
[v1] package/git: bump version to 2.39.1

Message ID 20230118213517.5946-1-ps.report@gmx.net
State Accepted
Series [v1] package/git: bump version to 2.39.1

Commit Message

Peter Seiderer Jan. 18, 2023, 9:35 p.m. UTC
- fixes CVE-2022-41903 and CVE-2022-23521

For details see [1].

[1] https://lore.kernel.org/git/xmqq7cxl9h0i.fsf@gitster.g/

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
 package/git/git.hash | 2 +-
 package/git/git.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Bagas Sanjaya Jan. 19, 2023, 8:10 a.m. UTC | #1
On Wed, Jan 18, 2023 at 10:35:17PM +0100, Peter Seiderer wrote:
> - fixes CVE-2022-41903 and CVE-2022-23521
> 
> For details see [1].
> 
> [1] https://lore.kernel.org/git/xmqq7cxl9h0i.fsf@gitster.g/
> 

Ah! I'm about to submit the same bump. My bump builds fine, so I think
it is also applicable to yours.

Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>

> Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> ---
>  package/git/git.hash | 2 +-
>  package/git/git.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/git/git.hash b/package/git/git.hash
> index 57a77b2810..75398896e5 100644
> --- a/package/git/git.hash
> +++ b/package/git/git.hash
> @@ -1,5 +1,5 @@
>  # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc
> -sha256  ba199b13fb5a99ca3dec917b0bd736bc0eb5a9df87737d435eddfdf10d69265b  git-2.39.0.tar.xz
> +sha256  40a38a0847b30c371b35873b3afcf123885dd41ea3ecbbf510efa97f3ce5c161  git-2.39.1.tar.xz
>  # Locally calculated
>  sha256  5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e  COPYING
>  sha256  1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a  LGPL-2.1
> diff --git a/package/git/git.mk b/package/git/git.mk
> index 9918d4c1ef..1d728e1964 100644
> --- a/package/git/git.mk
> +++ b/package/git/git.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -GIT_VERSION = 2.39.0
> +GIT_VERSION = 2.39.1
>  GIT_SOURCE = git-$(GIT_VERSION).tar.xz
>  GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git
>  GIT_LICENSE = GPL-2.0, LGPL-2.1+

The package patches apply here (with fuzz), so you need to refresh these
against v2.39.1:

---- >8 ----
diff --git a/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch b/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch
index dbde87940a..cb6c3a6dbb 100644
--- a/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch
+++ b/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch
@@ -1,4 +1,4 @@
-From 385f67eb2254edb1fb4cf523e5e3d5a8f123d72c Mon Sep 17 00:00:00 2001
+From a70fa5257ee347fa3a21734b7066803064657445 Mon Sep 17 00:00:00 2001
 From: Jeff King <peff@peff.net>
 Date: Wed, 30 Nov 2022 16:15:14 -0500
 Subject: [PATCH] git-compat-util: avoid redefining system function names
@@ -57,14 +57,14 @@ but without redeclaring the system function names.
 
 Signed-off-by: Jeff King <peff@peff.net>
 Signed-off-by: Junio C Hamano <gitster@pobox.com>
-[Bagas: cherry-picked from e0c08a4f738b3dea7a4e8fe3511c323cf1f41942 on next branch]
+[Bagas: refresh against v2.39.1]
 Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
 ---
  git-compat-util.h | 13 ++++++++-----
  1 file changed, 8 insertions(+), 5 deletions(-)
 
 diff --git a/git-compat-util.h b/git-compat-util.h
-index a76d0526f7..e3456bdd0d 100644
+index af05077560..f6882b9b50 100644
 --- a/git-compat-util.h
 +++ b/git-compat-util.h
 @@ -341,11 +341,12 @@ struct itimerval {
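Review bot: in the 0001 refresh, replacing `[Bagas: cherry-picked from e0c08a4f738b3dea7a4e8fe3511c323cf1f41942 on next branch]` with `[Bagas: refresh against v2.39.1]` drops the only reference to the upstream commit the backport was taken from; keep the cherry-pick line and add the refresh note beneath it so the patch's provenance stays auditable. The same substitution appears in the 0002 refresh further down.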
@@ -83,7 +83,7 @@ index a76d0526f7..e3456bdd0d 100644
  #endif
  
  #ifndef NO_LIBGEN_H
-@@ -1471,14 +1472,16 @@ int open_nofollow(const char *path, int flags);
+@@ -1479,14 +1480,16 @@ int open_nofollow(const char *path, int flags);
  #endif
  
  #ifndef _POSIX_THREAD_SAFE_FUNCTIONS
diff --git a/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch b/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch
index 9e3c9b662c..9a9d2362b0 100644
--- a/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch
+++ b/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch
@@ -1,4 +1,4 @@
-From 6d406390b870fdb2cd9d18b12ebfabc12f5096df Mon Sep 17 00:00:00 2001
+From 1528273a611e331bfce4da1d4fb0f76d9463ab02 Mon Sep 17 00:00:00 2001
 From: Jeff King <peff@peff.net>
 Date: Fri, 2 Dec 2022 06:05:38 -0500
 Subject: [PATCH] git-compat-util: undefine system names before redeclaring
@@ -22,14 +22,14 @@ defensive about the other macro wrappers added in the previous patch.
 
 Signed-off-by: Jeff King <peff@peff.net>
 Signed-off-by: Junio C Hamano <gitster@pobox.com>
-[Bagas: cherry-picked from e1a95b78d8a26762ea04332de8b7c3878da51522 on next branch]
+[Bagas: refresh against v2.39.1]
 Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
 ---
  git-compat-util.h | 4 ++++
  1 file changed, 4 insertions(+)
 
 diff --git a/git-compat-util.h b/git-compat-util.h
-index e3456bdd0d..211861da0f 100644
+index f6882b9b50..dadb9e55cb 100644
 --- a/git-compat-util.h
 +++ b/git-compat-util.h
 @@ -346,6 +346,7 @@ static inline int git_setitimer(int which,
@@ -40,7 +40,7 @@ index e3456bdd0d..211861da0f 100644
  #define setitimer(which,value,ovalue) git_setitimer(which,value,ovalue)
  #endif
  
-@@ -1480,6 +1481,9 @@ static inline void git_funlockfile(FILE *fh)
+@@ -1488,6 +1489,9 @@ static inline void git_funlockfile(FILE *fh)
  {
  	; /* nothing */
  }

When the refresh is applied, don't forget to add:

Co-developed-by: Bagas Sanjaya <bagasdotme@gmail.com>

Thanks.
Peter Seiderer Jan. 19, 2023, 8:42 p.m. UTC | #2
Hello *,

On Thu, 19 Jan 2023 15:10:04 +0700, Bagas Sanjaya <bagasdotme@gmail.com> wrote:

> On Wed, Jan 18, 2023 at 10:35:17PM +0100, Peter Seiderer wrote:
> > - fixes CVE-2022-41903 and CVE-2022-23521
> >
> > For details see [1].
> >
> > [1] https://lore.kernel.org/git/xmqq7cxl9h0i.fsf@gitster.g/
> >
>
> Ah! I'm about to submit the same bump. My bump builds fine, so I think
> it is also applicable to yours.
>
> Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>

Thanks for confirmation...

>
> > Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> > ---
> >  package/git/git.hash | 2 +-
> >  package/git/git.mk   | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/package/git/git.hash b/package/git/git.hash
> > index 57a77b2810..75398896e5 100644
> > --- a/package/git/git.hash
> > +++ b/package/git/git.hash
> > @@ -1,5 +1,5 @@
> >  # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc
> > -sha256  ba199b13fb5a99ca3dec917b0bd736bc0eb5a9df87737d435eddfdf10d69265b  git-2.39.0.tar.xz
> > +sha256  40a38a0847b30c371b35873b3afcf123885dd41ea3ecbbf510efa97f3ce5c161  git-2.39.1.tar.xz
> >  # Locally calculated
> >  sha256  5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e  COPYING
> >  sha256  1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a  LGPL-2.1
> > diff --git a/package/git/git.mk b/package/git/git.mk
> > index 9918d4c1ef..1d728e1964 100644
> > --- a/package/git/git.mk
> > +++ b/package/git/git.mk
> > @@ -4,7 +4,7 @@
> >  #
> >  ################################################################################
> >
> > -GIT_VERSION = 2.39.0
> > +GIT_VERSION = 2.39.1
> >  GIT_SOURCE = git-$(GIT_VERSION).tar.xz
> >  GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git
> >  GIT_LICENSE = GPL-2.0, LGPL-2.1+
>
> The package patches apply here (with fuzz), so you need to refresh these
> against v2.39.1:

Matter of taste (?), but for my taste unneeded code churn... as long as the
patches apply unchanged...

Regards,
Peter


>
> ---- >8 ----
> diff --git a/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch b/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch
> index dbde87940a..cb6c3a6dbb 100644
> --- a/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch
> +++ b/package/git/0001-git-compat-util-avoid-redefining-system-function-nam.patch
> @@ -1,4 +1,4 @@
> -From 385f67eb2254edb1fb4cf523e5e3d5a8f123d72c Mon Sep 17 00:00:00 2001
> +From a70fa5257ee347fa3a21734b7066803064657445 Mon Sep 17 00:00:00 2001
>  From: Jeff King <peff@peff.net>
>  Date: Wed, 30 Nov 2022 16:15:14 -0500
>  Subject: [PATCH] git-compat-util: avoid redefining system function names
> @@ -57,14 +57,14 @@ but without redeclaring the system function names.
>
>  Signed-off-by: Jeff King <peff@peff.net>
>  Signed-off-by: Junio C Hamano <gitster@pobox.com>
> -[Bagas: cherry-picked from e0c08a4f738b3dea7a4e8fe3511c323cf1f41942 on next branch]
> +[Bagas: refresh against v2.39.1]
>  Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
>  ---
>   git-compat-util.h | 13 ++++++++-----
>   1 file changed, 8 insertions(+), 5 deletions(-)
>
>  diff --git a/git-compat-util.h b/git-compat-util.h
> -index a76d0526f7..e3456bdd0d 100644
> +index af05077560..f6882b9b50 100644
>  --- a/git-compat-util.h
>  +++ b/git-compat-util.h
>  @@ -341,11 +341,12 @@ struct itimerval {
> @@ -83,7 +83,7 @@ index a76d0526f7..e3456bdd0d 100644
>   #endif
>
>   #ifndef NO_LIBGEN_H
> -@@ -1471,14 +1472,16 @@ int open_nofollow(const char *path, int flags);
> +@@ -1479,14 +1480,16 @@ int open_nofollow(const char *path, int flags);
>   #endif
>
>   #ifndef _POSIX_THREAD_SAFE_FUNCTIONS
> diff --git a/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch b/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch
> index 9e3c9b662c..9a9d2362b0 100644
> --- a/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch
> +++ b/package/git/0002-git-compat-util-undefine-system-names-before-redecla.patch
> @@ -1,4 +1,4 @@
> -From 6d406390b870fdb2cd9d18b12ebfabc12f5096df Mon Sep 17 00:00:00 2001
> +From 1528273a611e331bfce4da1d4fb0f76d9463ab02 Mon Sep 17 00:00:00 2001
>  From: Jeff King <peff@peff.net>
>  Date: Fri, 2 Dec 2022 06:05:38 -0500
>  Subject: [PATCH] git-compat-util: undefine system names before redeclaring
> @@ -22,14 +22,14 @@ defensive about the other macro wrappers added in the previous patch.
>
>  Signed-off-by: Jeff King <peff@peff.net>
>  Signed-off-by: Junio C Hamano <gitster@pobox.com>
> -[Bagas: cherry-picked from e1a95b78d8a26762ea04332de8b7c3878da51522 on next branch]
> +[Bagas: refresh against v2.39.1]
>  Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
>  ---
>   git-compat-util.h | 4 ++++
>   1 file changed, 4 insertions(+)
>
>  diff --git a/git-compat-util.h b/git-compat-util.h
> -index e3456bdd0d..211861da0f 100644
> +index f6882b9b50..dadb9e55cb 100644
>  --- a/git-compat-util.h
>  +++ b/git-compat-util.h
>  @@ -346,6 +346,7 @@ static inline int git_setitimer(int which,
> @@ -40,7 +40,7 @@ index e3456bdd0d..211861da0f 100644
>   #define setitimer(which,value,ovalue) git_setitimer(which,value,ovalue)
>   #endif
>
> -@@ -1480,6 +1481,9 @@ static inline void git_funlockfile(FILE *fh)
> +@@ -1488,6 +1489,9 @@ static inline void git_funlockfile(FILE *fh)
>   {
>   	; /* nothing */
>   }
>
> When the refresh is applied, don't forget to add:
>
> Co-developed-by: Bagas Sanjaya <bagasdotme@gmail.com>
>
> Thanks.
>
Bagas Sanjaya Jan. 20, 2023, 2:41 a.m. UTC | #3
On 1/20/23 03:42, Peter Seiderer wrote:
> Hello *,
> 
> On Thu, 19 Jan 2023 15:10:04 +0700, Bagas Sanjaya <bagasdotme@gmail.com> wrote:
> 
>> On Wed, Jan 18, 2023 at 10:35:17PM +0100, Peter Seiderer wrote:
>>> - fixes CVE-2022-41903 and CVE-2022-23521
>>>
>>> For details see [1].
>>>
>>> [1] https://lore.kernel.org/git/xmqq7cxl9h0i.fsf@gitster.g/
>>>
>>
>> Ah! I'm about to submit the same bump. My bump builds fine, so I think
>> it is also applicable to yours.
>>
>> Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>
> 
> Thanks for confirmation...
> 
>>
>>> Signed-off-by: Peter Seiderer <ps.report@gmx.net>
>>> ---
>>>  package/git/git.hash | 2 +-
>>>  package/git/git.mk   | 2 +-
>>>  2 files changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/package/git/git.hash b/package/git/git.hash
>>> index 57a77b2810..75398896e5 100644
>>> --- a/package/git/git.hash
>>> +++ b/package/git/git.hash
>>> @@ -1,5 +1,5 @@
>>>  # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc
>>> -sha256  ba199b13fb5a99ca3dec917b0bd736bc0eb5a9df87737d435eddfdf10d69265b  git-2.39.0.tar.xz
>>> +sha256  40a38a0847b30c371b35873b3afcf123885dd41ea3ecbbf510efa97f3ce5c161  git-2.39.1.tar.xz
>>>  # Locally calculated
>>>  sha256  5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e  COPYING
>>>  sha256  1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a  LGPL-2.1
>>> diff --git a/package/git/git.mk b/package/git/git.mk
>>> index 9918d4c1ef..1d728e1964 100644
>>> --- a/package/git/git.mk
>>> +++ b/package/git/git.mk
>>> @@ -4,7 +4,7 @@
>>>  #
>>>  ################################################################################
>>>
>>> -GIT_VERSION = 2.39.0
>>> +GIT_VERSION = 2.39.1
>>>  GIT_SOURCE = git-$(GIT_VERSION).tar.xz
>>>  GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git
>>>  GIT_LICENSE = GPL-2.0, LGPL-2.1+
>>
>> The package patches apply here (with fuzz), so you need to refresh these
>> against v2.39.1:
> 
> Matter of taste (?), but for my taste unneeded code churn... as long as the
> patches apply unchanged...
> 

The fuzziness when applying the patch is due to commit 48050c42c7 (pretty:
fix integer overflow in wrapping format, 2022-12-01).

IMO, in any case, when a new upstream version is released, any out-of-tree
patches (like the ones Buildroot ships) should be refreshed in order for them
to be applied cleanly.

Thanks.
Peter Korsgaard Jan. 20, 2023, 7:51 a.m. UTC | #4
>>>>> "Peter" == Peter Seiderer <ps.report@gmx.net> writes:

 > - fixes CVE-2022-41903 and CVE-2022-23521
 > For details see [1].

 > [1] https://lore.kernel.org/git/xmqq7cxl9h0i.fsf@gitster.g/

 > Signed-off-by: Peter Seiderer <ps.report@gmx.net>

Committed after adjusting the summary to make it clear that this is a
security bump, thanks.
Peter Korsgaard Feb. 5, 2023, 12:07 p.m. UTC | #5
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

>>>>> "Peter" == Peter Seiderer <ps.report@gmx.net> writes:
 >> - fixes CVE-2022-41903 and CVE-2022-23521
 >> For details see [1].

 >> [1] https://lore.kernel.org/git/xmqq7cxl9h0i.fsf@gitster.g/

 >> Signed-off-by: Peter Seiderer <ps.report@gmx.net>

 > Committed after adjusting the summary to make it clear that this is a
 > security bump, thanks.

For 2022.02.x / 2022.11.x I have instead bumped to 2.31.6, which
contains the same security fixes.

Patch

diff --git a/package/git/git.hash b/package/git/git.hash
index 57a77b2810..75398896e5 100644
--- a/package/git/git.hash
+++ b/package/git/git.hash
@@ -1,5 +1,5 @@ 
 # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc
-sha256  ba199b13fb5a99ca3dec917b0bd736bc0eb5a9df87737d435eddfdf10d69265b  git-2.39.0.tar.xz
+sha256  40a38a0847b30c371b35873b3afcf123885dd41ea3ecbbf510efa97f3ce5c161  git-2.39.1.tar.xz
 # Locally calculated
 sha256  5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e  COPYING
 sha256  1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a  LGPL-2.1
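Review bot: the new sha256 for git-2.39.1.tar.xz sits under the retained `# From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc` comment, so its trust rests on that signed file; the commit message should state that the signature on sha256sums.asc was verified before the value was copied, since a checksum taken from an unverified download only proves the tarball matches whatever the mirror served.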
diff --git a/package/git/git.mk b/package/git/git.mk
index 9918d4c1ef..1d728e1964 100644
--- a/package/git/git.mk
+++ b/package/git/git.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-GIT_VERSION = 2.39.0
+GIT_VERSION = 2.39.1
 GIT_SOURCE = git-$(GIT_VERSION).tar.xz
 GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git
 GIT_LICENSE = GPL-2.0, LGPL-2.1+
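Review bot: the subject `package/git: bump version to 2.39.1` does not flag this as a security bump even though the commit message names CVE-2022-41903 and CVE-2022-23521; suggest `package/git: security bump to version 2.39.1` so the fix is visible in the shortlog. The message should also say that the existing package/git/0001-* and 0002-* patches were left untouched, given the thread reports they apply to 2.39.1 only with fuzz.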