Skip to content

Commit

Permalink
Sync with 2.42.2
Browse files Browse the repository at this point in the history
* maint-2.42: (39 commits)
  Git 2.42.2
  Git 2.41.1
  Git 2.40.2
  Git 2.39.4
  fsck: warn about symlink pointing inside a gitdir
  core.hooksPath: add some protection while cloning
  init.templateDir: consider this config setting protected
  clone: prevent hooks from running during a clone
  Add a helper function to compare file contents
  init: refactor the template directory discovery into its own function
  find_hook(): refactor the `STRIP_EXTENSION` logic
  clone: when symbolic links collide with directories, keep the latter
  entry: report more colliding paths
  t5510: verify that D/F confusion cannot lead to an RCE
  submodule: require the submodule path to contain directories only
  clone_submodule: avoid using `access()` on directories
  submodules: submodule paths must not contain symlinks
  clone: prevent clashing git dirs when cloning submodule in parallel
  t7423: add tests for symlinked submodule directories
  has_dir_name(): do not get confused by characters < '/'
  ...
  • Loading branch information
dscho committed Apr 19, 2024
2 parents 0d464a4 + babb4e5 commit 8e97ec3
Show file tree
Hide file tree
Showing 46 changed files with 1,294 additions and 107 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/check-whitespace.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ jobs:
check-whitespace:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
fetch-depth: 0

Expand Down
38 changes: 19 additions & 19 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ jobs:
echo "skip_concurrent=$skip_concurrent" >>$GITHUB_OUTPUT
- name: skip if the commit or tree was already tested
id: skip-if-redundant
uses: actions/github-script@v6
uses: actions/github-script@v7
if: steps.check-ref.outputs.enabled == 'yes'
with:
github-token: ${{secrets.GITHUB_TOKEN}}
Expand Down Expand Up @@ -112,7 +112,7 @@ jobs:
group: windows-build-${{ github.ref }}
cancel-in-progress: ${{ needs.ci-config.outputs.skip_concurrent == 'yes' }}
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: git-for-windows/setup-git-for-windows-sdk@v1
- name: build
shell: bash
Expand All @@ -123,7 +123,7 @@ jobs:
- name: zip up tracked files
run: git archive -o artifacts/tracked.tar.gz HEAD
- name: upload tracked files and build artifacts
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: windows-artifacts
path: artifacts
Expand All @@ -140,7 +140,7 @@ jobs:
cancel-in-progress: ${{ needs.ci-config.outputs.skip_concurrent == 'yes' }}
steps:
- name: download tracked files and build artifacts
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: windows-artifacts
path: ${{github.workspace}}
Expand All @@ -157,7 +157,7 @@ jobs:
run: ci/print-test-failures.sh
- name: Upload failed tests' directories
if: failure() && env.FAILED_TEST_ARTIFACTS != ''
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: failed-tests-windows
path: ${{env.FAILED_TEST_ARTIFACTS}}
Expand All @@ -173,10 +173,10 @@ jobs:
group: vs-build-${{ github.ref }}
cancel-in-progress: ${{ needs.ci-config.outputs.skip_concurrent == 'yes' }}
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: git-for-windows/setup-git-for-windows-sdk@v1
- name: initialize vcpkg
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
repository: 'microsoft/vcpkg'
path: 'compat/vcbuild/vcpkg'
Expand Down Expand Up @@ -212,7 +212,7 @@ jobs:
- name: zip up tracked files
run: git archive -o artifacts/tracked.tar.gz HEAD
- name: upload tracked files and build artifacts
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: vs-artifacts
path: artifacts
Expand All @@ -230,7 +230,7 @@ jobs:
steps:
- uses: git-for-windows/setup-git-for-windows-sdk@v1
- name: download tracked files and build artifacts
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: vs-artifacts
path: ${{github.workspace}}
Expand All @@ -248,7 +248,7 @@ jobs:
run: ci/print-test-failures.sh
- name: Upload failed tests' directories
if: failure() && env.FAILED_TEST_ARTIFACTS != ''
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: failed-tests-windows
path: ${{env.FAILED_TEST_ARTIFACTS}}
Expand Down Expand Up @@ -297,15 +297,15 @@ jobs:
runs_on_pool: ${{matrix.vector.pool}}
runs-on: ${{matrix.vector.pool}}
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- run: ci/install-dependencies.sh
- run: ci/run-build-and-tests.sh
- name: print test failures
if: failure() && env.FAILED_TEST_ARTIFACTS != ''
run: ci/print-test-failures.sh
- name: Upload failed tests' directories
if: failure() && env.FAILED_TEST_ARTIFACTS != ''
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: failed-tests-${{matrix.vector.jobname}}
path: ${{env.FAILED_TEST_ARTIFACTS}}
Expand All @@ -331,9 +331,9 @@ jobs:
runs-on: ubuntu-latest
container: ${{matrix.vector.image}}
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
if: matrix.vector.jobname != 'linux32'
- uses: actions/checkout@v1
- uses: actions/checkout@v1 # cannot be upgraded because Node.js Actions aren't supported in this container
if: matrix.vector.jobname == 'linux32'
- run: ci/install-docker-dependencies.sh
- run: ci/run-build-and-tests.sh
Expand All @@ -342,13 +342,13 @@ jobs:
run: ci/print-test-failures.sh
- name: Upload failed tests' directories
if: failure() && env.FAILED_TEST_ARTIFACTS != '' && matrix.vector.jobname != 'linux32'
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: failed-tests-${{matrix.vector.jobname}}
path: ${{env.FAILED_TEST_ARTIFACTS}}
- name: Upload failed tests' directories
if: failure() && env.FAILED_TEST_ARTIFACTS != '' && matrix.vector.jobname == 'linux32'
uses: actions/upload-artifact@v1
uses: actions/upload-artifact@v1 # cannot be upgraded because Node.js Actions aren't supported in this container
with:
name: failed-tests-${{matrix.vector.jobname}}
path: ${{env.FAILED_TEST_ARTIFACTS}}
Expand All @@ -362,7 +362,7 @@ jobs:
group: static-analysis-${{ github.ref }}
cancel-in-progress: ${{ needs.ci-config.outputs.skip_concurrent == 'yes' }}
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- run: ci/install-dependencies.sh
- run: ci/run-static-analysis.sh
- run: ci/check-directional-formatting.bash
Expand All @@ -385,7 +385,7 @@ jobs:
artifact: sparse-20.04
- name: Install the current `sparse` package
run: sudo dpkg -i sparse-20.04/sparse_*.deb
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Install other dependencies
run: ci/install-dependencies.sh
- run: make sparse
Expand All @@ -400,6 +400,6 @@ jobs:
jobname: Documentation
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- run: ci/install-dependencies.sh
- run: ci/test-documentation.sh
79 changes: 79 additions & 0 deletions Documentation/RelNotes/2.39.4.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
Git v2.39.4 Release Notes
=========================

This addresses the security issues CVE-2024-32002, CVE-2024-32004,
CVE-2024-32020 and CVE-2024-32021.

This release also backports fixes necessary to let the CI builds pass
successfully.

Fixes since v2.39.3
-------------------

* CVE-2024-32002:

Recursive clones on case-insensitive filesystems that support symbolic
links are susceptible to case confusion that can be exploited to
execute just-cloned code during the clone operation.

* CVE-2024-32004:

Repositories can be configured to execute arbitrary code during local
clones. To address this, the ownership checks introduced in v2.30.3
are now extended to cover cloning local repositories.

* CVE-2024-32020:

Local clones may end up hardlinking files into the target repository's
object database when source and target repository reside on the same
disk. If the source repository is owned by a different user, then
those hardlinked files may be rewritten at any point in time by the
untrusted user.

* CVE-2024-32021:

When cloning a local source repository that contains symlinks via the
filesystem, Git may create hardlinks to arbitrary user-readable files
on the same filesystem as the target repository in the objects/
directory.

* CVE-2024-32465:

It is supposed to be safe to clone untrusted repositories, even those
unpacked from zip archives or tarballs originating from untrusted
sources, but Git can be tricked to run arbitrary code as part of the
clone.

* Defense-in-depth: submodule: require the submodule path to contain
directories only.

* Defense-in-depth: clone: when symbolic links collide with directories, keep
the latter.

* Defense-in-depth: clone: prevent hooks from running during a clone.

* Defense-in-depth: core.hooksPath: add some protection while cloning.

* Defense-in-depth: fsck: warn about symlink pointing inside a gitdir.

* Various fix-ups on HTTP tests.

* Test update.

* HTTP Header redaction code has been adjusted for a newer version of
cURL library that shows its traces differently from earlier
versions.

* Fix was added to work around a regression in libcURL 8.7.0 (which has
already been fixed in their tip of the tree).

* Replace macos-12 used at GitHub CI with macos-13.

* ci(linux-asan/linux-ubsan): let's save some time

* Tests with LSan from time to time seem to emit harmless message that makes
our tests unnecessarily flakey; we work it around by filtering the
uninteresting output.

* Update GitHub Actions jobs to avoid warnings against using deprecated
version of Node.js.
7 changes: 7 additions & 0 deletions Documentation/RelNotes/2.40.2.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
Git v2.40.2 Release Notes
=========================

This release merges up the fix that appears in v2.39.4 to address
the security issues CVE-2024-32002, CVE-2024-32004, CVE-2024-32020,
CVE-2024-32021 and CVE-2024-32465; see the release notes for that
version for details.
7 changes: 7 additions & 0 deletions Documentation/RelNotes/2.41.1.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
Git v2.41.1 Release Notes
=========================

This release merges up the fix that appears in v2.39.4 and v2.40.2
to address the security issues CVE-2024-32002, CVE-2024-32004,
CVE-2024-32020, CVE-2024-32021 and CVE-2024-32465; see the release
notes for these versions for details.
7 changes: 7 additions & 0 deletions Documentation/RelNotes/2.42.2.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
Git v2.42.2 Release Notes
=========================

This release merges up the fix that appears in v2.39.4, v2.40.2
and v2.41.1 to address the security issues CVE-2024-32002,
CVE-2024-32004, CVE-2024-32020, CVE-2024-32021 and CVE-2024-32465;
see the release notes for these versions for details.
12 changes: 12 additions & 0 deletions Documentation/fsck-msgids.txt
Original file line number Diff line number Diff line change
Expand Up @@ -164,6 +164,18 @@
`nullSha1`::
(WARN) Tree contains entries pointing to a null sha1.

`symlinkPointsToGitDir`::
(WARN) Symbolic link points inside a gitdir.

`symlinkTargetBlob`::
(ERROR) A non-blob found instead of a symbolic link's target.

`symlinkTargetLength`::
(WARN) Symbolic link target longer than maximum path length.

`symlinkTargetMissing`::
(ERROR) Unable to read symbolic link target's blob.

`treeNotSorted`::
(ERROR) A tree is not properly sorted.

Expand Down
31 changes: 31 additions & 0 deletions Documentation/git-upload-pack.txt
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,37 @@ ENVIRONMENT
admins may need to configure some transports to allow this
variable to be passed. See the discussion in linkgit:git[1].

`GIT_NO_LAZY_FETCH`::
When cloning or fetching from a partial repository (i.e., one
itself cloned with `--filter`), the server-side `upload-pack`
may need to fetch extra objects from its upstream in order to
complete the request. By default, `upload-pack` will refuse to
perform such a lazy fetch, because `git fetch` may run arbitrary
commands specified in configuration and hooks of the source
repository (and `upload-pack` tries to be safe to run even in
untrusted `.git` directories).
+
This is implemented by having `upload-pack` internally set the
`GIT_NO_LAZY_FETCH` variable to `1`. If you want to override it
(because you are fetching from a partial clone, and you are sure
you trust it), you can explicitly set `GIT_NO_LAZY_FETCH` to
`0`.

SECURITY
--------

Most Git commands should not be run in an untrusted `.git` directory
(see the section `SECURITY` in linkgit:git[1]). `upload-pack` tries to
avoid any dangerous configuration options or hooks from the repository
it's serving, making it safe to clone an untrusted directory and run
commands on the resulting clone.

For an extra level of safety, you may be able to run `upload-pack` as an
alternate user. The details will be platform dependent, but on many
systems you can run:

git clone --no-local --upload-pack='sudo -u nobody git-upload-pack' ...

SEE ALSO
--------
linkgit:gitnamespaces[7]
Expand Down
31 changes: 31 additions & 0 deletions Documentation/git.txt
Original file line number Diff line number Diff line change
Expand Up @@ -1044,6 +1044,37 @@ The index is also capable of storing multiple entries (called "stages")
for a given pathname. These stages are used to hold the various
unmerged version of a file when a merge is in progress.

SECURITY
--------

Some configuration options and hook files may cause Git to run arbitrary
shell commands. Because configuration and hooks are not copied using
`git clone`, it is generally safe to clone remote repositories with
untrusted content, inspect them with `git log`, and so on.

However, it is not safe to run Git commands in a `.git` directory (or
the working tree that surrounds it) when that `.git` directory itself
comes from an untrusted source. The commands in its config and hooks
are executed in the usual way.

By default, Git will refuse to run when the repository is owned by
someone other than the user running the command. See the entry for
`safe.directory` in linkgit:git-config[1]. While this can help protect
you in a multi-user environment, note that you can also acquire
untrusted repositories that are owned by you (for example, if you
extract a zip file or tarball from an untrusted source). In such cases,
you'd need to "sanitize" the untrusted repository first.

If you have an untrusted `.git` directory, you should first clone it
with `git clone --no-local` to obtain a clean copy. Git does restrict
the set of options and hooks that will be run by `upload-pack`, which
handles the server side of a clone or fetch, but beware that the
surface area for attack against `upload-pack` is large, so this does
carry some risk. The safest thing is to serve the repository as an
unprivileged user (either via linkgit:git-daemon[1], ssh, or using
other tools to change user ids). See the discussion in the `SECURITY`
section of linkgit:git-upload-pack[1].

FURTHER DOCUMENTATION
---------------------

Expand Down
2 changes: 1 addition & 1 deletion INSTALL
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,7 @@ Issues of note:
not need that functionality, use NO_CURL to build without
it.

Git requires version "7.19.5" or later of "libcurl" to build
Git requires version "7.21.3" or later of "libcurl" to build
without NO_CURL. This version requirement may be bumped in
the future.

Expand Down
Loading

0 comments on commit 8e97ec3

Please sign in to comment.