From fb008e17dd9250267ec12743677a683d8598edb1 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 10 2018 05:21:55 +0000
Subject: import git-1.8.3.1-13.el7
---
diff --git a/SOURCES/0009-remote-curl-fall-back-to-Basic-auth-if-Negotiate-fai.patch b/SOURCES/0009-remote-curl-fall-back-to-Basic-auth-if-Negotiate-fai.patch
new file mode 100644
index 0000000..9c011e2
--- /dev/null
+++ b/SOURCES/0009-remote-curl-fall-back-to-Basic-auth-if-Negotiate-fai.patch
@@ -0,0 +1,47 @@
+From d6c38a748291246ebe2f7a9e966db24f4b4f839c Mon Sep 17 00:00:00 2001
+From: Petr Stodulka
+Date: Wed, 13 Sep 2017 03:09:59 +0200
+Subject: [PATCH] remote-curl: fall back to Basic auth if Negotiate fails
+
+See the upstream commit 4dbe66464
+---
+ http.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/http.c b/http.c
+index e7c77c0..3320590 100644
+--- a/http.c
++++ b/http.c
+@@ -60,6 +60,9 @@ static const char *user_agent;
+
+ static struct credential cert_auth = CREDENTIAL_INIT;
+ static int ssl_cert_password_required;
++#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
++static unsigned long http_auth_methods = CURLAUTH_ANY;
++#endif
+
+ static struct curl_slist *pragma_header;
+ static struct curl_slist *no_pragma_header;
+@@ -572,6 +575,9 @@ struct active_request_slot *get_active_slot(void)
+ curl_easy_setopt(slot->curl, CURLOPT_UPLOAD, 0);
+ curl_easy_setopt(slot->curl, CURLOPT_HTTPGET, 1);
+ curl_easy_setopt(slot->curl, CURLOPT_FAILONERROR, 1);
++#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
++ curl_easy_setopt(slot->curl, CURLOPT_HTTPAUTH, http_auth_methods);
++#endif
+ if (http_auth.password)
+ init_curl_http_auth(slot->curl);
+
+@@ -856,6 +862,9 @@ int handle_curl_result(struct slot_results *results)
+ credential_reject(&http_auth);
+ return HTTP_NOAUTH;
+ } else {
++#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
++ http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE;
++#endif
+ credential_fill(&http_auth);
+ return HTTP_REAUTH;
+ }
+--
+2.13.5
+
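Review bot: The Negotiate fallback is process-wide and is not limited by scheme or host in the visible lines: `http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE;` in the third http.c hunk clears the bit in a file-scope static that starts at `CURLAUTH_ANY`, and get_active_slot() then applies that mask to every slot it hands out. After one failed attempt, all later requests in the same process are offered only the remaining methods, Basic included. If that else branch can be reached for a plain http:// remote (the enclosing condition is outside the hunk), the retry would send the password in a reversible Basic header. At minimum the static should be documented, e.g. `/* Negotiate is dropped for the rest of the process after a failed attempt; the remaining CURLAUTH_ANY methods include Basic */`, and it is worth confirming whether the fallback should be restricted to https. Both handle_curl_result() and get_active_slot() start and end outside their hunks.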
diff --git a/SOURCES/git-request-pull-fix.patch b/SOURCES/git-request-pull-fix.patch
new file mode 100644
index 0000000..264985d
--- /dev/null
+++ b/SOURCES/git-request-pull-fix.patch
@@ -0,0 +1,13 @@
+diff --git a/git-request-pull.sh b/git-request-pull.sh
+index d566015..71abbf4 100755
+--- a/git-request-pull.sh
++++ b/git-request-pull.sh
+@@ -79,7 +79,7 @@ find_matching_ref='
+ my ($sha1, $ref, $deref) = /^(\S+)\s+(\S+?)(\^\{\})?$/;
+ next unless ($sha1 eq $ARGV[1]);
+ $found = abbr($ref);
+- if ($deref && $ref eq "tags/$ARGV[2]") {
++ if ($deref && $ref eq "refs/tags/$ARGV[2]") {
+ $tagged = $found;
+ last;
+ }
diff --git a/SPECS/git.spec b/SPECS/git.spec
index b63df43..8f26a1f 100644
--- a/SPECS/git.spec
+++ b/SPECS/git.spec
@@ -51,7 +51,7 @@ Name: git
 Version: 1.8.3.1
-Release: 12%{?dist}
+Release: 13%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
 Group: Development/Tools
@@ -83,7 +83,10 @@ Patch9: 0003-transport-refactor-protocol-whitelist-code.patch
 Patch10: 0004-http-limit-redirection-to-protocol-whitelist.patch
 Patch11: 0005-http-limit-redirection-depth.patch
+# various non-CVE bugs
 Patch13: 0001-http-control-GSSAPI-credential-delegation.patch
+Patch17: 0009-remote-curl-fall-back-to-Basic-auth-if-Negotiate-fai.patch
+Patch18: git-request-pull-fix.patch
 # CVE
 Patch12: 0001-Fix-CVE-2016-2315-CVE-2016-2324.patch
@@ -343,6 +346,8 @@ Requires: emacs-git = %{version}-%{release}
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
+%patch18 -p1
 %if %{use_prebuilt_docs}
 mkdir -p prebuilt_docs/{html,man}
@@ -668,6 +673,12 @@ rm -rf %{buildroot}
 # No files for you!
 %changelog
+* Wed Sep 13 2017 Petr Stodulka - 1.8.3.1-13
+- fall back to Basic auth if Negotiate fails
+ Resolves: #1490998
+- handle request-pull when multiple tags point to the same commit
+ Resolves: #1192146
+
 * Fri Aug 11 2017 Petr Stodulka - 1.8.3.1-12
 - prevent command injection via malicious ssh URLs
 Resolves: CVE-2017-1000117
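Review bot: git-request-pull-fix.patch is added with no header at all, so the patch itself gives no author, rationale or upstream reference. The 0009 patch in the same import carries From/Date/Subject lines and names upstream commit 4dbe66464, whereas this file starts directly at `diff --git`. Its only link to an origin is the `Resolves: #1192146` changelog entry in git.spec, so a later audit cannot tell from the patch where the `refs/tags/$ARGV[2]` comparison came from. A short header at the top of the patch would make it traceable, for example `Subject: request-pull: compare against the full refs/tags/ name` followed by `Resolves: #1192146`. The Perl snippet being patched starts and ends outside the inner hunk.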