* [bug#55001] [PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].
From: Zhu Zihao @ 2022-04-18 13:42 UTC (permalink / raw)
To: 55001
[-- Attachment #2: 0001-gnu-git-Update-to-2.35.2-fixes-CVE-2022-24765.patch --]
[-- Type: text/x-patch, Size: 1620 bytes --]
From c1ced93b4acc56f9a33d10ebed8b1cefc7dc1b9d Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last@163.com>
Date: Mon, 18 Apr 2022 21:40:19 +0800
Subject: [PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765
* gnu/packages/version-control.scm (git): Update to 2.35.2.
---
gnu/packages/version-control.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index d77c2e51f6..9902483d76 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -221,14 +221,14 @@ (define git-cross-configure-flags
(define-public git
(package
(name "git")
- (version "2.35.1")
+ (version "2.35.2")
(source (origin
(method url-fetch)
(uri (string-append "mirror://kernel.org/software/scm/git/git-"
version ".tar.xz"))
(sha256
(base32
- "100h37cpw49pmlpf6lcpm1xi578gllf6y9in60h5mxj3cj754s6p"))))
+ "1wq0wrdg81b324y17fr4jaw5zk2i4fah0f99rhndpsywlm7hqgf7"))))
(build-system gnu-build-system)
(native-inputs
`(("native-perl" ,perl)
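Review bot: The new base32 value on the `+` line under `(sha256` is the only integrity check on the tarball fetched from `mirror://kernel.org/software/scm/git/git-` plus `version ".tar.xz"`, and nothing in the patch says how it was obtained. Please confirm it was computed from a tarball whose upstream signature was verified, not just from whatever the mirror served, and say so in the submission. Since the subject carries `[fixes CVE-2022-24765]`, a sentence in the commit message on whether the issue is reachable on Guix systems would also help later triage.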
@@ -248,7 +248,7 @@ (define-public git
version ".tar.xz"))
(sha256
(base32
- "00rqdj2bc3i7pfc16pciiz50ww41jkqg18iy5hi5jnf0y98sgqz4"))))
+ "1s3fbnl2slwd3b5j2281z8jwypsqydd1n7yg90v7vb369njvmsd0"))))
;; For subtree documentation.
("asciidoc" ,asciidoc)
("docbook-xsl" ,docbook-xsl)
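Review bot: The changelog entry lists only `(git): Update to 2.35.2.`, but the `(base32` value changed at `@@ -248,7 +248,7 @@` belongs to a second origin whose definition starts above the visible context. Its file name is also built from `version ".tar.xz"`, so the two hashes have to move together; please confirm that the build consuming this second source succeeded with the new value, and mention the second hash in the commit log if the project's changelog convention asks for it.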
--
2.35.1
--
Retrieve my PGP public key:
gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
Zihao
* [bug#55001] Acknowledgement ([PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].)
From: Zhu Zihao @ 2022-04-18 14:23 UTC (permalink / raw)
To: 55001
Update to 2.35.3 instead.
[-- Attachment #2: 0001-gnu-git-Update-to-2.35.3-fixes-CVE-2022-24765.patch --]
[-- Type: text/x-patch, Size: 1620 bytes --]
From ecae314a30e43a4d706b68dc3345a2b32303e8fe Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last@163.com>
Date: Mon, 18 Apr 2022 21:40:19 +0800
Subject: [PATCH] gnu: git: Update to 2.35.3 [fixes CVE-2022-24765].
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765
* gnu/packages/version-control.scm (git): Update to 2.35.3.
---
gnu/packages/version-control.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index d77c2e51f6..1fbfe0b9bd 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -221,14 +221,14 @@ (define git-cross-configure-flags
(define-public git
(package
(name "git")
- (version "2.35.1")
+ (version "2.35.3")
(source (origin
(method url-fetch)
(uri (string-append "mirror://kernel.org/software/scm/git/git-"
version ".tar.xz"))
(sha256
(base32
- "100h37cpw49pmlpf6lcpm1xi578gllf6y9in60h5mxj3cj754s6p"))))
+ "18hgw3g4vc78nk6lic2sbw0h22bwbh6a0qnb63zrzvgjkd7xps8m"))))
(build-system gnu-build-system)
(native-inputs
`(("native-perl" ,perl)
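Review bot: The `- (version "2.35.1")` line together with the `index d77c2e51f6..` base shows this revision replaces the earlier 2.35.2 patch instead of stacking on it, yet the commit message gives no reason for targeting 2.35.3. Please mark the submission as a new revision of the same patch and state why 2.35.3 is preferred over 2.35.2, so a committer does not apply the superseded version by mistake.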
@@ -248,7 +248,7 @@ (define-public git
version ".tar.xz"))
(sha256
(base32
- "00rqdj2bc3i7pfc16pciiz50ww41jkqg18iy5hi5jnf0y98sgqz4"))))
+ "0973y7g356fjyrqxgvac04g3qhf6fbs3lzpizl1skkri0zh7x357"))))
;; For subtree documentation.
("asciidoc" ,asciidoc)
("docbook-xsl" ,docbook-xsl)
--
2.35.1
--
Retrieve my PGP public key:
gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
Zihao
* [bug#55001] [PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].
From: Greg Hogan @ 2022-04-18 15:53 UTC (permalink / raw)
To: Zhu Zihao; +Cc: 55001
Hi Zihao,
Is this not a Windows-only vulnerability and bugfix release (also
CVE-2022-24767)?
Greg
On Mon, Apr 18, 2022 at 9:44 AM Zhu Zihao <all_but_last@163.com> wrote:
>
> --
> Retrieve my PGP public key:
>
> gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
>
> Zihao
>
* [bug#55001] [PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].
From: Zhu Zihao @ 2022-04-18 16:02 UTC (permalink / raw)
To: Greg Hogan; +Cc: 55001
Greg Hogan <code@greghogan.com> writes:
> Hi Zihao,
>
> Is this not a Windows-only vulnerability and bugfix release (also CVE-2022-24767)?
>
> Greg
>
> On Mon, Apr 18, 2022 at 9:44 AM Zhu Zihao <all_but_last@163.com> wrote:
>
> --
> Retrieve my PGP public key:
>
> gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
>
> Zihao
Hi.
https://www.phoronix.com/scan.php?page=news_item&px=Git-CVE-2022-24765
This article says "likely due to only affect Microsoft Windows". I
haven't tested this CVE on *nix systems.
If it doesn't affect Guix systems, should I remove "[fixes
CVE-2022-24765]" in the git commit message or leave it there?
--
Retrieve my PGP public key:
gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
Zihao
* [bug#55001] Acknowledgement ([PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].)
From: Greg Hogan @ 2022-04-18 17:33 UTC (permalink / raw)
To: Zhu Zihao; +Cc: 55001
And now git 2.36 has been released.
On Mon, Apr 18, 2022 at 10:25 AM Zhu Zihao <all_but_last@163.com> wrote:
>
> Update to 2.35.3 instead.
>
>
> --
> Retrieve my PGP public key:
>
> gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
>
> Zihao
>
* [bug#55001] [PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].
From: Maxime Devos @ 2022-04-18 18:03 UTC (permalink / raw)
To: Zhu Zihao, Greg Hogan; +Cc: 55001
Zhu Zihao wrote on Tue 19-04-2022 at 00:02 [+0800]:
>
> Hi.
>
> https://www.phoronix.com/scan.php?page=news_item&px=Git-CVE-2022-24765
>
> This article says "likely due to only affect Microsoft Windows". I
> haven't tested this CVE on *nix systems.
>
> If it doesn't affect Guix systems, should I remove "[fixes
> CVE-2022-24765]" in the git commit message or leave it there?
According to <https://lwn.net/Articles/891112/#Comments> and its
comments, it affects ‘multi-user (*) Linux (**) systems’ as well, if
someone has their git repo inside /tmp. (Does anyone actually do
that?)
(*) I would think this includes otherwise single-user systems with a
compromised daemon as well?
(**) Presumably also GNU/Hurd and the BSDs.
Greetings,
Maxime.
* [bug#55001] gnu: git: Update to 2.36.0 [fixes CVE-2022-24765] Was: Acknowledgement ([PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].)
From: Zhu Zihao @ 2022-04-19 9:19 UTC (permalink / raw)
To: Greg Hogan; +Cc: 55001
Greg Hogan <code@greghogan.com> writes:
> And now git 2.36 has been released.
A new patch that updates to 2.36 is uploaded. Thanks for your mention :)
[-- Attachment #2: 0001-gnu-git-Update-to-2.36.0-fixes-CVE-2022-24765.patch --]
[-- Type: text/x-patch, Size: 1620 bytes --]
From bad9eea70d56ec9ace36f7f62c5ea7c8f3e399a3 Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last@163.com>
Date: Mon, 18 Apr 2022 21:40:19 +0800
Subject: [PATCH] gnu: git: Update to 2.36.0 [fixes CVE-2022-24765].
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765
* gnu/packages/version-control.scm (git): Update to 2.36.0.
---
gnu/packages/version-control.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index d77c2e51f6..ff9c6f7c14 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -221,14 +221,14 @@ (define git-cross-configure-flags
(define-public git
(package
(name "git")
- (version "2.35.1")
+ (version "2.36.0")
(source (origin
(method url-fetch)
(uri (string-append "mirror://kernel.org/software/scm/git/git-"
version ".tar.xz"))
(sha256
(base32
- "100h37cpw49pmlpf6lcpm1xi578gllf6y9in60h5mxj3cj754s6p"))))
+ "1ly13j37h1y8bgcj3h0cl43vcpwk9j4gsasssk8gar44cp0vypmg"))))
(build-system gnu-build-system)
(native-inputs
`(("native-perl" ,perl)
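Review bot: Moving the `version` line from `2.35.1` to `2.36.0` pulls in a new feature release, not just a point release, which carries more risk for dependent packages than the subject's `[fixes CVE-2022-24765]` suggests. Please state in the submission what was built with this change, for example the package itself plus the dependents reported by `guix refresh -l git`, so the committer knows the scope of testing behind the bump.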
@@ -248,7 +248,7 @@ (define-public git
version ".tar.xz"))
(sha256
(base32
- "00rqdj2bc3i7pfc16pciiz50ww41jkqg18iy5hi5jnf0y98sgqz4"))))
+ "0p6vc6nyaibx2lxirjj2nm5spk5q6svz8l3w0pqnaa3i7l7c6qy0"))))
;; For subtree documentation.
("asciidoc" ,asciidoc)
("docbook-xsl" ,docbook-xsl)
--
2.35.1
--
Retrieve my PGP public key:
gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
Zihao
* [bug#55001] gnu: git: Update to 2.36.0 [fixes CVE-2022-24765] Was: Acknowledgement ([PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].)
From: Greg Hogan @ 2022-04-19 14:08 UTC (permalink / raw)
To: Zhu Zihao; +Cc: 55001
This update built successfully for me, and also all dependent packages with
'git' in the name:
./pre-inst-env guix refresh -l git | cut -d: -f2- | tr ' ' '\n' | grep git |
xargs ./pre-inst-env guix build
On Tue, Apr 19, 2022 at 5:21 AM Zhu Zihao <all_but_last@163.com> wrote:
>
> Greg Hogan <code@greghogan.com> writes:
>
> > And now git 2.36 has been released.
>
> A new patch that updates to 2.36 is uploaded. Thanks for your mention :)
>
>
> --
> Retrieve my PGP public key:
>
> gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
>
> Zihao
>
* [bug#55001] gnu: git: Update to 2.36.0 [fixes CVE-2022-24765] Was: Acknowledgement ([PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].)
From: Zhu Zihao @ 2022-04-23 4:20 UTC (permalink / raw)
Cc: 55001
Ping for response.
--
Retrieve my PGP public key:
gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
Zihao
* bug#55001: [PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].
From: Mathieu Othacehe @ 2022-04-27 9:33 UTC (permalink / raw)
To: Zhu Zihao; +Cc: 55001-done
Hello,
Pushed as 4fb6ef6636acd7608889639c1b2e492517256f76.
Thanks,
Mathieu