From patchwork Wed Dec 11 11:18:36 2019
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 1207604
From: Peter Korsgaard
To: buildroot@buildroot.org
Date: Wed, 11 Dec 2019 12:18:36 +0100
Message-Id: <20191211111836.25423-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH] package/git: security bump to version 2.24.1
List-Id: Discussion and development of buildroot

Fixes the following security vulnerabilities:

* CVE-2019-1348: The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths.
* CVE-2019-1349: When submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice. We now require the directory to be empty.
* CVE-2019-1350: Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone in conjunction with SSH URLs.
* CVE-2019-1351: While the only permitted drive letters for physical drives on Windows are letters of the US-English alphabet, this restriction does not apply to virtual drives assigned via subst : . Git mistook such paths for relative paths, allowing writing outside of the worktree while cloning.
* CVE-2019-1352: Git was unaware of NTFS Alternate Data Streams, allowing files inside the .git/ directory to be overwritten during a clone.
* CVE-2019-1353: When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.
* CVE-2019-1354: Filenames on Linux/Unix can contain backslashes. On Windows, backslashes are directory separators. Git did not use to refuse to write out tracked files with such filenames.
* CVE-2019-1387: Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones. Signed-off-by: Peter Korsgaard --- package/git/git.hash | 2 +- package/git/git.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/git/git.hash b/package/git/git.hash index 40cd8a169f..74bf334b78 100644 --- a/package/git/git.hash +++ b/package/git/git.hash @@ -1,4 +1,4 @@ # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc -sha256 9f71d61973626d8b28c4cdf8e2484b4bf13870ed643fed982d68b2cfd754371b git-2.24.0.tar.xz +sha256 723f24dce8fdd621a308b6187553fce7d5244205c065fe0a3aebd0b7c3f88562 git-2.24.1.tar.xz sha256 5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e COPYING sha256 1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a LGPL-2.1 diff --git a/package/git/git.mk b/package/git/git.mk index 4fec24bf27..a5c8669fc9 100644 --- a/package/git/git.mk +++ b/package/git/git.mk @@ -4,7 +4,7 @@ # ################################################################################ -GIT_VERSION = 2.24.0 +GIT_VERSION = 2.24.1 GIT_SOURCE = git-$(GIT_VERSION).tar.xz GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git GIT_LICENSE = GPL-2.0, LGPL-2.1+
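Review bot: the git.hash hunk cites the new sha256 for git-2.24.1.tar.xz from https://www.kernel.org/pub/software/scm/git/sha256sums.asc (the comment line kept at the top of the hunk); that file is a PGP-signed document, so the pinned hash is only as trustworthy as the signature check performed before copying it. Suggest stating in the commit message that the .asc signature was verified against the upstream key, or that the value was cross-checked against a locally downloaded tarball, so reviewers need not repeat the step. Leaving the COPYING and LGPL-2.1 hashes untouched is correct for a point release.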
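Review bot: nothing to change in the git.mk hunk itself, but note that GIT_SITE is built from $(BR2_KERNEL_MIRROR) rather than a fixed host, so the sha256 line in git.hash is the only integrity guarantee on whatever mirror serves git-2.24.1.tar.xz; the version bump and the hash update therefore have to land as one commit (as they do here), and a partial backport of only the GIT_VERSION line would break the download with a hash mismatch rather than silently accept an unverified tarball.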
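Several of the CVEs in the commit message (CVE-2019-1352, CVE-2019-1354, and the .git/ overwrite theme behind CVE-2019-1351 and CVE-2019-1353) come down to tracked paths that are harmless on a Unix file system but mean something else on Windows or NTFS: a backslash becomes a directory separator, `name:stream` addresses an NTFS Alternate Data Stream, and either trick can land a write inside `.git/`. The following is an added, illustrative checker written for this page; it is not Git's own validation logic and not part of Buildroot or of the patch above. It scans a list of repository paths (the kind `git ls-tree -r --name-only` prints; the sample list here is constructed) and reports which of those path classes each entry falls into, so a reviewer of a mirrored or vendored repository can spot them before a checkout on a Windows host. The function names `unsafe_path_reasons` and `scan_tree` are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample: what a tree listing of a suspicious repository might
# look like. These are example paths made up for this checker, not paths
# from any real repository or from the Git advisories themselves.
SAMPLE_TREE = [
    "src/main.c",
    "docs\\README.md",                    # backslash: a separator on Windows
    "notes:secret.txt",                   # NTFS alternate data stream syntax
    ".GIT/config",                        # .git spelled in another case
    ".git:hidden/hooks/post-checkout",    # ADS form that still names .git
    "assets/logo.png",
]

REASON_BACKSLASH = "backslash in path"
REASON_ADS = "colon (NTFS alternate data stream syntax)"
REASON_DOTGIT = "component names the .git directory"


def unsafe_path_reasons(path: str) -> List[str]:
    """Return the reasons a tracked path is dangerous to check out on an
    NTFS / case-insensitive file system; an empty list means none found."""
    reasons: List[str] = []

    if "\\" in path:
        # CVE-2019-1354 class: 'a\b' is one file on Unix but 'a/b' on Windows,
        # so the checkout location differs from what the tree says.
        reasons.append(REASON_BACKSLASH)

    if ":" in path:
        # CVE-2019-1352 class: on NTFS 'name:stream' writes to a data stream
        # of 'name' (or, with a drive-letter prefix, outside the worktree),
        # not to a file literally called 'name:stream'.
        reasons.append(REASON_ADS)

    # Split on both separators, as a Windows file system would see the path,
    # and compare each component case-insensitively (NTFS ignores case).
    for component in re.split(r"[\\/]", path):
        base = component.split(":", 1)[0]  # drop any ADS suffix first
        if base.lower() == ".git":
            reasons.append(REASON_DOTGIT)
            break

    return reasons


def scan_tree(paths: List[str]) -> Dict[str, List[str]]:
    """Map every flagged path to its list of reasons; clean paths are omitted."""
    return {p: unsafe_path_reasons(p) for p in paths if unsafe_path_reasons(p)}


if __name__ == "__main__":
    for flagged_path, why in scan_tree(SAMPLE_TREE).items():
        print(f"{flagged_path!r}: {', '.join(why)}")
```

In practice the input would be the real listing piped in from `git ls-tree -r --name-only HEAD`; the checker is deliberately stricter than Git needs to be (it flags every colon, for instance), because the point is to surface paths for a human to look at, not to reproduce the exact rules Git applies when writing a worktree.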