh.
        - debian/patches/CVE-2022-29187-4.patch: allow root
          to access both SUDO_UID and root owned in git-compat-util.h,
          t/t0034-root-safe-directory.sh.
        - debian/patches/CVE-2022-29187-6.patch: tighten ownership checks
          post CVE-2022-24765 in setup.c.
    
    git (1:2.37.2-1) unstable; urgency=low
    
      * new upstream release (closes: #1016723; see RelNotes/2.37.0.txt,
        RelNotes/2.37.1.txt, RelNotes/2.37.2.txt).
    
     -- Steve Langasek <email address hidden>  Tue, 16 Aug 2022 11:34:06 -0700
  • git (1:2.36.1-1ubuntu2) kinetic; urgency=medium
    
      * SECURITY UPDATE: Potential arbitrary code execution
        - debian/patches/CVE-2022-29187-1.patch: adds test to
          regression git needs safe.directory when using sudo in
          t/t0034-root-safe-directory.sh.
        - debian/patches/CVE-2022-29187-2.patch: avoid failing dir ownership
          checks if running privileged in git-compat-util.h,
          t/t0034-root-safe-directory.sh.
        - debian/patches/CVE-2022-29187-3.patch: add negative tests
          and allow git init to mostly work under sudo in
          t/lib-sudo.sh b/t/lib-sudo.sh.
        - debian/patches/CVE-2022-29187-4.patch: allow root
          to access both SUDO_UID and root owned in git-compat-util.h,
          t/t0034-root-safe-directory.sh.
        - debian/patches/CVE-2022-29187-6.patch: tighten ownership checks
          post CVE-2022-24765 in setup.c.
        - CVE-2022-29187
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Thu, 14 Jul 2022 15:05:33 -0300
  • git (1:2.36.1-1ubuntu1) kinetic; urgency=low
    
      * Merge from Debian unstable. Remaining changes:
        - Build diff-highlight in the contrib dir
        - Don't build-depend on subversion on i386, it is not reasonable to
          support on the partial arch.
    
    git (1:2.36.1-1) unstable; urgency=low
    
      * new upstream point release (closes: #1010720; see
        RelNotes/2.36.1.txt).
    
    git (1:2.36.0-1) unstable; urgency=low
    
      * new upstream release (see RelNotes/2.36.0.txt).
    
    git (1:2.35.2-1) unstable; urgency=medium
    
      * new upstream point release (see RelNotes/2.35.2.txt).
        * Addresses the security issue CVE-2022-24765: Git users might
          have found themselves unexpectedly in a Git worktree, e.g. when
          another user created a repository in `/tmp/.git`, in a mounted
          network drive or in a scratch space. Having a Git-aware prompt
          that runs `git status` (or `git diff`) and navigating to a
          directory which is supposedly not a Git worktree, or opening
          such a directory in an IDE with Git support such as VS Code,
          could then run commands specified by that other user.
    
          Thanks to 俞晨东 for discovering this vulnerability and
          Johannes Schindelin for the mitigation.
    
    git (1:2.35.1-1) unstable; urgency=low
    
      * new upstream release (see RelNotes/2.35.0.txt, RelNotes/2.35.1.txt).
    
     -- Gianfranco Costamagna <email address hidden>  Mon, 23 May 2022 12:09:08 +0200
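The CVE-2022-24765 entry above describes the problem (a worktree discovered under a directory owned by someone else) and the mitigation (an owner check, later made configurable through `safe.directory`, with `safe.directory=*` as the opt-out). The following Python sketch is an added illustration of that policy, not git's own code: the function names `is_owned_by` and `repo_is_trusted` are assumptions, the matching is simplified to canonical-path comparison, and the "foreign" user id is constructed so the check can be exercised without a second account.

```python
# Added illustration (not git's code) of the trust decision git makes before
# acting on a repository it discovered by walking up the directory tree:
#   trusted if the worktree is owned by the current user,
#   or its canonical path is listed in safe.directory,
#   or safe.directory contains the "*" opt-out.
import os
import tempfile


def is_owned_by(path, uid=None):
    """True if `path` is owned by `uid` (default: the effective user)."""
    if uid is None:
        uid = os.geteuid()
    return os.stat(path).st_uid == uid


def repo_is_trusted(worktree, safe_directories=(), uid=None):
    """Apply the safe.directory policy to a discovered worktree.

    `safe_directories` models the list of safe.directory config values;
    comparison is by canonical path (a simplification of git's matching).
    """
    if "*" in safe_directories:          # explicit opt-out of the check
        return True
    canonical = os.path.realpath(worktree)
    if any(os.path.realpath(d) == canonical for d in safe_directories):
        return True
    return is_owned_by(worktree, uid)   # default rule: must be ours


def demo():
    """Exercise the policy on a constructed temporary directory.

    Returns a dict of check-name -> True when the policy behaved as expected.
    """
    with tempfile.TemporaryDirectory() as tmp:
        other_uid = os.geteuid() + 1     # constructed: a user that is not us
        return {
            # our own directory is trusted without any configuration
            "own_dir_trusted": repo_is_trusted(tmp),
            # the same directory seen as another user's is refused ...
            "foreign_dir_untrusted": not repo_is_trusted(tmp, uid=other_uid),
            # ... unless it is allow-listed ...
            "foreign_dir_allowlisted": repo_is_trusted(tmp, [tmp], uid=other_uid),
            # ... or the check is disabled outright with "*"
            "foreign_dir_star": repo_is_trusted(tmp, ["*"], uid=other_uid),
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Run as a script it prints one line per check; the point to take from it is the ordering of the rules: the `*` opt-out short-circuits everything, which is why the changelog treats it as a deliberate, explicit choice rather than a default.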
  • git (1:2.34.1-1ubuntu1.3) kinetic; urgency=medium
    
      * Rebuild against new libicu71.
    
     -- Gianfranco Costamagna <email address hidden>  Mon, 23 May 2022 12:07:45 +0200
  • git (1:2.34.1-1ubuntu1.2) jammy; urgency=medium
    
      * SECURITY REGRESSION: Previous update was incomplete causing regressions
        and not correctly fixing the issue.
        - debian/patches/CVE-2022-24765-5.patch: fix safe.directory
          key not being checked in setup.c.
        - debian/patches/CVE-2022-24765-6.patch:
          opt-out of check with safe.directory=* in setup.c. (LP: #1970260)
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 25 Apr 2022 20:14:03 -0300
  • git (1:2.34.1-1ubuntu1.1) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Run commands in diff users
        - debian/patches/CVE-2022-24765-*.patch: fix GIT_CEILING_DIRECTORIES; add
          an owner check for the top-level-directory; add a function to
          determine whether a path is owned by the current user in patch.c,
          t/t0060-path-utils.sh, setup.c, compat/mingw.c, compat/mingw.h,
          git-compat-util.h.
        - CVE-2022-24765
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Fri, 08 Apr 2022 08:43:25 -0300
  • git (1:2.34.1-1ubuntu1) jammy; urgency=low
    
      * Merge from Debian unstable. Remaining changes:
        - Build diff-highlight in the contrib dir
        - Don't build-depend on subversion on i386, it is not reasonable to
          support on the partial arch.
    
    git (1:2.34.1-1) unstable; urgency=low
    
      * new upstream point release (see RelNotes/2.34.1.txt).
    
    git (1:2.34.0-1) unstable; urgency=low
    
      * new upstream release (see RelNotes/2.34.0.txt).
    
     -- Julian Andres Klode <email address hidden>  Mon, 24 Jan 2022 16:50:15 +0100