Message ID | 20230118213517.5946-1-ps.report@gmx.net |
---|---|
State | Accepted |
Series | [v1] package/git: bump version to 2.39.1 |
On Wed, Jan 18, 2023 at 10:35:17PM +0100, Peter Seiderer wrote: > - fixes CVE-2022-41903 and CVE-2022-23521 > > For details see [1]. > > [1] https://lore.kernel.org/git/xmqq7cxl9h0i.fsf@gitster.g/ > Ah! I'm about to submit the same bump. My bump builds fine, so I think it is also applicable to yours. Tested-by: Bagas Sanjaya <bagasdotme@gmail.com> > Signed-off-by: Peter Seiderer <ps.report@gmx.net> > --- > package/git/git.hash | 2 +- > package/git/git.mk | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/package/git/git.hash b/package/git/git.hash > index 57a77b2810..75398896e5 100644 > --- a/package/git/git.hash > +++ b/package/git/git.hash > @@ -1,5 +1,5 @@ > # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc > -sha256 ba199b13fb5a99ca3dec917b0bd736bc0eb5a9df87737d435eddfdf10d69265b git-2.39.0.tar.xz > +sha256 40a38a0847b30c371b35873b3afcf123885dd41ea3ecbbf510efa97f3ce5c161 git-2.39.1.tar.xz > # Locally calculated > sha256 5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e COPYING > sha256 1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a LGPL-2.1 > diff --git a/package/git/git.mk b/package/git/git.mk > index 9918d4c1ef..1d728e1964 100644 > --- a/package/git/git.mk > +++ b/package/git/git.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -GIT_VERSION = 2.39.0 > +GIT_VERSION = 2.39.1 > GIT_SOURCE = git-$(GIT_VERSION).tar.xz > GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git > GIT_LICENSE = GPL-2.0, LGPL-2.1+ The package patches apply here (with fuzz), so you need to refresh these against v2.39.1: ---- >8 ---- diff --git a/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch b/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch index dbde87940a..cb6c3a6dbb 100644 --- a/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch 
+++ b/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch @@ -1,4 +1,4 @@ -From 385f67eb2254edb1fb4cf523e5e3d5a8f123d72c Mon Sep 17 00:00:00 2001 +From a70fa5257ee347fa3a21734b7066803064657445 Mon Sep 17 00:00:00 2001 From: Jeff King <peff@peff.net> Date: Wed, 30 Nov 2022 16:15:14 -0500 Subject: [PATCH] git-compat-util: avoid redefining system function names @@ -57,14 +57,14 @@ but without redeclaring the system function names. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> -[Bagas: cherry-picked from e0c08a4f738b3dea7a4e8fe3511c323cf1f41942 on next branch] +[Bagas: refresh against v2.39.1] Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com> --- git-compat-util.h | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/git-compat-util.h b/git-compat-util.h -index a76d0526f7..e3456bdd0d 100644 +index af05077560..f6882b9b50 100644 --- a/git-compat-util.h +++ b/git-compat-util.h @@ -341,11 +341,12 @@ struct itimerval { @@ -83,7 +83,7 @@ index a76d0526f7..e3456bdd0d 100644 #endif #ifndef NO_LIBGEN_H -@@ -1471,14 +1472,16 @@ int open_nofollow(const char *path, int flags); +@@ -1479,14 +1480,16 @@ int open_nofollow(const char *path, int flags); #endif #ifndef _POSIX_THREAD_SAFE_FUNCTIONS diff --git a/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch b/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch index 9e3c9b662c..9a9d2362b0 100644 --- a/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch +++ b/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch @@ -1,4 +1,4 @@ -From 6d406390b870fdb2cd9d18b12ebfabc12f5096df Mon Sep 17 00:00:00 2001 +From 1528273a611e331bfce4da1d4fb0f76d9463ab02 Mon Sep 17 00:00:00 2001 From: Jeff King <peff@peff.net> Date: Fri, 2 Dec 2022 06:05:38 -0500 Subject: [PATCH] git-compat-util: undefine system names before redeclaring 
@@ -22,14 +22,14 @@ defensive about the other macro wrappers added in the previous patch. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> -[Bagas: cherry-picked from e1a95b78d8a26762ea04332de8b7c3878da51522 on next branch] +[Bagas: refresh against v2.39.1] Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com> --- git-compat-util.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/git-compat-util.h b/git-compat-util.h -index e3456bdd0d..211861da0f 100644 +index f6882b9b50..dadb9e55cb 100644 --- a/git-compat-util.h +++ b/git-compat-util.h @@ -346,6 +346,7 @@ static inline int git_setitimer(int which, @@ -40,7 +40,7 @@ index e3456bdd0d..211861da0f 100644 #define setitimer(which,value,ovalue) git_setitimer(which,value,ovalue) #endif -@@ -1480,6 +1481,9 @@ static inline void git_funlockfile(FILE *fh) +@@ -1488,6 +1489,9 @@ static inline void git_funlockfile(FILE *fh) { ; /* nothing */ } When the refresh is applied, don't forget to add: Co-developed-by: Bagas Sanjaya <bagasdotme@gmail.com> Thanks.
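Review bot: in the header hunks of both refreshed patches, replacing "[Bagas: cherry-picked from e0c08a4f738b3dea7a4e8fe3511c323cf1f41942 on next branch]" (and the matching e1a95b78d8a26762ea04332de8b7c3878da51522 line in 0002) with "[Bagas: refresh against v2.39.1]" drops the only reference to the upstream commit each patch was taken from. Keep the cherry-picked-from line and add the refresh note below it, so each out-of-tree patch can still be matched to its upstream commit and dropped once a release contains it.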
Hello *, On Thu, 19 Jan 2023 15:10:04 +0700, Bagas Sanjaya <bagasdotme@gmail.com> wrote: > On Wed, Jan 18, 2023 at 10:35:17PM +0100, Peter Seiderer wrote: > > - fixes CVE-2022-41903 and CVE-2022-23521 > > > > For details see [1]. > > > > [1] https://lore.kernel.org/git/xmqq7cxl9h0i.fsf@gitster.g/ > > > > Ah! I'm about to submit the same bump. My bump builds fine, so I think > it is also applicable to yours. > > Tested-by: Bagas Sanjaya <bagasdotme@gmail.com> Thanks for confirmation... > > > Signed-off-by: Peter Seiderer <ps.report@gmx.net> > > --- > > package/git/git.hash | 2 +- > > package/git/git.mk | 2 +- > > 2 files changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/package/git/git.hash b/package/git/git.hash > > index 57a77b2810..75398896e5 100644 > > --- a/package/git/git.hash > > +++ b/package/git/git.hash > > @@ -1,5 +1,5 @@ > > # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc > > -sha256 ba199b13fb5a99ca3dec917b0bd736bc0eb5a9df87737d435eddfdf10d69265b git-2.39.0.tar.xz > > +sha256 40a38a0847b30c371b35873b3afcf123885dd41ea3ecbbf510efa97f3ce5c161 git-2.39.1.tar.xz > > # Locally calculated > > sha256 5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e COPYING > > sha256 1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a LGPL-2.1 > > diff --git a/package/git/git.mk b/package/git/git.mk > > index 9918d4c1ef..1d728e1964 100644 > > --- a/package/git/git.mk > > +++ b/package/git/git.mk > > @@ -4,7 +4,7 @@ > > # > > ################################################################################ > > > > -GIT_VERSION = 2.39.0 > > +GIT_VERSION = 2.39.1 > > GIT_SOURCE = git-$(GIT_VERSION).tar.xz > > GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git > > GIT_LICENSE = GPL-2.0, LGPL-2.1+ > > The package patches apply here (with fuzz), so you need to refresh these > against v2.39.1: Matter of taste (?), but for my taste unneeded code churn... as long as the patches apply unchanged... Regards, Peter > > ---- >8 ---- 
> diff --git a/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch b/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch > index dbde87940a..cb6c3a6dbb 100644 > --- a/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch > +++ b/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch > @@ -1,4 +1,4 @@ > -From 385f67eb2254edb1fb4cf523e5e3d5a8f123d72c Mon Sep 17 00:00:00 2001 > +From a70fa5257ee347fa3a21734b7066803064657445 Mon Sep 17 00:00:00 2001 > From: Jeff King <peff@peff.net> > Date: Wed, 30 Nov 2022 16:15:14 -0500 > Subject: [PATCH] git-compat-util: avoid redefining system function names > @@ -57,14 +57,14 @@ but without redeclaring the system function names. > > Signed-off-by: Jeff King <peff@peff.net> > Signed-off-by: Junio C Hamano <gitster@pobox.com> > -[Bagas: cherry-picked from e0c08a4f738b3dea7a4e8fe3511c323cf1f41942 on next branch] > +[Bagas: refresh against v2.39.1] > Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com> > --- > git-compat-util.h | 13 ++++++++----- > 1 file changed, 8 insertions(+), 5 deletions(-) > > diff --git a/git-compat-util.h b/git-compat-util.h > -index a76d0526f7..e3456bdd0d 100644 > +index af05077560..f6882b9b50 100644 > --- a/git-compat-util.h > +++ b/git-compat-util.h > @@ -341,11 +341,12 @@ struct itimerval { > @@ -83,7 +83,7 @@ index a76d0526f7..e3456bdd0d 100644 > #endif > > #ifndef NO_LIBGEN_H > -@@ -1471,14 +1472,16 @@ int open_nofollow(const char *path, int flags); > +@@ -1479,14 +1480,16 @@ int open_nofollow(const char *path, int flags); > #endif > > #ifndef _POSIX_THREAD_SAFE_FUNCTIONS > diff --git a/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch b/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch > index 9e3c9b662c..9a9d2362b0 100644 > --- a/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch 
> +++ b/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch > @@ -1,4 +1,4 @@ > -From 6d406390b870fdb2cd9d18b12ebfabc12f5096df Mon Sep 17 00:00:00 2001 > +From 1528273a611e331bfce4da1d4fb0f76d9463ab02 Mon Sep 17 00:00:00 2001 > From: Jeff King <peff@peff.net> > Date: Fri, 2 Dec 2022 06:05:38 -0500 > Subject: [PATCH] git-compat-util: undefine system names before redeclaring > @@ -22,14 +22,14 @@ defensive about the other macro wrappers added in the previous patch. > > Signed-off-by: Jeff King <peff@peff.net> > Signed-off-by: Junio C Hamano <gitster@pobox.com> > -[Bagas: cherry-picked from e1a95b78d8a26762ea04332de8b7c3878da51522 on next branch] > +[Bagas: refresh against v2.39.1] > Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com> > --- > git-compat-util.h | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/git-compat-util.h b/git-compat-util.h > -index e3456bdd0d..211861da0f 100644 > +index f6882b9b50..dadb9e55cb 100644 > --- a/git-compat-util.h > +++ b/git-compat-util.h > @@ -346,6 +346,7 @@ static inline int git_setitimer(int which, > @@ -40,7 +40,7 @@ index e3456bdd0d..211861da0f 100644 > #define setitimer(which,value,ovalue) git_setitimer(which,value,ovalue) > #endif > > -@@ -1480,6 +1481,9 @@ static inline void git_funlockfile(FILE *fh) > +@@ -1488,6 +1489,9 @@ static inline void git_funlockfile(FILE *fh) > { > ; /* nothing */ > } > > When the refresh is applied, don't forget to add: > > Co-developed-by: Bagas Sanjaya <bagasdotme@gmail.com> > > Thanks. >
On 1/20/23 03:42, Peter Seiderer wrote: > Hello *, > > On Thu, 19 Jan 2023 15:10:04 +0700, Bagas Sanjaya <bagasdotme@gmail.com> wrote: > >> On Wed, Jan 18, 2023 at 10:35:17PM +0100, Peter Seiderer wrote: >>> - fixes CVE-2022-41903 and CVE-2022-23521 >>> >>> For details see [1]. >>> >>> [1] https://lore.kernel.org/git/xmqq7cxl9h0i.fsf@gitster.g/ >>> >> >> Ah! I'm about to submit the same bump. My bump builds fine, so I think >> it is also applicable to yours. >> >> Tested-by: Bagas Sanjaya <bagasdotme@gmail.com> > > Thanks for confirmation... > >> >>> Signed-off-by: Peter Seiderer <ps.report@gmx.net> >>> --- >>> package/git/git.hash | 2 +- >>> package/git/git.mk | 2 +- >>> 2 files changed, 2 insertions(+), 2 deletions(-) >>> >>> diff --git a/package/git/git.hash b/package/git/git.hash >>> index 57a77b2810..75398896e5 100644 >>> --- a/package/git/git.hash >>> +++ b/package/git/git.hash >>> @@ -1,5 +1,5 @@ >>> # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc >>> -sha256 ba199b13fb5a99ca3dec917b0bd736bc0eb5a9df87737d435eddfdf10d69265b git-2.39.0.tar.xz >>> +sha256 40a38a0847b30c371b35873b3afcf123885dd41ea3ecbbf510efa97f3ce5c161 git-2.39.1.tar.xz >>> # Locally calculated >>> sha256 5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e COPYING >>> sha256 1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a LGPL-2.1 >>> diff --git a/package/git/git.mk b/package/git/git.mk >>> index 9918d4c1ef..1d728e1964 100644 >>> --- a/package/git/git.mk >>> +++ b/package/git/git.mk 
>>> @@ -4,7 +4,7 @@ >>> # >>> ################################################################################ >>> >>> -GIT_VERSION = 2.39.0 >>> +GIT_VERSION = 2.39.1 >>> GIT_SOURCE = git-$(GIT_VERSION).tar.xz >>> GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git >>> GIT_LICENSE = GPL-2.0, LGPL-2.1+ >> >> The package patches apply here (with fuzz), so you need to refresh these >> against v2.39.1: > > Matter of taste (?), but for my taste unneeded code churn... as long as the > patches apply unchanged... > The fuzziness when applying the patch is due to commit 48050c42c7 (pretty: fix integer overflow in wrapping format, 2022-12-01). IMO, in any case, when a new upstream version is released, any out-of-tree patches (like ones Buildroot ship) should be refreshed in order for them to be applied cleanly. Thanks.
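The difference between a patch that applies unchanged, at an offset, or only with fuzz, as an added example that is not part of the thread or of Buildroot's tooling. It is a simplified model of GNU patch's behaviour (try every offset with full context first, then ignore outer context lines one fuzz level at a time); the sample file, the hunk and all function names are constructed for illustration.

```python
import re

HUNK_HEADER = re.compile(r"^@@ -(\d+)(?:,\d+)? \+\d+(?:,\d+)? @@")

def old_side(hunk):
    """Return (1-based start line, [(tag, text)]) for the pre-image of one hunk."""
    header, *body = hunk.splitlines()
    start = int(HUNK_HEADER.match(header).group(1))
    return start, [(l[0], l[1:]) for l in body if l[:1] in (" ", "-")]

def edge_context(old):
    """Count the unchanged context lines at the top and bottom of the hunk."""
    tags = [tag for tag, _ in old]
    lead = next((i for i, t in enumerate(tags) if t != " "), len(tags))
    trail = next((i for i, t in enumerate(reversed(tags)) if t != " "), len(tags))
    return lead, trail

def classify(target, hunk, max_fuzz=2):
    """Say how one hunk would land on `target` (a list of lines).

    Returns (kind, fuzz, offset) with kind in clean/offset/fuzz/reject.
    """
    start, old = old_side(hunk)
    lead, trail = edge_context(old)
    for fuzz in range(max_fuzz + 1):
        # At fuzz N, up to N context lines are ignored at each end of the hunk.
        lo, hi = min(fuzz, lead), min(fuzz, trail)
        want = [text for _, text in old[lo:len(old) - hi]]
        expected = start - 1 + lo
        hits = [i for i in range(len(target) - len(want) + 1)
                if target[i:i + len(want)] == want]
        if hits:
            offset = min(hits, key=lambda i: abs(i - expected)) - expected
            if fuzz:
                return ("fuzz", fuzz, offset)
            return ("offset", 0, offset) if offset else ("clean", 0, 0)
    return ("reject", None, None)

# Constructed sample: a ten-line file and one hunk that edits line 5.
BASE = [f"line {n}" for n in range(1, 11)]
HUNK = "\n".join(["@@ -3,5 +3,5 @@", " line 3", " line 4",
                  "-line 5", "+line five", " line 6", " line 7"])

if __name__ == "__main__":
    moved = ["new a", "new b"] + BASE                 # lines added above the hunk
    touched = BASE[:2] + ["line 3 changed"] + BASE[3:]  # outer context line edited
    for name, tree in (("base", BASE), ("moved", moved), ("touched", touched)):
        print(name, classify(tree, HUNK))
```

An offset result means the full context still matched at a different line number; a fuzz result means context lines had to be ignored, which is the case where a refresh shows what actually changed around the patched code.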
>>>>> "Peter" == Peter Seiderer <ps.report@gmx.net> writes: > - fixes CVE-2022-41903 and CVE-2022-23521 > For details see [1]. > [1] https://lore.kernel.org/git/xmqq7cxl9h0i.fsf@gitster.g/ > Signed-off-by: Peter Seiderer <ps.report@gmx.net> Committed after adjusting the summary to make it clear that this is a security bump, thanks.
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: >>>>> "Peter" == Peter Seiderer <ps.report@gmx.net> writes: >> - fixes CVE-2022-41903 and CVE-2022-23521 >> For details see [1]. >> [1] https://lore.kernel.org/git/xmqq7cxl9h0i.fsf@gitster.g/ >> Signed-off-by: Peter Seiderer <ps.report@gmx.net> > Committed after adjusting the summary to make it clear that this is a > security bump, thanks. For 2022.02.x / 2022.11.x I have instead bumped to 2.31.6, which contains the same security fixes.
diff --git a/package/git/git.hash b/package/git/git.hash index 57a77b2810..75398896e5 100644 --- a/package/git/git.hash +++ b/package/git/git.hash @@ -1,5 +1,5 @@ # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc -sha256 ba199b13fb5a99ca3dec917b0bd736bc0eb5a9df87737d435eddfdf10d69265b git-2.39.0.tar.xz +sha256 40a38a0847b30c371b35873b3afcf123885dd41ea3ecbbf510efa97f3ce5c161 git-2.39.1.tar.xz # Locally calculated sha256 5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e COPYING sha256 1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a LGPL-2.1 diff --git a/package/git/git.mk b/package/git/git.mk index 9918d4c1ef..1d728e1964 100644 --- a/package/git/git.mk +++ b/package/git/git.mk @@ -4,7 +4,7 @@ # ################################################################################ -GIT_VERSION = 2.39.0 +GIT_VERSION = 2.39.1 GIT_SOURCE = git-$(GIT_VERSION).tar.xz GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git GIT_LICENSE = GPL-2.0, LGPL-2.1+
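Review bot: in the package/git/git.hash hunk, the new git-2.39.1.tar.xz sha256 sits under the existing "# From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc" comment, but neither the hunk nor the commit message says that the signature on that file was checked before the value was copied. Say so in the commit message, or note how the hash was obtained, so the value can be traced back to the signed upstream list.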
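Review bot: the GIT_VERSION change in package/git/git.mk carries fixes for CVE-2022-41903 and CVE-2022-23521 according to the commit message, yet the subject reads only "bump version to 2.39.1"; mark it as a security bump in the summary so it stands out when fixes are selected for the maintained branches. The patch also leaves the two local patches under package/git/ (0001-git-compat-util-avoid-redefining-system-function-nam.patch and 0002-git-compat-util-undefine-system-names-before-redecla.patch) untouched, so state in the commit message whether they still apply to 2.39.1.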
- fixes CVE-2022-41903 and CVE-2022-23521 For details see [1]. [1] https://lore.kernel.org/git/xmqq7cxl9h0i.fsf@gitster.g/ Signed-off-by: Peter Seiderer <ps.report@gmx.net> --- package/git/git.hash | 2 +- package/git/git.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)