[PATCH] gnu: git: Update to 2.40.1 [security fixes].

Status: Done
Participants: Greg Hogan, Ludovic Courtès
Owner: unassigned
Submitted by: Greg Hogan
Severity: normal
Greg Hogan wrote on 26 Apr 2023 18:40
(address . guix-patches@gnu.org)(name . Greg Hogan)(address . code@greghogan.com)
20230426164050.2007012-1-code@greghogan.com
Fixes CVE-2023-25652 and CVE-2023-29007.

* gnu/packages/version-control.scm (git): Update to 2.40.1.
---
gnu/packages/version-control.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index c2ec490383..5f6766f510 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -227,14 +227,14 @@ (define git-cross-configure-flags
(define-public git
(package
(name "git")
- (version "2.39.2")
+ (version "2.40.1")
(source (origin
(method url-fetch)
(uri (string-append "mirror://kernel.org/software/scm/git/git-"
version ".tar.xz"))
(sha256
(base32
- "1mpjvhyw8mv2q941xny4d0gw3mb6b4bqaqbh73jd8b1v6zqpaps7"))))
+ "1li1xwgiwccy88bkshsah2kzl1006jg29jp7n32gvjggiswvi4s8"))))
(build-system gnu-build-system)
(native-inputs
`(("native-perl" ,perl)
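Review bot: the new base32 value on the `+` line under `(sha256` cannot be checked from the diff alone, and since this is a security update the submission should say how the tarball was authenticated (for example against the upstream release signature) before the hash was computed. The version line also moves from 2.39.2 to 2.40.1, which is a new release series rather than a patch-level bump, so packages that inherit from this definition should be rebuilt before the change is applied.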
@@ -254,7 +254,7 @@ (define-public git
version ".tar.xz"))
(sha256
(base32
- "09cva868qb4705s884dzvbwkm78jlw4q8m6xj7nd7cwxy2i2ff8b"))))
+ "04yy5za8963q6xzrirflvxbi1216jzqj8ssvgd9nkld3ifa9q1gy"))))
;; For subtree documentation.
("asciidoc" ,asciidoc)
("docbook2x" ,docbook2x)
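Review bot: this second `sha256` change belongs to a different origin than the main tarball (only `version ".tar.xz"` is visible in the context), yet the commit log mentions just `(git): Update to 2.40.1`. State in the log which input's hash is being updated, and verify that tarball the same way as the main source, since a wrong hash here would only surface when the input is fetched at build time.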
--
2.40.0
Greg Hogan wrote on 26 Apr 2023 19:27
[PATCH v2 0/2] Update git [security fixes].
(address . 63092@debbugs.gnu.org)(name . Greg Hogan)(address . code@greghogan.com)
20230426172723.2684501-1-code@greghogan.com
v2 adds a fix for git-minimal.

Greg Hogan (2):
gnu: git: Update to 2.40.1 [security fixes].
gnu: git-minimal: Remove deletion of removed file.

gnu/packages/version-control.scm | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--
2.40.0
Greg Hogan wrote on 26 Apr 2023 19:27
[PATCH v2 2/2] gnu: git-minimal: Remove deletion of removed file.
(address . 63092@debbugs.gnu.org)(name . Greg Hogan)(address . code@greghogan.com)
20230426172723.2684501-3-code@greghogan.com
* gnu/packages/version-control.scm (git-minimal)
[arguments]<#:phases>(remove-unusable-perl-commands): Remove
from deletion list the file deleted from upstream.
---
gnu/packages/version-control.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 5f6766f510..3f1f8d4ec2 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -638,7 +638,7 @@ (define-public git-minimal
"/git-core/" file)))
'("git-svn" "git-cvsimport" "git-archimport"
"git-cvsserver" "git-request-pull"
- "git-add--interactive" "git-cvsexportcommit"
+ "git-cvsexportcommit"
"git-instaweb" "git-send-email"))
(delete-file (string-append bin "/git-cvsserver"))
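Review bot: dropping "git-add--interactive" from the list on the `-`/`+` lines fixes the phase only for sources where upstream has already removed that script. If any other package variant reuses this `for-each` deletion phase with an older Git source, the script would now stay in its output; confirm that no such variant exists, or keep the name in the list and make the deletion tolerate a missing file.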
--
2.40.0
Greg Hogan wrote on 26 Apr 2023 19:27
[PATCH v2 1/2] gnu: git: Update to 2.40.1 [security fixes].
(address . 63092@debbugs.gnu.org)(name . Greg Hogan)(address . code@greghogan.com)
20230426172723.2684501-2-code@greghogan.com
Fixes CVE-2023-25652 and CVE-2023-29007.

* gnu/packages/version-control.scm (git): Update to 2.40.1.
---
gnu/packages/version-control.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index c2ec490383..5f6766f510 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -227,14 +227,14 @@ (define git-cross-configure-flags
(define-public git
(package
(name "git")
- (version "2.39.2")
+ (version "2.40.1")
(source (origin
(method url-fetch)
(uri (string-append "mirror://kernel.org/software/scm/git/git-"
version ".tar.xz"))
(sha256
(base32
- "1mpjvhyw8mv2q941xny4d0gw3mb6b4bqaqbh73jd8b1v6zqpaps7"))))
+ "1li1xwgiwccy88bkshsah2kzl1006jg29jp7n32gvjggiswvi4s8"))))
(build-system gnu-build-system)
(native-inputs
`(("native-perl" ,perl)
@@ -254,7 +254,7 @@ (define-public git
version ".tar.xz"))
(sha256
(base32
- "09cva868qb4705s884dzvbwkm78jlw4q8m6xj7nd7cwxy2i2ff8b"))))
+ "04yy5za8963q6xzrirflvxbi1216jzqj8ssvgd9nkld3ifa9q1gy"))))
;; For subtree documentation.
("asciidoc" ,asciidoc)
("docbook2x" ,docbook2x)
--
2.40.0
Greg Hogan wrote on 26 Apr 2023 21:03
[PATCH v3 0/2] Update git [security fixes].
(address . 63092@debbugs.gnu.org)(name . Greg Hogan)(address . code@greghogan.com)
20230426190346.3457310-1-code@greghogan.com
v3 modifies the changes to git-minimal so that the older, pinned version
of git-minimal continues to pass the post-build check.

Greg Hogan (2):
gnu: git: Update to 2.40.1 [security fixes].
gnu: git-minimal: Check files exist before delete.

gnu/packages/version-control.scm | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

--
2.40.0
Greg Hogan wrote on 26 Apr 2023 21:03
[PATCH v3 2/2] gnu: git-minimal: Check files exist before delete.
(address . 63092@debbugs.gnu.org)(name . Greg Hogan)(address . code@greghogan.com)
20230426190346.3457310-3-code@greghogan.com
* gnu/packages/version-control.scm (git-minimal)
[arguments]<#:phases>(remove-unusable-perl-commands): Add file check
before deleting perl scripts so that this phase works for both new and
old, pinned versions.
---
gnu/packages/version-control.scm | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 5f6766f510..0467e9f4cb 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -634,8 +634,11 @@ (define-public git-minimal
(bin (string-append out "/bin"))
(libexec (string-append out "/libexec")))
(for-each (lambda (file)
- (delete-file (string-append libexec
- "/git-core/" file)))
+ (if (file-exists? file)
+ (delete-file (string-append libexec
+ "/git-core/" file))))
+ ;; git-add--interactive was removed in Git 2.40 but
+ ;; this phase is inherited by older versions.
'("git-svn" "git-cvsimport" "git-archimport"
"git-cvsserver" "git-request-pull"
"git-add--interactive" "git-cvsexportcommit"
--
2.40.0
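Review bot: in the added `(if (file-exists? file)` line of the git-minimal hunk, the test receives the bare name `file` while `delete-file` receives `(string-append libexec "/git-core/" file)`, so the check is resolved against the build's current directory instead of libexec/git-core. It will most likely be false for every entry, in which case none of the listed Perl commands are deleted and they remain in the output. Bind the full path once and pass that same value to both calls, and prefer `when` over a one-armed `if`.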
Greg Hogan wrote on 26 Apr 2023 21:03
[PATCH v3 1/2] gnu: git: Update to 2.40.1 [security fixes].
(address . 63092@debbugs.gnu.org)(name . Greg Hogan)(address . code@greghogan.com)
20230426190346.3457310-2-code@greghogan.com
Fixes CVE-2023-25652 and CVE-2023-29007.

* gnu/packages/version-control.scm (git): Update to 2.40.1.
---
gnu/packages/version-control.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index c2ec490383..5f6766f510 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -227,14 +227,14 @@ (define git-cross-configure-flags
(define-public git
(package
(name "git")
- (version "2.39.2")
+ (version "2.40.1")
(source (origin
(method url-fetch)
(uri (string-append "mirror://kernel.org/software/scm/git/git-"
version ".tar.xz"))
(sha256
(base32
- "1mpjvhyw8mv2q941xny4d0gw3mb6b4bqaqbh73jd8b1v6zqpaps7"))))
+ "1li1xwgiwccy88bkshsah2kzl1006jg29jp7n32gvjggiswvi4s8"))))
(build-system gnu-build-system)
(native-inputs
`(("native-perl" ,perl)
@@ -254,7 +254,7 @@ (define-public git
version ".tar.xz"))
(sha256
(base32
- "09cva868qb4705s884dzvbwkm78jlw4q8m6xj7nd7cwxy2i2ff8b"))))
+ "04yy5za8963q6xzrirflvxbi1216jzqj8ssvgd9nkld3ifa9q1gy"))))
;; For subtree documentation.
("asciidoc" ,asciidoc)
("docbook2x" ,docbook2x)
--
2.40.0
Ludovic Courtès wrote on 11 May 2023 15:15
Re: bug#63092: [PATCH] gnu: git: Update to 2.40.1 [security fixes].
(name . Greg Hogan)(address . code@greghogan.com)(address . 63092-done@debbugs.gnu.org)
874joj3t6r.fsf_-_@gnu.org
Hi Greg,

Greg Hogan <code@greghogan.com> writes:

> * gnu/packages/version-control.scm (git-minimal)
> [arguments]<#:phases>(remove-unusable-perl-commands): Add file check
> before deleting perl scripts so that this phase works for both new and
> old, pinned versions.

[...]

> + (if (file-exists? file)
> + (delete-file (string-append libexec
> + "/git-core/" file))))
> + ;; git-add--interactive was removed in Git 2.40 but
> + ;; this phase is inherited by older versions.

The ‘file-exists?’ and ‘delete-file’ calls are passed different file
names. Also, this won’t prevent a rebuild of ‘git-minimal/pinned’.

So I went with a different approach to achieve that goal. Applied now.

Thanks!

Ludo’.
Closed