
[bug#55001] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].

Message ID 8635iabj7y.fsf@163.com
State Accepted
Series [bug#55001] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].

Checks

Context Check
cbaines/comparison success
cbaines/git branch success
cbaines/applying patch fail
cbaines/issue success

Commit Message

Zhu Zihao April 18, 2022, 1:42 p.m. UTC

Comments

Greg Hogan April 18, 2022, 3:53 p.m. UTC | #1
Hi Zihao,

Is this not a Windows-only vulnerability and bugfix release (also
CVE-2022-24767)?

Greg

On Mon, Apr 18, 2022 at 9:44 AM Zhu Zihao <all_but_last@163.com> wrote:

>
> --
> Retrieve my PGP public key:
>
>   gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
>
> Zihao
>
Zhu Zihao April 18, 2022, 4:02 p.m. UTC | #2
Greg Hogan <code@greghogan.com> writes:

> Hi Zihao,
>
> Is this not a Windows-only vulnerability and bugfix release (also CVE-2022-24767)?
>
> Greg
>
> On Mon, Apr 18, 2022 at 9:44 AM Zhu Zihao <all_but_last@163.com> wrote:
>
>  -- 
>  Retrieve my PGP public key:
>
>    gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
>
>  Zihao

Hi.

https://www.phoronix.com/scan.php?page=news_item&px=Git-CVE-2022-24765

This article says "likely due to only affect Microsoft Windows". I
haven't tested this CVE on *nix systems.

If it doesn't affect Guix systems, should I remove "[fixes
CVE-2022-24765]" in the git commit message or leave it there?
M April 18, 2022, 6:03 p.m. UTC | #3
Zhu Zihao schreef op di 19-04-2022 om 00:02 [+0800]:
> 
> Hi.
> 
> https://www.phoronix.com/scan.php?page=news_item&px=Git-CVE-2022-24765
> 
> This article says "likely due to only affect Microsoft Windows". I
> haven't tested this CVE on *nix systems.
> 
> If it doesn't affect Guix systems, should I remove "[fixes
> CVE-2022-24765]" in the git commit message or leave it there?

According to <https://lwn.net/Articles/891112/#Comments> and its
comments, it affects ‘multi-user (*) Linux (**) systems’ as well, if
someone has their git repo inside /tmp.  (Does anyone actually do
that?)

(*) I would think this includes otherwise single-user systems with a
compromised daemon as well?  
(**) Presumably also GNU/Hurd and the BSDs.

Greetings,
Maxime.
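As an added check, not part of the thread or of Guix, the POSIX shell function below walks from a directory up to `/` and reports every `.git` that git would discover on the way, flagging any owned by a different user; that is the shared-system case Maxime describes, and the case git 2.35.2 refuses unless the path is listed in `safe.directory`. It assumes only a POSIX `find` with `-user` and `id -un`.

```shell
# Added example (not from the thread or from Guix): walk from DIR up to /
# and print every .git found on the way, tagged "own" when it belongs to
# the calling user and "FOREIGN" otherwise.  A FOREIGN hit is the
# multi-user condition CVE-2022-24765 concerns (e.g. a repo under /tmp).
list_parent_gitdirs() {
  d=$(cd "$1" && pwd -P) || return 1   # resolve symlinks; fail on bad DIR
  me=$(id -un)
  while :; do
    # .git may be a directory or a "gitdir:" file; git accepts both.
    if [ -e "$d/.git" ]; then
      # -prune stops find from descending, so an unreadable foreign .git
      # yields no permission errors; output is non-empty only when the
      # entry is owned by the current user.
      if [ -n "$(find "$d/.git" -prune -user "$me" 2>/dev/null)" ]; then
        printf 'own %s\n' "$d/.git"
      else
        printf 'FOREIGN %s\n' "$d/.git"
      fi
    fi
    [ "$d" = / ] && break
    d=$(dirname "$d")
  done
  return 0
}

# Usage: audit the directory you are about to run git in.
# list_parent_gitdirs "$PWD"
```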

Patch

From c1ced93b4acc56f9a33d10ebed8b1cefc7dc1b9d Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last@163.com>
Date: Mon, 18 Apr 2022 21:40:19 +0800
Subject: [PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765

* gnu/packages/version-control.scm (git): Update to 2.35.2.
---
 gnu/packages/version-control.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index d77c2e51f6..9902483d76 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -221,14 +221,14 @@  (define git-cross-configure-flags
 (define-public git
   (package
    (name "git")
-   (version "2.35.1")
+   (version "2.35.2")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://kernel.org/software/scm/git/git-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "100h37cpw49pmlpf6lcpm1xi578gllf6y9in60h5mxj3cj754s6p"))))
+              "1wq0wrdg81b324y17fr4jaw5zk2i4fah0f99rhndpsywlm7hqgf7"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("native-perl" ,perl)
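Review bot: the subject line credits only CVE-2022-24765, while comment #1 in the thread notes that the 2.35.2 release also addresses CVE-2022-24767 and comment #3 gives the non-Windows case (a repository under /tmp on a multi-user system) that justifies keeping the tag for Guix; consider listing both CVEs and stating that applicability in the commit body, since `* gnu/packages/version-control.scm (git): Update to 2.35.2.` is otherwise the only description of the change. Separately, the Checks table above reports `cbaines/applying patch` as fail, so the patch likely needs a rebase onto the current master before it can be merged.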
@@ -248,7 +248,7 @@  (define-public git
                 version ".tar.xz"))
           (sha256
            (base32
-            "00rqdj2bc3i7pfc16pciiz50ww41jkqg18iy5hi5jnf0y98sgqz4"))))
+            "1s3fbnl2slwd3b5j2281z8jwypsqydd1n7yg90v7vb369njvmsd0"))))
       ;; For subtree documentation.
       ("asciidoc" ,asciidoc)
       ("docbook-xsl" ,docbook-xsl)
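Review bot: this hunk replaces the hash of a second origin inside the git package whose URI is built from the same `version` variable, but neither the commit body nor the ChangeLog line says which input this is; a one-line note naming the companion tarball and stating that both hashes were obtained with `guix download` on the new URLs would make the pair of hash changes straightforward to verify and confirms the bump was applied to both origins rather than only the main source.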
-- 
2.35.1