Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-GitPython for openSUSE:Factory checked in at 2023-09-07 21:12:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-GitPython (Old) and /work/SRC/openSUSE:Factory/.python-GitPython.new.1766 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-GitPython" Thu Sep 7 21:12:11 2023 rev:29 rq:1109413 version:3.1.34.1693646983.2a2ae77 Changes: -------- --- /work/SRC/openSUSE:Factory/python-GitPython/python-GitPython.changes 2023-08-22 08:55:13.686454115 +0200 +++ /work/SRC/openSUSE:Factory/.python-GitPython.new.1766/python-GitPython.changes 2023-09-07 21:12:22.648525568 +0200 
@@ -1,0 +2,68 @@
+Tue Sep 5 08:30:24 UTC 2023 - Daniel Garcia <daniel.gar...@suse.com>
+
+- Add CVE-2023-41040.patch to fix directory traversal attack
+ vulnerability gh#gitpython-developers/GitPython#1644
+ bsc#1214810
+
+-------------------------------------------------------------------
+Tue Sep 05 06:34:12 UTC 2023 - daniel.gar...@suse.com
+
+- Update _service to use manualrun, disabledrun is deprecated now.
+- Update to version 3.1.34.1693646983.2a2ae77:
+ * prepare patch release
+ * util: close lockfile after opening successfully
+ * update instructions for how to create a release
+ * prepare for next release
+ * Skip now permanently failing test with note on how to fix it
+ * Don't check form of version number
+ * Add a unit test for CVE-2023-40590
+ * Fix CVE-2023-40590
+ * feat: full typing for "progress" parameter
+ * Creating a lock now uses python built-in "open()" method to work around docker virtiofs issue
+ * Disable merge_includes in config writers
+ * Apply straight-forward typing fixes
+ * Add missing type annotation
+ * Run black and exclude submodule
+ * Allow explicit casting even when slightly redundant
+ * Ignore remaining [unreachable] type errors
+ * Define supported version for mypy
+ * Do not typecheck submodule
+ * typo
+ * added more resources section
+ * generic hash
+ * redundant code cell
+ * redundant line
+ * fixed tabbing
+ * tabbed all code-blocks
+ * added new section for diffs and formatting
+ * formatting wip
+ * change to formatting - removed = bash cmds
+ * Added new section to print prev file
+ * WIP major changes to structure to improve readability
+ * Removed all reference to source code
+ * Updated generic sha hash
+ * Added warning about index add
+ * Made trees and blobs the first section
+ * refactored print git tree
+ * clarified comment
+ * draft of description
+ * replaced hash with generic
+ * replaced output cell to generic commit ID
+ * removed unnecessary variables
+ * convert from --all flag to all=True
+ * correct way to get the latest commit tree
+ * removed try/except and updated sample url
+ * Updated the sample repo URL
+ * Made variable names more intuitive
+ * try to fix CI by making it deal with tags forcefully.
+ * Removed code from RST
+ * added quickstart to toctree to fix sphinx warning
+ * added quickstart to toctree and fixed sphinx warning
+ * fixed some indentation
+ * finished code for quickstart
+ * finished code for quickstart
+ * Finishing touches for Repo quickstart
+ * Added git clone & git add
+ * Made the init repo section of quickdoc
+
+-------------------------------------------------------------------
Old:
----
GitPython-3.1.32.1689011721.5d45ce2.tar.xz
New:
----
CVE-2023-41040.patch
GitPython-3.1.34.1693646983.2a2ae77.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-GitPython.spec ++++++
--- /var/tmp/diff_new_pack.PkidlH/_old 2023-09-07 21:12:23.944571899 +0200
+++ /var/tmp/diff_new_pack.PkidlH/_new 2023-09-07 21:12:23.944571899 +0200
@@ -17,10 +17,10 @@
 %define skip_python2 1
-%define simple_ver 3.1.32
+%define simple_ver 3.1.34
 %{?sle15_python_module_pythons}
 Name: python-GitPython
-Version: 3.1.32.1689011721.5d45ce2
+Version: 3.1.34.1693646983.2a2ae77
 Release: 0
 Summary: Python Git Library
 License: BSD-3-Clause
@@ -28,6 +28,8 @@
 Source: GitPython-%{version}.tar.xz
 Patch0: test-skips.patch
 Patch1: test_blocking_lock_file-extra-time.patch
+# PATCH-FIX-UPSTREAM CVE-2023-41040.patch gh#gitpython-developers/GitPython#1644
+Patch2: CVE-2023-41040.patch
 BuildRequires: %{python_module ddt >= 1.1.1}
 BuildRequires: %{python_module gitdb >= 4.0.1}
 BuildRequires: %{python_module pip}
++++++ CVE-2023-41040.patch ++++++
diff --git a/git/refs/symbolic.py b/git/refs/symbolic.py
index 33c3bf15b..5c293aa7b 100644
--- a/git/refs/symbolic.py
+++ b/git/refs/symbolic.py
@@ -168,6 +168,8 @@ def _get_ref_info_helper(
 """Return: (str(sha), str(target_ref_path)) if available, the sha the file at rela_path points to, or None. target_ref_path is the reference we point to, or None"""
+ if ".." in str(ref_path):
+ raise ValueError(f"Invalid reference '{ref_path}'")
 tokens: Union[None, List[str], Tuple[str, str]] = None
 repodir = _git_dir(repo, ref_path)
 try:
diff --git a/test/test_refs.py b/test/test_refs.py
index 4c421767e..e7526c3b2 100644
--- a/test/test_refs.py
+++ b/test/test_refs.py
@@ -5,6 +5,7 @@
 # the BSD License: http://www.opensource.org/licenses/bsd-license.php
 from itertools import chain
+from pathlib import Path
 from git import (
 Reference,
@@ -20,9 +21,11 @@
 from git.objects.tag import TagObject
 from test.lib import TestBase, with_rw_repo
 from git.util import Actor
+from gitdb.exc import BadName
 import git.refs as refs
 import os.path as osp
+import tempfile
 class TestRefs(TestBase):
@@ -616,3 +619,15 @@ def test_dereference_recursive(self):
 def test_reflog(self):
 assert isinstance(self.rorepo.heads.master.log(), RefLog)
+
+ def test_refs_outside_repo(self):
+ # Create a file containing a valid reference outside the repository. Attempting
+ # to access it should raise an exception, due to it containing a parent directory
+ # reference ('..'). This tests for CVE-2023-41040.
+ git_dir = Path(self.rorepo.git_dir)
+ repo_parent_dir = git_dir.parent.parent
+ with tempfile.NamedTemporaryFile(dir=repo_parent_dir) as ref_file:
+ ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe")
+ ref_file.flush()
+ ref_file_name = Path(ref_file.name).name
+ self.assertRaises(BadName, self.rorepo.commit, f"../../{ref_file_name}")
++++++ GitPython-3.1.32.1689011721.5d45ce2.tar.xz -> GitPython-3.1.34.1693646983.2a2ae77.tar.xz ++++++
++++ 1937 lines of diff (skipped)
++++++ _service ++++++
--- /var/tmp/diff_new_pack.PkidlH/_old 2023-09-07 21:12:24.708599211 +0200
+++ /var/tmp/diff_new_pack.PkidlH/_new 2023-09-07 21:12:24.708599211 +0200
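Review bot: The new `..` guard in `_get_ref_info_helper` carries no comment saying why a plain substring test is the right check, and it raises ValueError while the test added in the same patch expects BadName from `Repo.commit`, so the translation presumably happens in a caller outside this hunk and a reader of this function cannot see it. I would put `# A ref name containing '..' is never valid to git, and is what let a name like '../../x' resolve to a file outside the git dir (CVE-2023-41040); callers map the ValueError to BadName.` above the `if`. The guard covers only the `..` form; whether an absolute `ref_path` could still reach outside the repository through `_git_dir(repo, ref_path)` depends on how that helper joins paths, which is not visible here and is worth confirming. The function starts before and continues after this hunk.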
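Review bot: `test_refs_outside_repo` writes its temporary file into `git_dir.parent.parent`, a directory outside the checkout under test, so the test needs that directory to be writable and ties itself to the fixture repository sitting exactly one level below it; in a packaging sandbox with a read-only or differently laid-out parent it fails for reasons unrelated to the fix. That assumption deserves a comment on the `repo_parent_dir` line, e.g. `# one level above the repository; must be writable and match the '../../' used below`. The enclosing class continues outside the hunk.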
@@ -1,17 +1,17 @@
 <services>
- <service name="tar_scm" mode="disabled">
- <param name="versionprefix">3.1.32</param>
+ <service name="tar_scm" mode="manual">
+ <param name="versionprefix">3.1.34</param>
 <param name="url">https://github.com/gitpython-developers/GitPython</param>
 <param name="scm">git</param>
 <param name="package-meta">yes</param>
 <param name="changesgenerate">enable</param>
 <param name="submodules">enable</param>
- <param name="revision">3.1.32</param>
+ <param name="revision">3.1.34</param>
 </service>
- <service name="recompress" mode="disabled">
+ <service name="recompress" mode="manual">
 <param name="compression">xz</param>
 <param name="file">*.tar</param>
 </service>
- <service name="set_version" mode="disabled"/>
+ <service name="set_version" mode="manual"/>
 </services>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.PkidlH/_old 2023-09-07 21:12:24.728599926 +0200
+++ /var/tmp/diff_new_pack.PkidlH/_new 2023-09-07 21:12:24.732600069 +0200
@@ -3,6 +3,6 @@ <param name="url">git://github.com/gitpython-developers/GitPython</param> <param name="changesrevision">f653af66e4c9461579ec44db50e113facf61e2d3</param></service><service name="tar_scm"> <param name="url">https://github.com/gitpython-developers/GitPython</param>
- <param name="changesrevision">5d45ce243a12669724e969442e6725a894e30fd4</param></service></servicedata>
+ <param name="changesrevision">2a2ae776825f249a3bb7efd9b08650486226b027</param></service></servicedata>
(No newline at EOF)
++++++ test-skips.patch ++++++
--- /var/tmp/diff_new_pack.PkidlH/_old 2023-09-07 21:12:24.744600498 +0200
+++ /var/tmp/diff_new_pack.PkidlH/_new 2023-09-07 21:12:24.744600498 +0200
@@ -5,8 +5,10 @@ test/test_submodule.py | 19 +++++++++++-------- 4 files changed, 18 insertions(+), 10 deletions(-) ---- a/test/test_base.py -+++ b/test/test_base.py +Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_base.py +=================================================================== +--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_base.py ++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_base.py @@ -109,7 +109,8 @@ class TestBase(_TestBase): assert osp.isdir(osp.join(rw_repo.working_tree_dir, "lib")) assert osp.isdir(rw_repo.working_dir) @@ -17,8 +19,10 @@ @with_rw_and_rw_remote_repo("0.1.6") def test_with_rw_remote_and_rw_repo(self, rw_repo, rw_remote_repo): assert not rw_repo.config_reader("repository").getboolean("core", "bare") ---- a/test/test_remote.py -+++ b/test/test_remote.py +Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_remote.py +=================================================================== +--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_remote.py ++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_remote.py @@ -4,6 +4,7 @@ # This module is part of GitPython and is released under # the BSD License: http://www.opensource.org/licenses/bsd-license.php @@ -45,18 +49,22 @@ def test_fetch_error(self): rem = self.rorepo.remote("origin") with self.assertRaisesRegex(GitCommandError, "[Cc]ouldn't find remote ref __BAD_REF__"): ---- a/test/test_repo.py -+++ b/test/test_repo.py +Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_repo.py +=================================================================== +--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_repo.py ++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_repo.py 
@@ -250,6 +250,7 @@ class TestRepo(TestBase): except UnicodeEncodeError: self.fail("Raised UnicodeEncodeError") + @skipIf(os.environ.get('SKIP_GITHUB', 'false') == 'true', 'Gitlab connection error') @with_rw_directory + @skip("the referenced repository was removed, and one needs to setup a new password controlled repo under the orgs control") def test_leaking_password_in_clone_logs(self, rw_dir): - password = "fakepassword1234" ---- a/test/test_submodule.py -+++ b/test/test_submodule.py +Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_submodule.py +=================================================================== +--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_submodule.py ++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_submodule.py @@ -453,14 +453,15 @@ class TestSubmodule(TestBase): reason="Cygwin GitPython can't find submodule SHA", raises=ValueError ++++++ test_blocking_lock_file-extra-time.patch ++++++ --- /var/tmp/diff_new_pack.PkidlH/_old 2023-09-07 21:12:24.756600927 +0200 +++ /var/tmp/diff_new_pack.PkidlH/_new 2023-09-07 21:12:24.760601070 +0200 @@ -2,8 +2,10 @@ test/test_util.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) ---- a/test/test_util.py -+++ b/test/test_util.py +Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_util.py +=================================================================== +--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_util.py ++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_util.py @@ -173,9 +173,7 @@ class TestUtils(TestBase): self.assertRaises(IOError, wait_lock._obtain_lock) elapsed = time.time() - start