Hello community,

here is the log from the commit of package python-GitPython for 
openSUSE:Factory checked in at 2023-09-07 21:12:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-GitPython (Old)
 and      /work/SRC/openSUSE:Factory/.python-GitPython.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-GitPython"

Thu Sep  7 21:12:11 2023 rev:29 rq:1109413 version:3.1.34.1693646983.2a2ae77

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-GitPython/python-GitPython.changes        
2023-08-22 08:55:13.686454115 +0200
+++ 
/work/SRC/openSUSE:Factory/.python-GitPython.new.1766/python-GitPython.changes  
    2023-09-07 21:12:22.648525568 +0200
@@ -1,0 +2,68 @@
+Tue Sep  5 08:30:24 UTC 2023 - Daniel Garcia <daniel.gar...@suse.com>
+
+- Add CVE-2023-41040.patch to fix directory traversal attack
+  vulnerability gh#gitpython-developers/GitPython#1644
+  bsc#1214810
+
+-------------------------------------------------------------------
+Tue Sep 05 06:34:12 UTC 2023 - daniel.gar...@suse.com
+
+- Update _service to use manualrun, disabledrun is deprecated now.
+- Update to version 3.1.34.1693646983.2a2ae77:
+  * prepare patch release
+  * util: close lockfile after opening successfully
+  * update instructions for how to create a release
+  * prepare for next release
+  * Skip now permanently failing test with note on how to fix it
+  * Don't check form of version number
+  * Add a unit test for CVE-2023-40590
+  * Fix CVE-2023-40590
+  * feat: full typing for "progress" parameter
+  * Creating a lock now uses python built-in "open()" method to work around 
docker virtiofs issue
+  * Disable merge_includes in config writers
+  * Apply straight-forward typing fixes
+  * Add missing type annotation
+  * Run black and exclude submodule
+  * Allow explicit casting even when slightly redundant
+  * Ignore remaining [unreachable] type errors
+  * Define supported version for mypy
+  * Do not typecheck submodule
+  * typo
+  * added more resources section
+  * generic hash
+  * redundant code cell
+  * redundant line
+  * fixed tabbing
+  * tabbed all code-blocks
+  * added new section for diffs and formatting
+  * formatting wip
+  * change to formatting - removed = bash cmds
+  * Added new section to print prev file
+  * WIP major changes to structure to improve readability
+  * Removed all reference to source code
+  * Updated generic sha hash
+  * Added warning about index add
+  * Made trees and blobs the first section
+  * refactored print git tree
+  * clarified comment
+  * draft of description
+  * replaced hash with generic
+  * replaced output cell to generic commit ID
+  * removed unnecessary variables
+  * convert from --all flag to all=True
+  * correct way to get the latest commit tree
+  * removed try/except and updated sample url
+  * Updated the sample repo URL
+  * Made variable names more intuitive
+  * try to fix CI by making it deal with tags forcefully.
+  * Removed code from RST
+  * added quickstart to toctree to fix sphinx warning
+  * added quickstart to toctree and fixed sphinx warning
+  * fixed some indentation
+  * finished code for quickstart
+  * finished code for quickstart
+  * Finishing touches for Repo quickstart
+  * Added git clone & git add
+  * Made the init repo section of quickdoc
+
+-------------------------------------------------------------------

Old:
----
  GitPython-3.1.32.1689011721.5d45ce2.tar.xz

New:
----
  CVE-2023-41040.patch
  GitPython-3.1.34.1693646983.2a2ae77.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-GitPython.spec ++++++
--- /var/tmp/diff_new_pack.PkidlH/_old  2023-09-07 21:12:23.944571899 +0200
+++ /var/tmp/diff_new_pack.PkidlH/_new  2023-09-07 21:12:23.944571899 +0200
@@ -17,10 +17,10 @@
 
 
 %define skip_python2 1
-%define simple_ver 3.1.32
+%define simple_ver 3.1.34
 %{?sle15_python_module_pythons}
 Name:           python-GitPython
-Version:        3.1.32.1689011721.5d45ce2
+Version:        3.1.34.1693646983.2a2ae77
 Release:        0
 Summary:        Python Git Library
 License:        BSD-3-Clause
@@ -28,6 +28,8 @@
 Source:         GitPython-%{version}.tar.xz
 Patch0:         test-skips.patch
 Patch1:         test_blocking_lock_file-extra-time.patch
+# PATCH-FIX-UPSTREAM CVE-2023-41040.patch 
gh#gitpython-developers/GitPython#1644
+Patch2:         CVE-2023-41040.patch
 BuildRequires:  %{python_module ddt >= 1.1.1}
 BuildRequires:  %{python_module gitdb >= 4.0.1}
 BuildRequires:  %{python_module pip}

++++++ CVE-2023-41040.patch ++++++
diff --git a/git/refs/symbolic.py b/git/refs/symbolic.py
index 33c3bf15b..5c293aa7b 100644
--- a/git/refs/symbolic.py
+++ b/git/refs/symbolic.py
@@ -168,6 +168,8 @@ def _get_ref_info_helper(
         """Return: (str(sha), str(target_ref_path)) if available, the sha the 
file at
         rela_path points to, or None. target_ref_path is the reference we
         point to, or None"""
+        if ".." in str(ref_path):
+            raise ValueError(f"Invalid reference '{ref_path}'")
         tokens: Union[None, List[str], Tuple[str, str]] = None
         repodir = _git_dir(repo, ref_path)
         try:
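Review bot: The new guard at the top of `_get_ref_info_helper` is a bare substring test on `".."` with no comment saying what it protects against; add `# Reject parent-directory components so a caller-supplied ref name cannot be resolved to a file outside the git dir (CVE-2023-41040, gh#1644).` above the `if`. The hunk raises `ValueError`, while the accompanying test in test/test_refs.py expects `BadName` from `Repo.commit`, so the check only satisfies that test if a caller translates `ValueError` into `BadName`; that translation is not visible in this patch and should be confirmed. The substring match rejects every name containing `..`, which git's own ref-name rules already forbid, so no valid reference is lost. Whether an absolute `ref_path` is also rejected cannot be told from this hunk, since the join with `repodir` happens inside `_git_dir` and further down, so that case is worth checking separately. `_get_ref_info_helper` begins before this hunk and its body continues after it.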
diff --git a/test/test_refs.py b/test/test_refs.py
index 4c421767e..e7526c3b2 100644
--- a/test/test_refs.py
+++ b/test/test_refs.py
@@ -5,6 +5,7 @@
 # the BSD License: http://www.opensource.org/licenses/bsd-license.php
 
 from itertools import chain
+from pathlib import Path
 
 from git import (
     Reference,
@@ -20,9 +21,11 @@
 from git.objects.tag import TagObject
 from test.lib import TestBase, with_rw_repo
 from git.util import Actor
+from gitdb.exc import BadName
 
 import git.refs as refs
 import os.path as osp
+import tempfile
 
 
 class TestRefs(TestBase):
@@ -616,3 +619,15 @@ def test_dereference_recursive(self):
 
     def test_reflog(self):
         assert isinstance(self.rorepo.heads.master.log(), RefLog)
+
+    def test_refs_outside_repo(self):
+        # Create a file containing a valid reference outside the repository. 
Attempting
+        # to access it should raise an exception, due to it containing a 
parent directory
+        # reference ('..'). This tests for CVE-2023-41040.
+        git_dir = Path(self.rorepo.git_dir)
+        repo_parent_dir = git_dir.parent.parent
+        with tempfile.NamedTemporaryFile(dir=repo_parent_dir) as ref_file:
+            ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe")
+            ref_file.flush()
+            ref_file_name = Path(ref_file.name).name
+            self.assertRaises(BadName, self.rorepo.commit, 
f"../../{ref_file_name}")

++++++ GitPython-3.1.32.1689011721.5d45ce2.tar.xz -> 
GitPython-3.1.34.1693646983.2a2ae77.tar.xz ++++++
++++ 1937 lines of diff (skipped)

++++++ _service ++++++
--- /var/tmp/diff_new_pack.PkidlH/_old  2023-09-07 21:12:24.708599211 +0200
+++ /var/tmp/diff_new_pack.PkidlH/_new  2023-09-07 21:12:24.708599211 +0200
@@ -1,17 +1,17 @@
 <services>
-  <service name="tar_scm" mode="disabled">
-    <param name="versionprefix">3.1.32</param>
+  <service name="tar_scm" mode="manual">
+    <param name="versionprefix">3.1.34</param>
     <param name="url">https://github.com/gitpython-developers/GitPython</param>
     <param name="scm">git</param>
     <param name="package-meta">yes</param>
     <param name="changesgenerate">enable</param>
     <param name="submodules">enable</param>
-    <param name="revision">3.1.32</param>
+    <param name="revision">3.1.34</param>
   </service>
-  <service name="recompress" mode="disabled">
+  <service name="recompress" mode="manual">
     <param name="compression">xz</param>
     <param name="file">*.tar</param>
   </service>
-  <service name="set_version" mode="disabled"/>
+  <service name="set_version" mode="manual"/>
 </services>
 

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.PkidlH/_old  2023-09-07 21:12:24.728599926 +0200
+++ /var/tmp/diff_new_pack.PkidlH/_new  2023-09-07 21:12:24.732600069 +0200
@@ -3,6 +3,6 @@
                 <param 
name="url">git://github.com/gitpython-developers/GitPython</param>
               <param 
name="changesrevision">f653af66e4c9461579ec44db50e113facf61e2d3</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/gitpython-developers/GitPython</param>
-              <param 
name="changesrevision">5d45ce243a12669724e969442e6725a894e30fd4</param></service></servicedata>
+              <param 
name="changesrevision">2a2ae776825f249a3bb7efd9b08650486226b027</param></service></servicedata>
 (No newline at EOF)
 

++++++ test-skips.patch ++++++
--- /var/tmp/diff_new_pack.PkidlH/_old  2023-09-07 21:12:24.744600498 +0200
+++ /var/tmp/diff_new_pack.PkidlH/_new  2023-09-07 21:12:24.744600498 +0200
@@ -5,8 +5,10 @@
  test/test_submodule.py |   19 +++++++++++--------
  4 files changed, 18 insertions(+), 10 deletions(-)
 
---- a/test/test_base.py
-+++ b/test/test_base.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_base.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_base.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_base.py
 @@ -109,7 +109,8 @@ class TestBase(_TestBase):
          assert osp.isdir(osp.join(rw_repo.working_tree_dir, "lib"))
          assert osp.isdir(rw_repo.working_dir)
@@ -17,8 +19,10 @@
      @with_rw_and_rw_remote_repo("0.1.6")
      def test_with_rw_remote_and_rw_repo(self, rw_repo, rw_remote_repo):
          assert not rw_repo.config_reader("repository").getboolean("core", 
"bare")
---- a/test/test_remote.py
-+++ b/test/test_remote.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_remote.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_remote.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_remote.py
 @@ -4,6 +4,7 @@
  # This module is part of GitPython and is released under
  # the BSD License: http://www.opensource.org/licenses/bsd-license.php
@@ -45,18 +49,22 @@
      def test_fetch_error(self):
          rem = self.rorepo.remote("origin")
          with self.assertRaisesRegex(GitCommandError, "[Cc]ouldn't find remote 
ref __BAD_REF__"):
---- a/test/test_repo.py
-+++ b/test/test_repo.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_repo.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_repo.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_repo.py
 @@ -250,6 +250,7 @@ class TestRepo(TestBase):
              except UnicodeEncodeError:
                  self.fail("Raised UnicodeEncodeError")
  
 +    @skipIf(os.environ.get('SKIP_GITHUB', 'false') == 'true', 'Gitlab 
connection error')
      @with_rw_directory
+     @skip("the referenced repository was removed, and one needs to setup a 
new password controlled repo under the orgs control")
      def test_leaking_password_in_clone_logs(self, rw_dir):
-         password = "fakepassword1234"
---- a/test/test_submodule.py
-+++ b/test/test_submodule.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_submodule.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_submodule.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_submodule.py
 @@ -453,14 +453,15 @@ class TestSubmodule(TestBase):
          reason="Cygwin GitPython can't find submodule SHA",
          raises=ValueError

++++++ test_blocking_lock_file-extra-time.patch ++++++
--- /var/tmp/diff_new_pack.PkidlH/_old  2023-09-07 21:12:24.756600927 +0200
+++ /var/tmp/diff_new_pack.PkidlH/_new  2023-09-07 21:12:24.760601070 +0200
@@ -2,8 +2,10 @@
  test/test_util.py |    4 +---
  1 file changed, 1 insertion(+), 3 deletions(-)
 
---- a/test/test_util.py
-+++ b/test/test_util.py
+Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_util.py
+===================================================================
+--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_util.py
++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_util.py
 @@ -173,9 +173,7 @@ class TestUtils(TestBase):
          self.assertRaises(IOError, wait_lock._obtain_lock)
          elapsed = time.time() - start
