* bug#55399: guix system reconfigure fails on channel validation
From: André Batista @ 2022-05-13 15:21 UTC
To: 55399

Hello Guix!

Recently, I've not been able to reconfigure some of my guix systems because guix fails to forward validate the commits in between the current system deployment and the newer one. This appears to be related to the new libgit2 version 1.4.3[1][2], which addressed CVE 2022-24765, since there was no change to the related guix routines on the time lapse since the last deploy.

This is the error I'm getting:

$ sudo guix system --fallback -c 3 -M 3 reconfigure myconfig.scm
Backtrace:
19 (primitive-load "/home/user/.config/guix/current/bin/g?")
In guix/ui.scm:
2230:7 18 (run-guix . _)
2193:10 17 (run-guix-command _ . _)
In ice-9/boot-9.scm:
1752:10 16 (with-exception-handler _ _ #:unwind? _ # _)
In guix/status.scm:
829:3 15 (_)
809:4 14 (call-with-status-report _ _)
In guix/scripts/system.scm:
1253:4 13 (_)
In ice-9/boot-9.scm:
1752:10 12 (with-exception-handler _ _ #:unwind? _ # _)
In guix/store.scm:
658:37 11 (thunk)
1320:8 10 (call-with-build-handler #<procedure b445f18 at guix/u?> ?)
2129:25 9 (run-with-store #<store-connection 256.99 b0934d8> _ # _ ?)
In guix/scripts/system.scm:
1277:15 8 (_ _)
819:5 7 (perform-action reconfigure #<<image> name: #f format:?> ?)
In guix/scripts/system/reconfigure.scm:
345:3 6 (check-forward-update _ #:current-channels _)
In srfi/srfi-1.scm:
691:23 5 (filter-map #<procedure ba4c460 at guix/scripts/syst?> . #)
In guix/scripts/system/reconfigure.scm:
352:37 4 (_ #<<channel> name: guix url: "/src/guix.git" branch: ?>)
In guix/git.scm:
469:7 3 (update-cached-checkout _ #:ref _ #:recursive? _ # _ # _ ?)
In git/bindings.scm:
77:2 2 (raise-git-error _)
In ice-9/boot-9.scm:
1685:16 1 (raise-exception _ #:continuable? _)
1685:16 0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1685:16: In procedure raise-exception:
Git error: repository path '/src/guix.git/' is not owned by current user

-----

And these are the commits being compared:

$ guix system describe
Generation 214	May 06 2022 22:47:43	(current)
  file name: /var/guix/profiles/system-214-link
  canonical file name: /gnu/store/b0wrzz8sxqi9hywpqz29cm73l9adxjy9-system
  label: GNU with Linux-Libre-Atom 5.17.5
  bootloader: grub
  root device: label: "rootfs"
  kernel: /gnu/store/xmdskyk85sypr4wgf5iwg5iid08l4aiq-linux-libre-atom-5.17.5/bzImage
  channels:
    guix:
      repository URL: /src/guix.git
      branch: master
      commit: ee70ed5bf50e781a6a43985211aa763e28db62b9
  configuration file: /gnu/store/g653hksfz0iwnbpynaq2mx4nv7ayb7r7-configuration.scm

$ guix describe
Generation 200	May 12 2022 13:48:01	(current)
  guix a1cb645
    repository URL: /src/guix.git
    branch: master
    commit: a1cb645d83d085382eaf64f4c097642aa47c297a

Any thoughts?

1. https://github.com/libgit2/libgit2/blob/v1.4.3/docs/changelog.md
2. https://github.com/libgit2/libgit2/commit/0cc4a70db0942f65528f4877be14a6a987fe3c64
3. https://github.blog/2022-04-12-git-security-vulnerability-announced/
* bug#55399: guix system reconfigure fails on channel validation
From: Maxime Devos @ 2022-05-13 15:26 UTC
To: André Batista, 55399

André Batista wrote on Fri 13-05-2022 at 12:21 [-0300]:
> Any thoughts?

For now, let 'guile-git' use the libgit2-1.3 variant, look into relaxing the ‘is owned by’ check later?

Greetings,
Maxime
* bug#55399: guix system reconfigure fails on channel validation
From: Maxime Devos @ 2022-05-13 15:28 UTC
To: André Batista, 55399

André Batista wrote on Fri 13-05-2022 at 12:21 [-0300]:
> Any thoughts?

According to <https://github.com/libgit2/libgit2/pull/6267/commits/574b5ee7bb112987443916cdedcfc8e274121e9d>, the ownership check can be relaxed by setting an option. The guile-git library would need to be adjusted to support the option though.

Greetings,
Maxime.
* bug#55399: Temporary fix
From: André Batista @ 2022-05-18 17:38 UTC
To: Maxime Devos; +Cc: 55399

Hi Maxime!

Fri 13 May 2022 at 17:28:29 (1652473709), maximedevos@telenet.be sent:
> André Batista wrote on Fri 13-05-2022 at 12:21 [-0300]:
> > Any thoughts?
>
> According to
> <https://github.com/libgit2/libgit2/pull/6267/commits/574b5ee7bb112987443916cdedcfc8e274121e9d>,
> the ownership check can be relaxed by setting an option. The guile-git
> library would need to be adjusted to support the option though.

Thanks for your pointers. I've only had a substitute* hammer and this certainly seemed like a loose nail, so I've hammered my way through.

The patch below addresses the issue on the guix side only and it was applied/tested locally before b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab. So this later commit would need to be reverted, otherwise guix will not use the new libgit2 v1.4.3 anyway.

Anyway, the proper thing to do is to update guile-git, so I'll be opening an issue there.

Happy hacking!

[-- Attachment #2: guile-git.patch --]
[-- Type: text/plain, Size: 4245 bytes --]

From 370bf9bec714747244da00a7fd793da04c49c523 Mon Sep 17 00:00:00 2001
In-Reply-To: <c5a0381129feb0a20c4642ca97409e967471a537.camel@telenet.be>
References: <c5a0381129feb0a20c4642ca97409e967471a537.camel@telenet.be>
From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
Date: Tue, 17 May 2022 19:18:49 -0300
Subject: [PATCH] guix/git: Disable owner validation when updating cache.
To: 55399@debbugs.gnu.org
Cc: maximedevos@telenet.be
---
 gnu/packages/guile.scm | 40 +++++++++++++++++++++++++++++++++++++++-
 guix/git.scm           |  3 +++
 2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm index 9d58c8d4cd..b120f3eefe 100644 --- a/gnu/packages/guile.scm +++ b/gnu/packages/guile.scm @@ -816,6 +816,44 @@ (define-public guile-git (sha256 (base32 "11a51acibwi2hpaygmrpn6nwbr4lqalc87ihrgj3mhz6swbsk9n7")) + (modules '((guix build utils))) + (snippet + '(begin + (substitute* "git/settings.scm" + (("set-user-agent!))") + (string-append "set-user-agent!\n" + " set-owner-validation!))")) + (("GIT_OPT_ENABLE_STRICT_OBJECT_CREATION 14)" m) + (string-append m "\n" "(define GIT_OPT_ENABLE_STRICT_SYMBOLIC_REF_CREATION 15)")) + + (("(GIT_OPT_SET_SSL_CIPHERS).*" _ m) + (string-append m " 16)\n")) + + (("(GIT_OPT_GET_USER_AGENT).*" _ m) + (string-append m " 17)\n" + "(define GIT_OPT_ENABLE_OFS_DELTA 18)\n" + "(define GIT_OPT_ENABLE_FSYNC_GITDIR 19)\n" + "(define GIT_OPT_GET_WINDOWS_SHAREMODE 20)\n" + "(define GIT_OPT_SET_WINDOWS_SHAREMODE 21)\n" + "(define GIT_OPT_ENABLE_STRICT_HASH_VERIFICATION 22)\n" + "(define GIT_OPT_SET_ALLOCATOR 23)\n" + "(define GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY 24)\n" + "(define GIT_OPT_GET_PACK_MAX_OBJECTS 25)\n" + "(define GIT_OPT_SET_PACK_MAX_OBJECTS 26)\n" + "(define GIT_OPT_DISABLE_PACK_KEEP_FILE_CHECKS 27)\n" + "(define GIT_OPT_ENABLE_HTTP_EXPECT_CONTINUE 28)\n" + "(define GIT_OPT_GET_MWINDOW_FILE_LIMIT 29)\n" + "(define GIT_OPT_SET_MWINDOW_FILE_LIMIT 30)\n" + "(define GIT_OPT_SET_ODB_PACKED_PRIORITY 31)\n" + "(define GIT_OPT_SET_ODB_LOOSE_PRIORITY 32)\n" + "(define GIT_OPT_GET_EXTENSIONS 33)\n" + "(define GIT_OPT_SET_EXTENSIONS 34)\n" + "(define GIT_OPT_GET_OWNER_VALIDATION 35)\n" + "(define GIT_OPT_SET_OWNER_VALIDATION 36)\n\n" + "(define set-owner-validation!\n" + " (let ((proc (libgit2->procedure* \"git_libgit2_opts\" (list int int))))\n" + " (lambda* (owner-validation)\n" + " (proc GIT_OPT_SET_OWNER_VALIDATION owner-validation))))\n"))))) (patches (search-patches "guile-git-adjust-for-libgit2-1.2.0.patch")))) (build-system gnu-build-system) 
diff --git a/guix/git.scm b/guix/git.scm index 53e7219c8c..ced6a9c62c 100644 --- a/guix/git.scm +++ b/guix/git.scm @@ -23,6 +23,7 @@ (define-module (guix git) #:use-module (git) #:use-module (git object) + #:use-module (git settings) #:use-module (git submodule) #:use-module (guix i18n) #:use-module (guix base32) @@ -463,6 +464,8 @@ (define canonical-ref (repository (if cache-exists? (repository-open cache-directory) (clone/swh-fallback url ref cache-directory)))) + ;; Disable owner validation for local repos see #55399 + (set-owner-validation! 0) ;; Only fetch remote if it has not been cloned just before. (when (and cache-exists? (not (reference-available? repository ref))) ^ permalink raw reply related [flat|nested] 12+ messages in thread
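Review bot: in the gnu/packages/guile.scm hunk, the substitute* snippet has no failure mode: if any of its regexps ("set-user-agent!))", "(GIT_OPT_GET_USER_AGENT).*") stops matching in a later guile-git tarball, substitute* silently leaves git/settings.scm untouched, the package still builds, and the new (set-owner-validation! 0) call in guix/git.scm only fails at run time with an unbound variable. A patch file registered through search-patches, as the existing "guile-git-adjust-for-libgit2-1.2.0.patch" already is, fails loudly at build time instead. The generated procedure is also declared with lambda* although it takes no optional or keyword arguments, and it exposes the raw C int (the caller passes 0); a plain lambda taking a boolean and passing (if owner-validation 1 0) would match the style of the other procedures in that module.

Review bot: in the guix/git.scm hunk, (set-owner-validation! 0) sets a process-global libgit2 option unconditionally on every call to update-cached-checkout and nothing ever re-enables it, so the comment "Disable owner validation for local repos" understates what it does: after the first cached checkout the ownership check is off for every repository libgit2 touches in that process for the rest of its lifetime. Either put the previous value back once the fetch is done (dynamic-wind around the fetch), or say in the comment that the setting is intentionally process-wide.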
* bug#55399: guix system reconfigure fails on channel validation
From: Ludovic Courtès @ 2022-05-23 14:18 UTC
To: André Batista; +Cc: 55399, Maxime Devos

Hi André,

André Batista <nandre@riseup.net> wrote:

> Anyway, the proper thing to do is to update guile-git, so I'll be
> opening an issue there.

Yes please! You pretty much already have the code, so we could put together a new Guile-Git release instead of carrying these modifications in Guix proper.

(For now commit b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab changes Guile-Git in Guix to depend on libgit2 1.3 as a workaround.)

Thanks!

Ludo’.
* bug#55399: guix system reconfigure fails on channel validation
From: André Batista @ 2022-05-24 1:44 UTC
To: Ludovic Courtès; +Cc: 55399, Maxime Devos

Hi!

Mon 23 May 2022 at 16:18:52 (1653333532), ludo@gnu.org sent:
> Yes please! You pretty much already have the code, so we could put
> together a new Guile-Git release instead of carrying these modifications
> in Guix proper.

Done! Issue 26.

https://gitlab.com/guile-git/guile-git/-/issues/26
* bug#55399: guix system reconfigure fails on channel validation
From: André Batista @ 2022-05-24 23:44 UTC
To: Ludovic Courtès; +Cc: 55399, Maxime Devos

Hi again,

Mon 23 May 2022 at 16:18:52 (1653333532), ludo@gnu.org sent:
> ...
> (For now commit b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab changes
> Guile-Git in Guix to depend on libgit2 1.3 as a workaround.)

After upgrading guile-git, the attached patches disable owner validation and revert the above commit which made Guix's guile-git depend on libgit2 1.3 instead of latest.

Cheers!

[-- Attachment #1.2: guix.git.patch --] [-- Type: text/plain, Size: 1653 bytes --] From f9de10676c15a65d6df7e430efbb84cebb431ac9 Mon Sep 17 00:00:00 2001 In-Reply-To: <87a6b85o37.fsf_-_@gnu.org> References: <87a6b85o37.fsf_-_@gnu.org> From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net> To: 55399@debbugs.gnu.org Date: Tue, 24 May 2022 19:38:17 -0300 Subject: [PATCH] guix: Disable owner validation when updating cached checkout * guix/git.scm (update-cached-checkout): Disable owner validation checks. --- guix/git.scm | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/guix/git.scm b/guix/git.scm index 53e7219c8c..d5e12188a2 100644 --- a/guix/git.scm +++ b/guix/git.scm @@ -4,6 +4,7 @@ ;;; Copyright © 2021 Kyle Meyer <kyle@kyleam.com> ;;; Copyright © 2021 Marius Bakke <marius@gnu.org> ;;; Copyright © 2022 Maxime Devos <maximedevos@telenet.be> +;;; Copyright © 2022 André Batista <nandre@riseup.net> ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -23,6 +24,7 @@ (define-module (guix git) #:use-module (git) #:use-module (git object) + #:use-module (git settings) #:use-module (git submodule) #:use-module (guix i18n) #:use-module (guix base32) @@ -463,6 +465,8 @@ (define canonical-ref (repository (if cache-exists? (repository-open cache-directory) (clone/swh-fallback url ref cache-directory)))) + ;; Disable owner validation. See <https://issues.guix.gnu.org/55399>. + (set-owner-validation! #f) ;; Only fetch remote if it has not been cloned just before. (when (and cache-exists? (not (reference-available? repository ref))) -- 2.36.0 [-- Attachment #1.3: guix.guile.patch --] [-- Type: text/plain, Size: 1216 bytes --] From f9de10676c15a65d6df7e430efbb84cebb431ac9 Mon Sep 17 00:00:00 2001 In-Reply-To: <87a6b85o37.fsf_-_@gnu.org> References: <87a6b85o37.fsf_-_@gnu.org> From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net> To: 55399@debbugs.gnu.org Date: Tue, 24 May 2022 19:38:18 -0300 Subject: [PATCH] gnu: guile-git: Use latest libgit2 * gnu/packages/guile.scm (guile-git) [inputs]: Use latest libgit2. Reverts commit b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab. --- gnu/packages/guile.scm | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm index a9e04cb476..138fb4d6bc 100644 --- a/gnu/packages/guile.scm +++ b/gnu/packages/guile.scm @@ -833,9 +833,7 @@ (define-public guile-git (native-inputs (list pkg-config autoconf automake texinfo guile-3.0 guile-bytestructures)) (inputs - ;; libgit2@1.4.3 ‘fixed’ a git CVE it never shared, breaking Guix. Use - ;; 1.3 for now; see <https://issues.guix.gnu.org/55399> for alternatives. - (list guile-3.0 libgit2-1.3)) + (list guile-3.0 libgit2)) (propagated-inputs (list guile-bytestructures)) (synopsis "Guile bindings for libgit2") [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 667 bytes --] ^ permalink raw reply related [flat|nested] 12+ messages in thread
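Review bot: in the guix/git.scm hunk of guix.git.patch, (set-owner-validation! #f) runs after the (repository-open cache-directory) call visible in the context lines above it, so if libgit2 also applies the ownership check when a repository is opened, the cache directory itself is still opened with validation enabled and only the later fetch benefits; moving the call to where libgit2 is initialised (with-libgit2) would cover both. The option is also still process-global and never restored after the fetch, which the comment "Disable owner validation." should say.

Review bot: the guix.guile.patch hunk swaps libgit2-1.3 back for libgit2 on the strength of "After upgrading guile-git" in the cover text, but no commit in this series performs that upgrade and the hunk touches only the inputs field, so applying these two patches as posted reproduces the breakage that b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab worked around; the guile-git upgrade needs to land first or in the same commit. Both attached patches also carry the same commit id in their "From" line (f9de10676c15a65d6df7e430efbb84cebb431ac9), so they were not exported from a linear series; regenerate them with git format-patch so they apply in order.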
* bug#55399: guix system reconfigure fails on channel validation
From: André Batista @ 2023-02-03 3:48 UTC
To: Ludovic Courtès; +Cc: Maxime Devos, 55399

Hello,

Tue 24 May 2022 at 20:44:13 (1653435853), nandre@riseup.net sent:
> Mon 23 May 2022 at 16:18:52 (1653333532), ludo@gnu.org sent:
> > (For now commit b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab changes
> > Guile-Git in Guix to depend on libgit2 1.3 as a workaround.)
>
> After upgrading guile-git, the attached patches disable owner
> validation and revert the above commit which made Guix's guile-git
> depend on libgit2 1.3 instead of latest.

#61246 has an alternative solution to this issue. Newer libgit2 versions check for safe.directory configuration entries in the user's global scope. This means that instead of disabling owner validation in guix code itself, users can exempt directories of their own choosing. This is IMO a better solution and so the patches provided here should be disregarded.

However, since libgit2 seems to have changed its API elsewhere after 1.3.x, I've avoided messing with guile-git inputs this time and so it still depends on libgit2-1.3. IMO, instead of upgrading the libgit2 dependency and risking breaking guile-git in unknown ways, we should work on revising guile-git's conformance to later libgit2 versions (it's currently on 1.5.1). Meaning not trying to apply the patches Maxime provided, but working upstream.

WDYT?

Cheers!
* bug#55399: guix system reconfigure fails on channel validation
From: Maxime Devos @ 2022-08-28 10:44 UTC
To: André Batista, 55399

I'm preparing a _complete_ set of patches to Guix to fix this, I'll send them once tested.

Greetings,
Maxime.
* bug#55399: [PATCH 1/2] guix: Disable owner validation. 2022-05-13 15:21 bug#55399: guix system reconfigure fails on channel validation André Batista ` (2 preceding siblings ...) 2022-08-28 10:44 ` Maxime Devos @ 2022-08-28 10:58 ` Maxime Devos 2022-08-28 10:58 ` bug#55399: [PATCH 2/2] gnu: guile-git: Add patches to support owner validation, and use libgit2@1.4.3 Maxime Devos 2022-08-28 11:02 ` bug#55399: [PATCH 1/2] guix: Disable owner validation Maxime Devos 3 siblings, 2 replies; 12+ messages in thread From: Maxime Devos @ 2022-08-28 10:58 UTC (permalink / raw) To: 55399; +Cc: André Batista, Maxime Devos The original patch disabled it only when updating cached checkouts, but the disabling persisted afterwards, making it stateful. To avoid statefulness, it is disabled during with-libgit2 instead. For compatibility with guile-git versions that do not yet have set-owner-validation!, the setting is skipped when set-owner-validation! does not exist. * guix/git.scm (update-cached-checkout): Disable owner validation checks. Co-Authored-By: André Batista <nandre@riseup.net> --- guix/git.scm | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/guix/git.scm b/guix/git.scm index 53e7219c8c..0fe6e65549 100644 --- a/guix/git.scm +++ b/guix/git.scm @@ -4,6 +4,7 @@ ;;; Copyright © 2021 Kyle Meyer <kyle@kyleam.com> ;;; Copyright © 2021 Marius Bakke <marius@gnu.org> ;;; Copyright © 2022 Maxime Devos <maximedevos@telenet.be> +;;; Copyright © 2022 André Batista <nandre@riseup.net> ;;; ;;; This file is part of GNU Guix. ;;; @@ -23,6 +24,7 @@ (define-module (guix git) #:use-module (git) #:use-module (git object) + #:use-module (git settings) #:use-module (git submodule) #:use-module (guix i18n) #:use-module (guix base32) 
@@ -117,6 +119,16 @@ (define-syntax-rule (with-libgit2 thunk ...) ;; but pointer finalizers used in guile-git may be called after shutdown, ;; resulting in a segfault. Hence, let's skip shutdown call for now. (libgit2-init!) + ;; libgit2@1.4.3 ‘fixed’ a git CVE it never shared, breaking some uses + ;; of Guix channels (see <https://issues.guix.gnu.org/55399>). Disable + ;; the owner validation that does not fit in the security model in Guix. + ;; + ;; For compatibility with old guile-git that do not have + ;; 'set-owner-validation!', do nothing if 'set-owner-validation!' + ;; does not exist. + ((catch 'unbound-variable + (lambda () set-owner-validation!) + (lambda _ identity)) #false) (unless %certificates-initialized? (honor-system-x509-certificates!) (set! %certificates-initialized? #t)) base-commit: d519305d83d08058e4def2c4d72fe62102d9599d prerequisite-patch-id: 62949e6148bb8aae2f792aaf4d54f2a136351d28 prerequisite-patch-id: 72191ec47cb3876c5fcd6233880dea7dfc1b165f prerequisite-patch-id: bbfd96d673e491ddd684e8270c90347547dceaa5 prerequisite-patch-id: fbdac7446d0c3f529f313f89cb9ba975d469d7ac prerequisite-patch-id: d0a5804a92d868c5ee6726e6e0555a8af25e442c -- 2.37.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
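Review bot: the ChangeLog entry "* guix/git.scm (update-cached-checkout): Disable owner validation checks." names the wrong procedure; the hunk changes the with-libgit2 macro, so the entry should read "(with-libgit2)". Second, the commit message says the option is disabled "during with-libgit2" to avoid statefulness, but the hunk only sets it to #false after (libgit2-init!) and nothing puts the previous value back when the thunk returns (and the context comment notes that the shutdown call is skipped), so the process-wide libgit2 option stays disabled after with-libgit2 exits; if scoping is the intent, wrap thunk in dynamic-wind and restore the old value, otherwise state in the comment that the change is process-wide. Third, the (catch 'unbound-variable (lambda () set-owner-validation!) (lambda _ identity)) construction relies on the variable lookup being deferred to call time; looking the symbol up with module-variable on the (git settings) interface is more direct and does not depend on catching an exception.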
* bug#55399: [PATCH 2/2] gnu: guile-git: Add patches to support owner validation, and use libgit2@1.4.3.
From: Maxime Devos @ 2022-08-28 10:58 UTC
To: 55399; +Cc: Maxime Devos

These two changes have to be done at the same time -- if the libgit2 dependency is updated first, then we would have a commit during which "guix pull" is broken when using local channels (see: <https://issues.guix.gnu.org/55399>). And if the patches are added first, then the build of guile-git breaks because the tests assume a new libgit2.

Together with the previous commit, this fixes <https://issues.guix.gnu.org/55399>.

Tested with (first step):

$ ./pre-inst-env guix pull --url=$PWD --commit=b22ddb51d8dfa4ab7f683c99ffc1fa6f44e0dc6b --profile=../guix-with-libgit2 --disable-authentication --channels=../channels.scm

where b22ddb51d8dfa4ab7f683c99ffc1fa6f44e0dc6b is the commit after applying these two patches. Make sure to only put the Guix channel in ../channels.scm, because of --disable-authentication. This builds a Guix that uses the new libgit2 and patched guile-git.

Then, it is tested that pulling still works from a local checkout:

$ ../guix-with-libgit2/bin/guix pull --url=$PWD --commit=c3d9ddbf3d34b58261ab9e03c794f5fbad34142d --channels=../channels.scm --disable-authentication -p../another-guix

where c3d9ddbf3d34b58261ab9e03c794f5fbad34142d is a commit that hasn't been seen before by the "guix pull" machinery.

* gnu/packages/patches/guile-git-fix-git-opt.patch: New patch.
* gnu/packages/patches/guile-git-set-owner-validation.patch: New patch.
* gnu/packages/patches/guile-git-test-owner-validation.patch: New patch.
* gnu/packages/guile.scm (guile-git)[source]{patches}: Add new patches.
* gnu/local.mk (dist_patch_DATA): Register new patches.
--- gnu/local.mk | 3 + gnu/packages/guile.scm | 15 +- .../patches/guile-git-fix-git-opt.patch | 57 +++++++ .../guile-git-set-owner-validation.patch | 41 +++++ .../guile-git-test-owner-validation.patch | 153 ++++++++++++++++++ 5 files changed, 264 insertions(+), 5 deletions(-) create mode 100644 gnu/packages/patches/guile-git-fix-git-opt.patch create mode 100644 gnu/packages/patches/guile-git-set-owner-validation.patch create mode 100644 gnu/packages/patches/guile-git-test-owner-validation.patch diff --git a/gnu/local.mk b/gnu/local.mk index 412d512775..081f240157 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1244,6 +1244,9 @@ dist_patch_DATA = \ %D%/packages/patches/guile-fibers-wait-for-io-readiness.patch \ %D%/packages/patches/guile-gdbm-ffi-support-gdbm-1.14.patch \ %D%/packages/patches/guile-git-adjust-for-libgit2-1.2.0.patch \ + %D%/packages/patches/guile-git-fix-git-opt.patch \ + %D%/packages/patches/guile-git-set-owner-validation.patch \ + %D%/packages/patches/guile-git-test-owner-validation.patch \ %D%/packages/patches/guile-present-coding.patch \ %D%/packages/patches/guile-rsvg-pkgconfig.patch \ %D%/packages/patches/guile-emacs-fix-configure.patch \ diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm index d320763a61..87b35e2db2 100644 --- a/gnu/packages/guile.scm +++ b/gnu/packages/guile.scm @@ -16,7 +16,7 @@ ;;; Copyright © 2018 Eric Bavier <bavier@member.fsf.org> ;;; Copyright © 2019 Taylan Kammer <taylan.kammer@gmail.com> ;;; Copyright © 2020, 2021, 2022 Efraim Flashner <efraim@flashner.co.il> -;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be> +;;; Copyright © 2021, 2022 Maxime Devos <maximedevos@telenet.be> ;;; Copyright © 2021 Timothy Sample <samplet@ngyro.com> ;;; ;;; This file is part of GNU Guix. 
@@ -817,7 +817,14 @@ (define-public guile-git (base32 "11a51acibwi2hpaygmrpn6nwbr4lqalc87ihrgj3mhz6swbsk9n7")) (patches (search-patches - "guile-git-adjust-for-libgit2-1.2.0.patch")))) + "guile-git-adjust-for-libgit2-1.2.0.patch" + ;; These three patches from + ;; <https://gitlab.com/guile-git/guile-git/-/issues/26> + ;; together add procedures to disable/enable owner validation, + ;; which is required for fixing <https://issues.guix.gnu.org/55399>. + "guile-git-fix-git-opt.patch" + "guile-git-set-owner-validation.patch" + "guile-git-test-owner-validation.patch")))) (build-system gnu-build-system) (arguments `(#:make-flags '("GUILE_AUTO_COMPILE=0") ; to prevent guild warnings @@ -833,9 +840,7 @@ (define-public guile-git (native-inputs (list pkg-config autoconf automake texinfo guile-3.0 guile-bytestructures)) (inputs - ;; libgit2@1.4.3 ‘fixed’ a git CVE it never shared, breaking Guix. Use - ;; 1.3 for now; see <https://issues.guix.gnu.org/55399> for alternatives. - (list guile-3.0 libgit2-1.3)) + (list guile-3.0 libgit2)) (propagated-inputs (list guile-bytestructures)) (synopsis "Guile bindings for libgit2") diff --git a/gnu/packages/patches/guile-git-fix-git-opt.patch b/gnu/packages/patches/guile-git-fix-git-opt.patch new file mode 100644 index 0000000000..050c72818a --- /dev/null +++ b/gnu/packages/patches/guile-git-fix-git-opt.patch 
@@ -0,0 +1,57 @@ +From 99054837c6616e06c48c944094114ae8c9b628f3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net> +Date: Thu, 19 May 2022 09:35:25 -0300 +To: incoming+guile-git-guile-git-1792500-1ffl9ys3eg9dz7xscimedvf7n-merge-request@incoming.gitlab.com +Subject: Update GIT_OPT definitions to match upstream enum + +* git/settings.scm: Update definitions to match libgit2 v. 1.4.3. + +--- + git/settings.scm | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/git/settings.scm b/git/settings.scm +index 83e2483..4621f43 100644 +--- a/git/settings.scm ++++ b/git/settings.scm +@@ -1,5 +1,6 @@ + ;;; Guile-Git --- GNU Guile bindings of libgit2 + ;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org> ++;;; Copyright © 2022 André Batista <nandre@riseup.net> + ;;; + ;;; This file is part of Guile-Git. + ;;; +@@ -38,8 +39,28 @@ + (define GIT_OPT_SET_SSL_CERT_LOCATIONS 12) + (define GIT_OPT_SET_USER_AGENT 13) + (define GIT_OPT_ENABLE_STRICT_OBJECT_CREATION 14) +-(define GIT_OPT_SET_SSL_CIPHERS 15) +-(define GIT_OPT_GET_USER_AGENT 16) ++(define GIT_OPT_ENABLE_STRICT_SYMBOLIC_REF_CREATION 15) ++(define GIT_OPT_SET_SSL_CIPHERS 16) ++(define GIT_OPT_GET_USER_AGENT 17) ++(define GIT_OPT_ENABLE_OFS_DELTA 18) ++(define GIT_OPT_ENABLE_FSYNC_GITDIR 19) ++(define GIT_OPT_GET_WINDOWS_SHAREMODE 20) ++(define GIT_OPT_SET_WINDOWS_SHAREMODE 21) ++(define GIT_OPT_ENABLE_STRICT_HASH_VERIFICATION 22) ++(define GIT_OPT_SET_ALLOCATOR 23) ++(define GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY 24) ++(define GIT_OPT_GET_PACK_MAX_OBJECTS 25) ++(define GIT_OPT_SET_PACK_MAX_OBJECTS 26) ++(define GIT_OPT_DISABLE_PACK_KEEP_FILE_CHECKS 27) ++(define GIT_OPT_ENABLE_HTTP_EXPECT_CONTINUE 28) ++(define GIT_OPT_GET_MWINDOW_FILE_LIMIT 29) ++(define GIT_OPT_SET_MWINDOW_FILE_LIMIT 30) ++(define GIT_OPT_SET_ODB_PACKED_PRIORITY 31) ++(define GIT_OPT_SET_ODB_LOOSE_PRIORITY 32) ++(define GIT_OPT_GET_EXTENSIONS 33) ++(define GIT_OPT_SET_EXTENSIONS 34) 
++(define GIT_OPT_GET_OWNER_VALIDATION 35) ++(define GIT_OPT_SET_OWNER_VALIDATION 36) + + (define set-tls-certificate-locations! + (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int '* '*)))) +-- +2.36.0 + diff --git a/gnu/packages/patches/guile-git-set-owner-validation.patch b/gnu/packages/patches/guile-git-set-owner-validation.patch new file mode 100644 index 0000000000..becef644ad --- /dev/null +++ b/gnu/packages/patches/guile-git-set-owner-validation.patch @@ -0,0 +1,41 @@ +From 88091a17f8276b03c95837b422adf5b0b7eda79e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net> +Date: Thu, 19 May 2022 09:47:36 -0300 +Subject: [PATCH] settings: Add 'set-owner-validation!'. +To: guile-git@gitlab.com + +* git/settings.scm: (set-owner-validation!): New procedure. +--- + git/settings.scm | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/git/settings.scm b/git/settings.scm +index 4621f43..f6857d5 100644 +--- a/git/settings.scm ++++ b/git/settings.scm +@@ -20,7 +20,8 @@ + (define-module (git settings) + #:use-module (system foreign) + #:use-module (git bindings) +- #:export (set-tls-certificate-locations! ++ #:export (set-owner-validation! ++ set-tls-certificate-locations! + set-user-agent!)) + + ;; 'git_libgit2_opt_t' enum defined in <git2/common.h>. +@@ -62,6 +63,12 @@ + (define GIT_OPT_GET_OWNER_VALIDATION 35) + (define GIT_OPT_SET_OWNER_VALIDATION 36) + ++(define set-owner-validation! ++ (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int int)))) ++ (lambda (owner-validation) ++ "Boolean: enable/disable owner validation checks. See CVE 2022-24765." ++ (proc GIT_OPT_SET_OWNER_VALIDATION (if owner-validation 1 0))))) ++ + (define set-tls-certificate-locations! + (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int '* '*)))) + (lambda* (directory #:optional file) +-- +2.36.0 + 
diff --git a/gnu/packages/patches/guile-git-test-owner-validation.patch b/gnu/packages/patches/guile-git-test-owner-validation.patch new file mode 100644 index 0000000000..3ef2fa3557 --- /dev/null +++ b/gnu/packages/patches/guile-git-test-owner-validation.patch 
@@ -0,0 +1,153 @@ +From 4a2a6d3723afc05b93edfe430c7f95abbe6db021 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net> +Date: Tue, 14 Jun 2022 23:00:07 -0300 +Subject: [PATCH] settings: Add 'owner-validation?'. +To: guile-git@gitlab.com + +* git/settings.scm: (owner-validation?): New procedure. +* tests/settings.scm: Add owner-validation? tests. +--- + Makefile.am | 1 + + git/settings.scm | 13 ++++++++++++- + git/types.scm | 11 +++++++++++ + tests/settings.scm | 45 +++++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 69 insertions(+), 1 deletion(-) + create mode 100644 tests/settings.scm + +diff --git a/Makefile.am b/Makefile.am +index 0f92d4c..033033d 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -95,6 +95,7 @@ TESTS = \ + tests/remote.scm \ + tests/rev-parse.scm \ + tests/status.scm \ ++ tests/settings.scm \ + tests/submodule.scm \ + tests/tag.scm \ + tests/tree.scm +diff --git a/git/settings.scm b/git/settings.scm +index 5022945..582f519 100644 +--- a/git/settings.scm ++++ b/git/settings.scm +@@ -1,6 +1,7 @@ + ;;; Guile-Git --- GNU Guile bindings of libgit2 + ;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org> + ;;; Copyright © 2022 André Batista <nandre@riseup.net> ++;;; Copyright © 2022 Maxime Devos <maximedevos@telenet.be> + ;;; + ;;; This file is part of Guile-Git. + ;;; +@@ -20,7 +21,9 @@ + (define-module (git settings) + #:use-module (system foreign) + #:use-module (git bindings) +- #:export (set-owner-validation! ++ #:use-module (git types) ++ #:export (owner-validation? ++ set-owner-validation! + set-tls-certificate-locations! + set-user-agent!)) + +@@ -63,6 +66,14 @@ + (define GIT_OPT_GET_OWNER_VALIDATION 35) + (define GIT_OPT_SET_OWNER_VALIDATION 36) + ++(define owner-validation? ++ (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int '*)))) ++ (lambda () ++ "Boolean: Return owner validation setting." ++ (let ((out (make-int-pointer))) ++ (proc GIT_OPT_GET_OWNER_VALIDATION out) ++ (if (equal? 
(pointer->int out) 0) #f #t))))) ++ + (define set-owner-validation! + (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int int)))) + (lambda (owner-validation) +diff --git a/git/types.scm b/git/types.scm +index 3503ccf..7609a8a 100644 +--- a/git/types.scm ++++ b/git/types.scm +@@ -46,7 +46,9 @@ + tree? pointer->tree tree->pointer + tree-entry? pointer->tree-entry tree-entry->pointer + submodule? pointer->submodule submodule->pointer ++ pointer->int + pointer->size_t ++ make-int-pointer + make-size_t-pointer + make-double-pointer)) + +@@ -102,9 +104,18 @@ + (define (make-double-pointer) + (bytevector->pointer (make-bytevector (sizeof '*)))) + ++(define (make-int-pointer) ++ (bytevector->pointer (make-bytevector (sizeof int)))) ++ + (define (make-size_t-pointer) + (bytevector->pointer (make-bytevector (sizeof size_t)))) + ++(define (pointer->int ptr) ++ (bytevector-sint-ref (pointer->bytevector ptr (sizeof int)) ++ 0 ++ (native-endianness) ++ (sizeof int))) ++ + (define (pointer->size_t ptr) + (bytevector-uint-ref (pointer->bytevector ptr (sizeof size_t)) + 0 +diff --git a/tests/settings.scm b/tests/settings.scm +new file mode 100644 +index 0000000..a82c5ca +--- /dev/null ++++ b/tests/settings.scm +@@ -0,0 +1,45 @@ ++;;; Guile-Git --- GNU Guile bindings of libgit2 ++;;; Copyright © 2022 André Batista <nandre@riseup.net> ++;;; ++;;; This file is part of Guile-Git. ++;;; ++;;; Guile-Git is free software; you can redistribute it and/or modify it ++;;; under the terms of the GNU General Public License as published by ++;;; the Free Software Foundation; either version 3 of the License, or ++;;; (at your option) any later version. ++;;; ++;;; Guile-Git is distributed in the hope that it will be useful, but ++;;; WITHOUT ANY WARRANTY; without even the implied warranty of ++;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++;;; General Public License for more details. 
++;;; ++;;; You should have received a copy of the GNU General Public License ++;;; along with Guile-Git. If not, see <http://www.gnu.org/licenses/>. ++ ++(define-module (tests settings) ++ #:use-module (srfi srfi-64)) ++ ++(use-modules (tests helpers)) ++(use-modules (git)) ++ ++(test-begin "settings") ++ ++(libgit2-init!) ++ ++(with-repository "simple" directory ++ ++ (test-equal "disable owner validation" ++ #f ++ ((lambda () ++ (set-owner-validation! #f) ++ (owner-validation?)))) ++ ++ (test-equal "enable owner validation" ++ #t ++ ((lambda () ++ (set-owner-validation! #t) ++ (owner-validation?))))) ++ ++(libgit2-shutdown!) ++ ++(test-end) +-- +2.36.0 + -- 2.37.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
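Review bot: in the Makefile.am hunk, `tests/settings.scm \` is inserted after `tests/status.scm \`, but the TESTS list is kept in alphabetical order and "settings" sorts before "status", so it belongs one line up. The ChangeLog in the commit message also lists only git/settings.scm and tests/settings.scm, while Makefile.am (TESTS) and git/types.scm (pointer->int, make-int-pointer) are changed as well and should get their own entries.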
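Review bot: in the `owner-validation?` hunk of git/settings.scm, nothing documents that GIT_OPT_GET_OWNER_VALIDATION (35) only exists from libgit2 1.4.3 on; on an older libgit2 the option is unknown to `git_libgit2_opts` and `out` is never written, so the docstring should state the version requirement, or the procedure should return a documented value when the option is unsupported. The docstring "Boolean: Return owner validation setting." could also say what #t means (libgit2's repository-owner check is on), and `(if (equal? (pointer->int out) 0) #f #t)` reads more naturally as `(not (zero? (pointer->int out)))`.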
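Review bot: `make-int-pointer` in git/types.scm allocates with `(make-bytevector (sizeof int))` and no fill value, so the memory it points at has unspecified contents; since callers read the value back after a foreign call that may not have written it, pass an explicit fill (`(make-bytevector (sizeof int) 0)`) so a skipped write yields a deterministic 0 rather than garbage. The pre-existing `make-size_t-pointer` has the same pattern and could be fixed in the same hunk. `pointer->int` correctly uses `bytevector-sint-ref` for a signed C int, in contrast to the unsigned `pointer->size_t`.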
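Review bot: in tests/settings.scm the `with-repository "simple" directory` wrapper is unnecessary: `directory` is never used, and owner validation is a process-wide libgit2 option rather than a per-repository one. The tests also leave behind whatever value they last set; capture `(owner-validation?)` before the two `test-equal`s and restore it afterwards, so the order of the tests does not matter and libgit2 is left in the state it was found. The `((lambda () ...))` thunks can simply be `(begin ...)`. Finally, since the getter needs libgit2 1.4.3 or later, consider a `test-skip` when an older libgit2 is in use, otherwise the suite fails rather than skips on such a build.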
* bug#55399: [PATCH 1/2] guix: Disable owner validation.
  2022-08-28 10:58 ` bug#55399: [PATCH 1/2] guix: Disable owner validation Maxime Devos
  2022-08-28 10:58 ` bug#55399: [PATCH 2/2] gnu: guile-git: Add patches to support owner validation, and use libgit2@1.4.3 Maxime Devos
@ 2022-08-28 11:02 ` Maxime Devos
  1 sibling, 0 replies; 12+ messages in thread

From: Maxime Devos @ 2022-08-28 11:02 UTC (permalink / raw)
To: 55399; +Cc: André Batista

Oops, the test I did in the second test is bogus (I didn't test as root).
However, it appears that owner validation is properly disabled:

[inside the pulled guix]
> scheme@(guix-user)> ,m (guix git)
> scheme@(guix git)> (owner-validation?) --> #true
> scheme@(guix git)> (with-libgit2 (owner-validation?)) --> #false

Greetings,
Maxime.
end of thread, other threads:[~2023-02-03 3:50 UTC | newest]

Thread overview: 12+ messages
  2022-05-13 15:21 bug#55399: guix system reconfigure fails on channel validation  André Batista
  2022-05-13 15:26 ` Maxime Devos
  2022-05-13 15:28 ` Maxime Devos
  2022-05-18 17:38 ` bug#55399: Temporary fix  André Batista
  2022-05-23 14:18 ` bug#55399: guix system reconfigure fails on channel validation  Ludovic Courtès
  2022-05-24  1:44 ` André Batista
  2022-05-24 23:44 ` André Batista
  2023-02-03  3:48 ` André Batista
  2022-08-28 10:44 ` Maxime Devos
  2022-08-28 10:58 ` bug#55399: [PATCH 1/2] guix: Disable owner validation  Maxime Devos
  2022-08-28 10:58 ` bug#55399: [PATCH 2/2] gnu: guile-git: Add patches to support owner validation, and use libgit2@1.4.3  Maxime Devos
  2022-08-28 11:02 ` bug#55399: [PATCH 1/2] guix: Disable owner validation  Maxime Devos