GNU bug report logs - #63092
[PATCH] gnu: git: Update to 2.40.1 [security fixes].


Package: guix-patches;

Reported by: Greg Hogan <code <at> greghogan.com>

Date: Wed, 26 Apr 2023 16:42:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


Report forwarded to guix-patches <at> gnu.org:
bug#63092; Package guix-patches. (Wed, 26 Apr 2023 16:42:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Greg Hogan <code <at> greghogan.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 26 Apr 2023 16:42:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Greg Hogan <code <at> greghogan.com>
To: guix-patches <at> gnu.org
Cc: Greg Hogan <code <at> greghogan.com>
Subject: [PATCH] gnu: git: Update to 2.40.1 [security fixes].
Date: Wed, 26 Apr 2023 16:40:50 +0000

Fixes CVE-2023-25652 and CVE-2023-29007.

* gnu/packages/version-control.scm (git): Update to 2.40.1.
---
 gnu/packages/version-control.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index c2ec490383..5f6766f510 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -227,14 +227,14 @@ (define git-cross-configure-flags
 (define-public git
   (package
    (name "git")
-   (version "2.39.2")
+   (version "2.40.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://kernel.org/software/scm/git/git-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1mpjvhyw8mv2q941xny4d0gw3mb6b4bqaqbh73jd8b1v6zqpaps7"))))
+              "1li1xwgiwccy88bkshsah2kzl1006jg29jp7n32gvjggiswvi4s8"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("native-perl" ,perl)
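
Review bot: the version line in this hunk moves git from 2.39.2 to 2.40.1, which crosses into a new minor series, so the commit brings in more than the two CVE fixes named in the log. Please say in the log that the update crosses a minor release, and build the packages in this file that reuse git's source or phases before this lands, since upstream file removals between series can break their phases.
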
@@ -254,7 +254,7 @@ (define-public git
                 version ".tar.xz"))
           (sha256
            (base32
-            "09cva868qb4705s884dzvbwkm78jlw4q8m6xj7nd7cwxy2i2ff8b"))))
+            "04yy5za8963q6xzrirflvxbi1216jzqj8ssvgd9nkld3ifa9q1gy"))))
       ;; For subtree documentation.
       ("asciidoc" ,asciidoc)
       ("docbook2x" ,docbook2x)
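
Review bot: the second base32 hash, in the origin just above the "For subtree documentation." inputs, changes together with the version, but nothing in the patch or the log says how either new hash was obtained. These two sha256 values are the only integrity pin on a security update, so please confirm that both tarballs were checked against the upstream release signature before they were hashed, and mention that in the submission.
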
-- 
2.40.0





Information forwarded to guix-patches <at> gnu.org:
bug#63092; Package guix-patches. (Wed, 26 Apr 2023 17:28:01 GMT) Full text and rfc822 format available.

Message #8 received at 63092 <at> debbugs.gnu.org (full text, mbox):

From: Greg Hogan <code <at> greghogan.com>
To: 63092 <at> debbugs.gnu.org
Cc: Greg Hogan <code <at> greghogan.com>
Subject: [PATCH v2 0/2] Update git [security fixes].
Date: Wed, 26 Apr 2023 17:27:21 +0000

v2 adds a fix for git-minimal.

Greg Hogan (2):
  gnu: git: Update to 2.40.1 [security fixes].
  gnu: git-minimal: Remove deletion of removed file.

 gnu/packages/version-control.scm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

-- 
2.40.0





Information forwarded to guix-patches <at> gnu.org:
bug#63092; Package guix-patches. (Wed, 26 Apr 2023 17:28:02 GMT) Full text and rfc822 format available.

Message #11 received at 63092 <at> debbugs.gnu.org (full text, mbox):

From: Greg Hogan <code <at> greghogan.com>
To: 63092 <at> debbugs.gnu.org
Cc: Greg Hogan <code <at> greghogan.com>
Subject: [PATCH v2 2/2] gnu: git-minimal: Remove deletion of removed file.
Date: Wed, 26 Apr 2023 17:27:23 +0000

* gnu/packages/version-control.scm (git-minimal)
[arguments]<#:phases>(remove-unusable-perl-commands): Remove
from deletion list the file deleted from upstream.
---
 gnu/packages/version-control.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 5f6766f510..3f1f8d4ec2 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -638,7 +638,7 @@ (define-public git-minimal
                                                          "/git-core/" file)))
                            '("git-svn" "git-cvsimport" "git-archimport"
                              "git-cvsserver" "git-request-pull"
-                             "git-add--interactive" "git-cvsexportcommit"
+                             "git-cvsexportcommit"
                              "git-instaweb" "git-send-email"))
                  (delete-file (string-append bin "/git-cvsserver"))
 
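
Review bot: dropping "git-add--interactive" from the deletion list matches 2.40.1, but the list then no longer fits any variant that runs this same phase on a pre-2.40 tarball, where the script still exists and would be left behind in libexec/git-core. If such a variant exists, either keep the entry and make the deletion tolerate a missing file, or give that variant its own list.
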
-- 
2.40.0





Information forwarded to guix-patches <at> gnu.org:
bug#63092; Package guix-patches. (Wed, 26 Apr 2023 17:28:02 GMT) Full text and rfc822 format available.

Message #14 received at 63092 <at> debbugs.gnu.org (full text, mbox):

From: Greg Hogan <code <at> greghogan.com>
To: 63092 <at> debbugs.gnu.org
Cc: Greg Hogan <code <at> greghogan.com>
Subject: [PATCH v2 1/2] gnu: git: Update to 2.40.1 [security fixes].
Date: Wed, 26 Apr 2023 17:27:22 +0000

Fixes CVE-2023-25652 and CVE-2023-29007.

* gnu/packages/version-control.scm (git): Update to 2.40.1.
---
 gnu/packages/version-control.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index c2ec490383..5f6766f510 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -227,14 +227,14 @@ (define git-cross-configure-flags
 (define-public git
   (package
    (name "git")
-   (version "2.39.2")
+   (version "2.40.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://kernel.org/software/scm/git/git-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1mpjvhyw8mv2q941xny4d0gw3mb6b4bqaqbh73jd8b1v6zqpaps7"))))
+              "1li1xwgiwccy88bkshsah2kzl1006jg29jp7n32gvjggiswvi4s8"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("native-perl" ,perl)
@@ -254,7 +254,7 @@ (define-public git
                 version ".tar.xz"))
           (sha256
            (base32
-            "09cva868qb4705s884dzvbwkm78jlw4q8m6xj7nd7cwxy2i2ff8b"))))
+            "04yy5za8963q6xzrirflvxbi1216jzqj8ssvgd9nkld3ifa9q1gy"))))
       ;; For subtree documentation.
       ("asciidoc" ,asciidoc)
       ("docbook2x" ,docbook2x)
-- 
2.40.0





Information forwarded to guix-patches <at> gnu.org:
bug#63092; Package guix-patches. (Wed, 26 Apr 2023 19:04:01 GMT) Full text and rfc822 format available.

Message #17 received at 63092 <at> debbugs.gnu.org (full text, mbox):

From: Greg Hogan <code <at> greghogan.com>
To: 63092 <at> debbugs.gnu.org
Cc: Greg Hogan <code <at> greghogan.com>
Subject: [PATCH v3 0/2] Update git [security fixes].
Date: Wed, 26 Apr 2023 19:03:44 +0000

v3 modifies the changes to git-minimal so that the older, pinned version
of git-minimal continues to pass the post-build check.

Greg Hogan (2):
  gnu: git: Update to 2.40.1 [security fixes].
  gnu: git-minimal: Check files exist before delete.

 gnu/packages/version-control.scm | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

-- 
2.40.0





Information forwarded to guix-patches <at> gnu.org:
bug#63092; Package guix-patches. (Wed, 26 Apr 2023 19:04:02 GMT) Full text and rfc822 format available.

Message #20 received at 63092 <at> debbugs.gnu.org (full text, mbox):

From: Greg Hogan <code <at> greghogan.com>
To: 63092 <at> debbugs.gnu.org
Cc: Greg Hogan <code <at> greghogan.com>
Subject: [PATCH v3 2/2] gnu: git-minimal: Check files exist before delete.
Date: Wed, 26 Apr 2023 19:03:46 +0000

* gnu/packages/version-control.scm (git-minimal)
[arguments]<#:phases>(remove-unusable-perl-commands): Add file check
before deleting perl scripts so that this phase works for both new and
old, pinned versions.
---
 gnu/packages/version-control.scm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 5f6766f510..0467e9f4cb 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -634,8 +634,11 @@ (define-public git-minimal
                       (bin     (string-append out "/bin"))
                       (libexec (string-append out "/libexec")))
                  (for-each (lambda (file)
-                             (delete-file (string-append libexec
-                                                         "/git-core/" file)))
+                             (if (file-exists? file)
+                               (delete-file (string-append libexec
+                                                           "/git-core/" file))))
+                           ;; git-add--interactive was removed in Git 2.40 but
+                           ;; this phase is inherited by older versions.
                            '("git-svn" "git-cvsimport" "git-archimport"
                              "git-cvsserver" "git-request-pull"
                              "git-add--interactive" "git-cvsexportcommit"
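
Review bot: the guard and the action in the new lambda name different files: (file-exists? file) tests the bare name relative to the build's current directory, while delete-file acts on (string-append libexec "/git-core/" file). The test will normally be false, so nothing is deleted and the unusable Perl commands stay in the output. Bind the full path once with let and use it for both calls, and prefer 'when' over a one-armed 'if'. The new comment also sits between the lambda and the list; it reads better directly above the for-each.
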
-- 
2.40.0





Information forwarded to guix-patches <at> gnu.org:
bug#63092; Package guix-patches. (Wed, 26 Apr 2023 19:04:02 GMT) Full text and rfc822 format available.

Message #23 received at 63092 <at> debbugs.gnu.org (full text, mbox):

From: Greg Hogan <code <at> greghogan.com>
To: 63092 <at> debbugs.gnu.org
Cc: Greg Hogan <code <at> greghogan.com>
Subject: [PATCH v3 1/2] gnu: git: Update to 2.40.1 [security fixes].
Date: Wed, 26 Apr 2023 19:03:45 +0000

Fixes CVE-2023-25652 and CVE-2023-29007.

* gnu/packages/version-control.scm (git): Update to 2.40.1.
---
 gnu/packages/version-control.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index c2ec490383..5f6766f510 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -227,14 +227,14 @@ (define git-cross-configure-flags
 (define-public git
   (package
    (name "git")
-   (version "2.39.2")
+   (version "2.40.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://kernel.org/software/scm/git/git-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1mpjvhyw8mv2q941xny4d0gw3mb6b4bqaqbh73jd8b1v6zqpaps7"))))
+              "1li1xwgiwccy88bkshsah2kzl1006jg29jp7n32gvjggiswvi4s8"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("native-perl" ,perl)
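
Review bot: this version bump is applied first in the series (2/2 is based on blob 5f6766f510, the result of this patch), so at this commit the git-minimal phase remove-unusable-perl-commands still lists "git-add--interactive", which per 2/2 no longer exists in 2.40. If git-minimal follows this version, it fails to build at this commit. Please put the phase change before the update, or squash the two, so that every commit in the series builds and bisection stays usable.
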
@@ -254,7 +254,7 @@ (define-public git
                 version ".tar.xz"))
           (sha256
            (base32
-            "09cva868qb4705s884dzvbwkm78jlw4q8m6xj7nd7cwxy2i2ff8b"))))
+            "04yy5za8963q6xzrirflvxbi1216jzqj8ssvgd9nkld3ifa9q1gy"))))
       ;; For subtree documentation.
       ("asciidoc" ,asciidoc)
       ("docbook2x" ,docbook2x)
-- 
2.40.0





Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Thu, 11 May 2023 13:16:02 GMT) Full text and rfc822 format available.

Notification sent to Greg Hogan <code <at> greghogan.com>:
bug acknowledged by developer. (Thu, 11 May 2023 13:16:02 GMT) Full text and rfc822 format available.

Message #28 received at 63092-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Greg Hogan <code <at> greghogan.com>
Cc: 63092-done <at> debbugs.gnu.org
Subject: Re: bug#63092: [PATCH] gnu: git: Update to 2.40.1 [security fixes].
Date: Thu, 11 May 2023 15:15:40 +0200

Hi Greg,

Greg Hogan <code <at> greghogan.com> skribis:

> * gnu/packages/version-control.scm (git-minimal)
> [arguments]<#:phases>(remove-unusable-perl-commands): Add file check
> before deleting perl scripts so that this phase works for both new and
> old, pinned versions.

[...]

> +                             (if (file-exists? file)
> +                               (delete-file (string-append libexec
> +                                                           "/git-core/" file))))
> +                           ;; git-add--interactive was removed in Git 2.40 but
> +                           ;; this phase is inherited by older versions.

The ‘file-exists?’ and ‘delete-file’ calls are passed different file
names.  Also, this won’t prevent a rebuild of ‘git-minimal/pinned’.

So I went with a different approach to achieve that goal.  Applied now.

Thanks!

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 09 Jun 2023 11:24:13 GMT) Full text and rfc822 format available.

This bug report was last modified 321 days ago.
