diff --git a/SOURCES/0001-t-lib-httpd-try-harder-to-find-a-port-for-apache.patch b/SOURCES/0001-t-lib-httpd-try-harder-to-find-a-port-for-apache.patch
new file mode 100644
index 0000000..f7c1509
--- /dev/null
+++ b/SOURCES/0001-t-lib-httpd-try-harder-to-find-a-port-for-apache.patch
@@ -0,0 +1,73 @@
+From aedeaaf788bd8a7fc5a1887196b6f6d8a5c31362 Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Sun, 21 Aug 2022 13:49:57 -0400
+Subject: [PATCH] t/lib-httpd: try harder to find a port for apache
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When running multiple builds concurrently, tests which run daemons, like
+apache httpd, sometimes conflict with each other, leading to spurious
+failures:
+
+ ++ /usr/sbin/httpd -d '/tmp/git-t.ck9I/trash directory.t9118-git-svn-funky-branch-names/httpd' \
+ -f /builddir/build/BUILD/git-2.37.2/t/lib-httpd/apache.conf -DDAV -DSVN -c 'Listen 127.0.0.1:9118' \
+ -k start
+ (98)Address already in use: AH00072: make_sock: could not bind to address 127.0.0.1:9118
+ no listening sockets available, shutting down
+ AH00015: Unable to open logs
+ ++ test 1 -ne 0
+
+Try a bit harder to find an open port to use to avoid these intermittent
+failures. If we fail to start httpd, increment the port number and try
+again. By default, we make 3 attempts. This may be overridden by
+setting GIT_TEST_START_HTTPD_TRIES to a different value.
+
+Helped-by: Ondřej Pohořelský <opohorel@redhat.com>
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ t/lib-httpd.sh | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
+index 1f6b9b08d1..9279dcd659 100644
+--- a/t/lib-httpd.sh
++++ b/t/lib-httpd.sh
+@@ -175,19 +175,26 @@ prepare_httpd() {
+ }
+
+ start_httpd() {
+- prepare_httpd >&3 2>&4
+-
+ test_atexit stop_httpd
+
+- "$LIB_HTTPD_PATH" -d "$HTTPD_ROOT_PATH" \
+- -f "$TEST_PATH/apache.conf" $HTTPD_PARA \
+- -c "Listen 127.0.0.1:$LIB_HTTPD_PORT" -k start \
+- >&3 2>&4
+- if test $? -ne 0
+- then
+- cat "$HTTPD_ROOT_PATH"/error.log >&4 2>/dev/null
+- test_skip_or_die GIT_TEST_HTTPD "web server setup failed"
+- fi
++ i=0
++ while test $i -lt ${GIT_TEST_START_HTTPD_TRIES:-3}
++ do
++ i=$(($i + 1))
++ prepare_httpd >&3 2>&4
++ say >&3 "Starting httpd on port $LIB_HTTPD_PORT"
++ "$LIB_HTTPD_PATH" -d "$HTTPD_ROOT_PATH" \
++ -f "$TEST_PATH/apache.conf" $HTTPD_PARA \
++ -c "Listen 127.0.0.1:$LIB_HTTPD_PORT" -k start \
++ >&3 2>&4
++ test $? -eq 0 && return
++ LIB_HTTPD_PORT=$(($LIB_HTTPD_PORT + 1))
++ export LIB_HTTPD_PORT
++ # clean up modules symlink, prepare_httpd will re-create it
++ rm -f "$HTTPD_ROOT_PATH/modules"
++ done
++ cat "$HTTPD_ROOT_PATH"/error.log >&4 2>/dev/null
++ test_skip_or_die GIT_TEST_HTTPD "web server setup failed"
+ }
+
+ stop_httpd() {
diff --git a/SOURCES/0002-t-lib-git-daemon-try-harder-to-find-a-port.patch b/SOURCES/0002-t-lib-git-daemon-try-harder-to-find-a-port.patch
new file mode 100644
index 0000000..4540b63
--- /dev/null
+++ b/SOURCES/0002-t-lib-git-daemon-try-harder-to-find-a-port.patch
@@ -0,0 +1,88 @@
+From 16750d024ce038b019ab2e9ee5639901e445af37 Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Fri, 26 Aug 2022 18:28:44 -0400
+Subject: [PATCH] t/lib-git-daemon: try harder to find a port
+
+As with the previous commit, try harder to find an open port to avoid
+intermittent failures on busy/shared build systems.
+
+By default, we make 3 attempts. This may be overridden by setting
+GIT_TEST_START_GIT_DAEMON_TRIES to a different value.
+
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ t/lib-git-daemon.sh | 60 ++++++++++++++++++++++++++++-----------------
+ 1 file changed, 37 insertions(+), 23 deletions(-)
+
+diff --git a/t/lib-git-daemon.sh b/t/lib-git-daemon.sh
+index e62569222b..c3e8dda9ff 100644
+--- a/t/lib-git-daemon.sh
++++ b/t/lib-git-daemon.sh
+@@ -51,30 +51,44 @@ start_git_daemon() {
+ registered_stop_git_daemon_atexit_handler=AlreadyDone
+ fi
+
+- say >&3 "Starting git daemon ..."
+- mkfifo git_daemon_output
+- ${LIB_GIT_DAEMON_COMMAND:-git daemon} \
+- --listen=127.0.0.1 --port="$LIB_GIT_DAEMON_PORT" \
+- --reuseaddr --verbose --pid-file="$GIT_DAEMON_PIDFILE" \
+- --base-path="$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
+- "$@" "$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
+- >&3 2>git_daemon_output &
+- GIT_DAEMON_PID=$!
+- {
+- read -r line <&7
+- printf "%s\n" "$line" >&4
+- cat <&7 >&4 &
+- } 7<git_daemon_output &&
++ i=0
++ while test $i -lt ${GIT_TEST_START_GIT_DAEMON_TRIES:-3}
++ do
++ say >&3 "Starting git daemon on port $LIB_GIT_DAEMON_PORT ..."
++ mkfifo git_daemon_output
++ ${LIB_GIT_DAEMON_COMMAND:-git daemon} \
++ --listen=127.0.0.1 --port="$LIB_GIT_DAEMON_PORT" \
++ --reuseaddr --verbose --pid-file="$GIT_DAEMON_PIDFILE" \
++ --base-path="$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
++ "$@" "$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
++ >&3 2>git_daemon_output &
++ GIT_DAEMON_PID=$!
++ {
++ read -r line <&7
++ printf "%s\n" "$line" >&4
++ cat <&7 >&4 &
++ } 7<git_daemon_output &&
+
+- # Check expected output
+- if test x"$(expr "$line" : "\[[0-9]*\] \(.*\)")" != x"Ready to rumble"
+- then
+- kill "$GIT_DAEMON_PID"
+- wait "$GIT_DAEMON_PID"
+- unset GIT_DAEMON_PID
+- test_skip_or_die GIT_TEST_GIT_DAEMON \
+- "git daemon failed to start"
+- fi
++ # Check expected output
++ output="$(expr "$line" : "\[[0-9]*\] \(.*\)")"
++ # Return if found
++ test x"$output" = x"Ready to rumble" && return
++ # Increment port for retry if not found
++ LIB_GIT_DAEMON_PORT=$(($LIB_GIT_DAEMON_PORT + 1))
++ export LIB_GIT_DAEMON_PORT
++ GIT_DAEMON_HOST_PORT=127.0.0.1:$LIB_GIT_DAEMON_PORT
++ GIT_DAEMON_URL=git://$GIT_DAEMON_HOST_PORT
++ # unset GIT_DAEMON_PID; remove the fifo & pid file
++ GIT_DAEMON_PID=
++ rm -f git_daemon_output "$GIT_DAEMON_PIDFILE"
++ done
++
++ # Clean up and return failure
++ kill "$GIT_DAEMON_PID"
++ wait "$GIT_DAEMON_PID"
++ unset GIT_DAEMON_PID
++ test_skip_or_die GIT_TEST_GIT_DAEMON \
++ "git daemon failed to start"
+ }
+
+ stop_git_daemon() {
diff --git a/SOURCES/git-2.31.1-cve-2022-23521-cve-2022-41903.patch b/SOURCES/git-2.31.1-cve-2022-23521-cve-2022-41903.patch
new file mode 100644
index 0000000..c6f552e
--- /dev/null
+++ b/SOURCES/git-2.31.1-cve-2022-23521-cve-2022-41903.patch
@@ -0,0 +1,745 @@
+diff -ur b/attr.c a/attr.c
+--- b/attr.c 2021-03-26 23:03:34.000000000 +0100
++++ a/attr.c 2023-01-25 17:55:11.665410385 +0100
+@@ -28,7 +28,7 @@
+ #endif
+
+ struct git_attr {
+- int attr_nr; /* unique attribute number */
++ unsigned int attr_nr; /* unique attribute number */
+ char name[FLEX_ARRAY]; /* attribute name */
+ };
+
+@@ -210,7 +210,7 @@
+ * dictionary. If no entry is found, create a new attribute and store it in
+ * the dictionary.
+ */
+-static const struct git_attr *git_attr_internal(const char *name, int namelen)
++static const struct git_attr *git_attr_internal(const char *name, size_t namelen)
+ {
+ struct git_attr *a;
+
+@@ -226,8 +226,8 @@
+ a->attr_nr = hashmap_get_size(&g_attr_hashmap.map);
+
+ attr_hashmap_add(&g_attr_hashmap, a->name, namelen, a);
+- assert(a->attr_nr ==
+- (hashmap_get_size(&g_attr_hashmap.map) - 1));
++ if (a->attr_nr != hashmap_get_size(&g_attr_hashmap.map) - 1)
++ die(_("unable to add additional attribute"));
+ }
+
+ hashmap_unlock(&g_attr_hashmap);
+@@ -272,7 +272,7 @@
+ const struct git_attr *attr;
+ } u;
+ char is_macro;
+- unsigned num_attr;
++ size_t num_attr;
+ struct attr_state state[FLEX_ARRAY];
+ };
+
+@@ -289,7 +289,7 @@
+ struct attr_state *e)
+ {
+ const char *ep, *equals;
+- int len;
++ size_t len;
+
+ ep = cp + strcspn(cp, blank);
+ equals = strchr(cp, '=');
+@@ -333,8 +333,7 @@
+ static struct match_attr *parse_attr_line(const char *line, const char *src,
+ int lineno, int macro_ok)
+ {
+- int namelen;
+- int num_attr, i;
++ size_t namelen, num_attr, i;
+ const char *cp, *name, *states;
+ struct match_attr *res = NULL;
+ int is_macro;
+@@ -345,6 +344,11 @@
+ return NULL;
+ name = cp;
+
++ if (strlen(line) >= ATTR_MAX_LINE_LENGTH) {
++ warning(_("ignoring overly long attributes line %d"), lineno);
++ return NULL;
++ }
++
+ if (*cp == '"' && !unquote_c_style(&pattern, name, &states)) {
+ name = pattern.buf;
+ namelen = pattern.len;
+@@ -381,10 +385,9 @@
+ goto fail_return;
+ }
+
+- res = xcalloc(1,
+- sizeof(*res) +
+- sizeof(struct attr_state) * num_attr +
+- (is_macro ? 0 : namelen + 1));
++ res = xcalloc(1, st_add3(sizeof(*res),
++ st_mult(sizeof(struct attr_state), num_attr),
++ is_macro ? 0 : namelen + 1));
+ if (is_macro) {
+ res->u.attr = git_attr_internal(name, namelen);
+ } else {
+@@ -447,11 +450,12 @@
+
+ static void attr_stack_free(struct attr_stack *e)
+ {
+- int i;
++ unsigned i;
+ free(e->origin);
+ for (i = 0; i < e->num_matches; i++) {
+ struct match_attr *a = e->attrs[i];
+- int j;
++ size_t j;
++
+ for (j = 0; j < a->num_attr; j++) {
+ const char *setto = a->state[j].setto;
+ if (setto == ATTR__TRUE ||
+@@ -660,8 +664,8 @@
+ a = parse_attr_line(line, src, lineno, macro_ok);
+ if (!a)
+ return;
+- ALLOC_GROW(res->attrs, res->num_matches + 1, res->alloc);
+- res->attrs[res->num_matches++] = a;
++ ALLOC_GROW_BY(res->attrs, res->num_matches, 1, res->alloc);
++ res->attrs[res->num_matches - 1] = a;
+ }
+
+ static struct attr_stack *read_attr_from_array(const char **list)
+@@ -700,21 +704,37 @@
+
+ static struct attr_stack *read_attr_from_file(const char *path, int macro_ok)
+ {
++ struct strbuf buf = STRBUF_INIT;
+ FILE *fp = fopen_or_warn(path, "r");
+ struct attr_stack *res;
+- char buf[2048];
+ int lineno = 0;
++ int fd;
++ struct stat st;
+
+ if (!fp)
+ return NULL;
++
++ fd = fileno(fp);
++ if (fstat(fd, &st)) {
++ warning_errno(_("cannot fstat gitattributes file '%s'"), path);
++ fclose(fp);
++ return NULL;
++ }
++ if (st.st_size >= ATTR_MAX_FILE_SIZE) {
++ warning(_("ignoring overly large gitattributes file '%s'"), path);
++ fclose(fp);
++ return NULL;
++ }
++
+ CALLOC_ARRAY(res, 1);
+- while (fgets(buf, sizeof(buf), fp)) {
+- char *bufp = buf;
+- if (!lineno)
+- skip_utf8_bom(&bufp, strlen(bufp));
+- handle_attr_line(res, bufp, path, ++lineno, macro_ok);
++ while (strbuf_getline(&buf, fp) != EOF) {
++ if (!lineno && starts_with(buf.buf, utf8_bom))
++ strbuf_remove(&buf, 0, strlen(utf8_bom));
++ handle_attr_line(res, buf.buf, path, ++lineno, macro_ok);
+ }
++
+ fclose(fp);
++ strbuf_release(&buf);
+ return res;
+ }
+
+@@ -725,13 +745,18 @@
+ struct attr_stack *res;
+ char *buf, *sp;
+ int lineno = 0;
++ size_t size;
+
+ if (!istate)
+ return NULL;
+
+- buf = read_blob_data_from_index(istate, path, NULL);
++ buf = read_blob_data_from_index(istate, path, &size);
+ if (!buf)
+ return NULL;
++ if (size >= ATTR_MAX_FILE_SIZE) {
++ warning(_("ignoring overly large gitattributes blob '%s'"), path);
++ return NULL;
++ }
+
+ CALLOC_ARRAY(res, 1);
+ for (sp = buf; *sp; ) {
+@@ -1001,12 +1026,12 @@
+ static int fill_one(const char *what, struct all_attrs_item *all_attrs,
+ const struct match_attr *a, int rem)
+ {
+- int i;
++ size_t i;
+
+- for (i = a->num_attr - 1; rem > 0 && i >= 0; i--) {
+- const struct git_attr *attr = a->state[i].attr;
++ for (i = a->num_attr; rem > 0 && i > 0; i--) {
++ const struct git_attr *attr = a->state[i - 1].attr;
+ const char **n = &(all_attrs[attr->attr_nr].value);
+- const char *v = a->state[i].setto;
++ const char *v = a->state[i - 1].setto;
+
+ if (*n == ATTR__UNKNOWN) {
+ debug_set(what,
+@@ -1025,11 +1050,11 @@
+ struct all_attrs_item *all_attrs, int rem)
+ {
+ for (; rem > 0 && stack; stack = stack->prev) {
+- int i;
++ unsigned i;
+ const char *base = stack->origin ? stack->origin : "";
+
+- for (i = stack->num_matches - 1; 0 < rem && 0 <= i; i--) {
+- const struct match_attr *a = stack->attrs[i];
++ for (i = stack->num_matches; 0 < rem && 0 < i; i--) {
++ const struct match_attr *a = stack->attrs[i - 1];
+ if (a->is_macro)
+ continue;
+ if (path_matches(path, pathlen, basename_offset,
+@@ -1060,11 +1085,11 @@
+ const struct attr_stack *stack)
+ {
+ for (; stack; stack = stack->prev) {
+- int i;
+- for (i = stack->num_matches - 1; i >= 0; i--) {
+- const struct match_attr *ma = stack->attrs[i];
++ unsigned i;
++ for (i = stack->num_matches; i > 0; i--) {
++ const struct match_attr *ma = stack->attrs[i - 1];
+ if (ma->is_macro) {
+- int n = ma->u.attr->attr_nr;
++ unsigned int n = ma->u.attr->attr_nr;
+ if (!all_attrs[n].macro) {
+ all_attrs[n].macro = ma;
+ }
+@@ -1116,7 +1141,7 @@
+ collect_some_attrs(istate, path, check);
+
+ for (i = 0; i < check->nr; i++) {
+- size_t n = check->items[i].attr->attr_nr;
++ unsigned int n = check->items[i].attr->attr_nr;
+ const char *value = check->all_attrs[n].value;
+ if (value == ATTR__UNKNOWN)
+ value = ATTR__UNSET;
+diff -ur b/attr.h a/attr.h
+--- b/attr.h 2021-03-26 23:03:34.000000000 +0100
++++ a/attr.h 2023-01-25 17:55:44.310607076 +0100
+@@ -107,6 +107,18 @@
+ * - Free the `attr_check` struct by calling `attr_check_free()`.
+ */
+
++/**
++ * The maximum line length for a gitattributes file. If the line exceeds this
++ * length we will ignore it.
++ */
++#define ATTR_MAX_LINE_LENGTH 2048
++
++ /**
++ * The maximum size of the giattributes file. If the file exceeds this size we
++ * will ignore it.
++ */
++#define ATTR_MAX_FILE_SIZE (100 * 1024 * 1024)
++
+ struct index_state;
+
+ /**
+diff -ur b/column.c a/column.c
+--- b/column.c 2021-03-26 23:03:34.000000000 +0100
++++ a/column.c 2023-01-25 17:35:25.867526707 +0100
+@@ -23,7 +23,7 @@
+ /* return length of 's' in letters, ANSI escapes stripped */
+ static int item_length(const char *s)
+ {
+- return utf8_strnwidth(s, -1, 1);
++ return utf8_strnwidth(s, strlen(s), 1);
+ }
+
+ /*
+diff -ur b/git-compat-util.h a/git-compat-util.h
+--- b/git-compat-util.h 2021-03-26 23:03:34.000000000 +0100
++++ a/git-compat-util.h 2023-01-25 17:36:06.128731483 +0100
+@@ -854,6 +854,14 @@
+ return a - b;
+ }
+
++static inline int cast_size_t_to_int(size_t a)
++{
++ if (a > INT_MAX)
++ die("number too large to represent as int on this platform: %"PRIuMAX,
++ (uintmax_t)a);
++ return (int)a;
++}
++
+ #ifdef HAVE_ALLOCA_H
+ # include <alloca.h>
+ # define xalloca(size) (alloca(size))
+diff -ur b/pretty.c a/pretty.c
+--- b/pretty.c 2021-03-26 23:03:34.000000000 +0100
++++ a/pretty.c 2023-01-25 17:39:45.405061148 +0100
+@@ -13,6 +13,13 @@
+ #include "gpg-interface.h"
+ #include "trailer.h"
+
++/*
++ * The limit for formatting directives, which enable the caller to append
++ * arbitrarily many bytes to the formatted buffer. This includes padding
++ * and wrapping formatters.
++ */
++#define FORMATTING_LIMIT (16 * 1024)
++
+ static char *user_format;
+ static struct cmt_fmt_map {
+ const char *name;
+@@ -916,7 +923,9 @@
+ if (pos)
+ strbuf_add(&tmp, sb->buf, pos);
+ strbuf_add_wrapped_text(&tmp, sb->buf + pos,
+- (int) indent1, (int) indent2, (int) width);
++ cast_size_t_to_int(indent1),
++ cast_size_t_to_int(indent2),
++ cast_size_t_to_int(width));
+ strbuf_swap(&tmp, sb);
+ strbuf_release(&tmp);
+ }
+@@ -1042,9 +1051,18 @@
+ const char *end = start + strcspn(start, ",)");
+ char *next;
+ int width;
+- if (!end || end == start)
++ if (!*end || end == start)
+ return 0;
+ width = strtol(start, &next, 10);
++
++ /*
++ * We need to limit the amount of padding, or otherwise this
++ * would allow the user to pad the buffer by arbitrarily many
++ * bytes and thus cause resource exhaustion.
++ */
++ if (width < -FORMATTING_LIMIT || width > FORMATTING_LIMIT)
++ return 0;
++
+ if (next == start || width == 0)
+ return 0;
+ if (width < 0) {
+@@ -1260,6 +1278,16 @@
+ }
+ if (*next != ')')
+ return 0;
++
++ /*
++ * We need to limit the format here as it allows the
++ * user to prepend arbitrarily many bytes to the buffer
++ * when rewrapping.
++ */
++ if (width > FORMATTING_LIMIT ||
++ indent1 > FORMATTING_LIMIT ||
++ indent2 > FORMATTING_LIMIT)
++ return 0;
+ }
+ rewrap_message_tail(sb, c, width, indent1, indent2);
+ return end - placeholder + 1;
+@@ -1507,19 +1535,21 @@
+ struct format_commit_context *c)
+ {
+ struct strbuf local_sb = STRBUF_INIT;
+- int total_consumed = 0, len, padding = c->padding;
++ size_t total_consumed = 0;
++ int len, padding = c->padding;
++
+ if (padding < 0) {
+ const char *start = strrchr(sb->buf, '\n');
+ int occupied;
+ if (!start)
+ start = sb->buf;
+- occupied = utf8_strnwidth(start, -1, 1);
++ occupied = utf8_strnwidth(start, strlen(start), 1);
+ occupied += c->pretty_ctx->graph_width;
+ padding = (-padding) - occupied;
+ }
+ while (1) {
+ int modifier = *placeholder == 'C';
+- int consumed = format_commit_one(&local_sb, placeholder, c);
++ size_t consumed = format_commit_one(&local_sb, placeholder, c);
+ total_consumed += consumed;
+
+ if (!modifier)
+@@ -1531,7 +1561,7 @@
+ placeholder++;
+ total_consumed++;
+ }
+- len = utf8_strnwidth(local_sb.buf, -1, 1);
++ len = utf8_strnwidth(local_sb.buf, local_sb.len, 1);
+
+ if (c->flush_type == flush_left_and_steal) {
+ const char *ch = sb->buf + sb->len - 1;
+@@ -1546,7 +1576,7 @@
+ if (*ch != 'm')
+ break;
+ p = ch - 1;
+- while (ch - p < 10 && *p != '\033')
++ while (p > sb->buf && ch - p < 10 && *p != '\033')
+ p--;
+ if (*p != '\033' ||
+ ch + 1 - p != display_mode_esc_sequence_len(p))
+@@ -1585,7 +1615,7 @@
+ }
+ strbuf_addbuf(sb, &local_sb);
+ } else {
+- int sb_len = sb->len, offset = 0;
++ size_t sb_len = sb->len, offset = 0;
+ if (c->flush_type == flush_left)
+ offset = padding - len;
+ else if (c->flush_type == flush_both)
+@@ -1608,8 +1638,7 @@
+ const char *placeholder,
+ void *context)
+ {
+- int consumed;
+- size_t orig_len;
++ size_t consumed, orig_len;
+ enum {
+ NO_MAGIC,
+ ADD_LF_BEFORE_NON_EMPTY,
+@@ -1630,9 +1659,21 @@
+ default:
+ break;
+ }
+- if (magic != NO_MAGIC)
++ if (magic != NO_MAGIC) {
+ placeholder++;
+
++ switch (placeholder[0]) {
++ case 'w':
++ /*
++ * `%+w()` cannot ever expand to a non-empty string,
++ * and it potentially changes the layout of preceding
++ * contents. We're thus not able to handle the magic in
++ * this combination and refuse the pattern.
++ */
++ return 0;
++ };
++ }
++
+ orig_len = sb->len;
+ if (((struct format_commit_context *)context)->flush_type != no_flush)
+ consumed = format_and_pad_commit(sb, placeholder, context);
+diff -ur b/t/t0003-attributes.sh a/t/t0003-attributes.sh
+--- b/t/t0003-attributes.sh 2021-03-26 23:03:34.000000000 +0100
++++ a/t/t0003-attributes.sh 2023-01-25 17:56:18.656788243 +0100
+@@ -339,4 +339,63 @@
+ test_cmp expect actual
+ '
+
++test_expect_success 'large attributes line ignored in tree' '
++ test_when_finished "rm .gitattributes" &&
++ printf "path %02043d" 1 >.gitattributes &&
++ git check-attr --all path >actual 2>err &&
++ echo "warning: ignoring overly long attributes line 1" >expect &&
++ test_cmp expect err &&
++ test_must_be_empty actual
++'
++
++test_expect_success 'large attributes line ignores trailing content in tree' '
++ test_when_finished "rm .gitattributes" &&
++ # older versions of Git broke lines at 2048 bytes; the 2045 bytes
++ # of 0-padding here is accounting for the three bytes of "a 1", which
++ # would knock "trailing" to the "next" line, where it would be
++ # erroneously parsed.
++ printf "a %02045dtrailing attribute\n" 1 >.gitattributes &&
++ git check-attr --all trailing >actual 2>err &&
++ echo "warning: ignoring overly long attributes line 1" >expect &&
++ test_cmp expect err &&
++ test_must_be_empty actual
++'
++
++test_expect_success EXPENSIVE 'large attributes file ignored in tree' '
++ test_when_finished "rm .gitattributes" &&
++ dd if=/dev/zero of=.gitattributes bs=101M count=1 2>/dev/null &&
++ git check-attr --all path >/dev/null 2>err &&
++ echo "warning: ignoring overly large gitattributes file ${SQ}.gitattributes${SQ}" >expect &&
++ test_cmp expect err
++'
++
++test_expect_success 'large attributes line ignored in index' '
++ test_when_finished "git update-index --remove .gitattributes" &&
++ blob=$(printf "path %02043d" 1 | git hash-object -w --stdin) &&
++ git update-index --add --cacheinfo 100644,$blob,.gitattributes &&
++ git check-attr --cached --all path >actual 2>err &&
++ echo "warning: ignoring overly long attributes line 1" >expect &&
++ test_cmp expect err &&
++ test_must_be_empty actual
++'
++
++test_expect_success 'large attributes line ignores trailing content in index' '
++ test_when_finished "git update-index --remove .gitattributes" &&
++ blob=$(printf "a %02045dtrailing attribute\n" 1 | git hash-object -w --stdin) &&
++ git update-index --add --cacheinfo 100644,$blob,.gitattributes &&
++ git check-attr --cached --all trailing >actual 2>err &&
++ echo "warning: ignoring overly long attributes line 1" >expect &&
++ test_cmp expect err &&
++ test_must_be_empty actual
++'
++
++test_expect_success EXPENSIVE 'large attributes file ignored in index' '
++ test_when_finished "git update-index --remove .gitattributes" &&
++ blob=$(dd if=/dev/zero bs=101M count=1 2>/dev/null | git hash-object -w --stdin) &&
++ git update-index --add --cacheinfo 100644,$blob,.gitattributes &&
++ git check-attr --cached --all path >/dev/null 2>err &&
++ echo "warning: ignoring overly large gitattributes blob ${SQ}.gitattributes${SQ}" >expect &&
++ test_cmp expect err
++'
++
+ test_done
+diff -ur b/t/t4205-log-pretty-formats.sh a/t/t4205-log-pretty-formats.sh
+--- b/t/t4205-log-pretty-formats.sh 2021-03-26 23:03:34.000000000 +0100
++++ a/t/t4205-log-pretty-formats.sh 2023-01-25 17:40:19.966850121 +0100
+@@ -962,4 +962,80 @@
+ test_cmp expect actual
+ '
+
++test_expect_success 'log --pretty with space stealing' '
++ printf mm0 >expect &&
++ git log -1 --pretty="format:mm%>>|(1)%x30" >actual &&
++ test_cmp expect actual
++'
++
++test_expect_success 'log --pretty with invalid padding format' '
++ printf "%s%%<(20" "$(git rev-parse HEAD)" >expect &&
++ git log -1 --pretty="format:%H%<(20" >actual &&
++ test_cmp expect actual
++'
++
++test_expect_success 'log --pretty with magical wrapping directives' '
++ commit_id=$(git commit-tree HEAD^{tree} -m "describe me") &&
++ git tag describe-me $commit_id &&
++ printf "\n(tag:\ndescribe-me)%%+w(2)" >expect &&
++ git log -1 --pretty="format:%w(1)%+d%+w(2)" $commit_id >actual &&
++ test_cmp expect actual
++'
++
++test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' '
++ printf "%%w(2147483649,1,1)0" >expect &&
++ git log -1 --pretty="format:%w(2147483649,1,1)%x30" >actual &&
++ test_cmp expect actual &&
++ printf "%%w(1,2147483649,1)0" >expect &&
++ git log -1 --pretty="format:%w(1,2147483649,1)%x30" >actual &&
++ test_cmp expect actual &&
++ printf "%%w(1,1,2147483649)0" >expect &&
++ git log -1 --pretty="format:%w(1,1,2147483649)%x30" >actual &&
++ test_cmp expect actual
++'
++
++test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing padding directive' '
++ printf "%%<(2147483649)0" >expect &&
++ git log -1 --pretty="format:%<(2147483649)%x30" >actual &&
++ test_cmp expect actual
++'
++
++test_expect_success 'log --pretty with padding and preceding control chars' '
++ printf "\20\20 0" >expect &&
++ git log -1 --pretty="format:%x10%x10%>|(4)%x30" >actual &&
++ test_cmp expect actual
++'
++
++test_expect_success 'log --pretty truncation with control chars' '
++ test_commit "$(printf "\20\20\20\20xxxx")" file contents commit-with-control-chars &&
++ printf "\20\20\20\20x.." >expect &&
++ git log -1 --pretty="format:%<(3,trunc)%s" commit-with-control-chars >actual &&
++ test_cmp expect actual
++'
++
++test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
++ # We only assert that this command does not crash. This needs to be
++ # executed with the address sanitizer to demonstrate failure.
++ git log -1 --pretty="format:%>(2147483646)%x41%41%>(2147483646)%x41" >/dev/null
++'
++
++test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'set up huge commit' '
++ test-tool genzeros 2147483649 | tr "\000" "1" >expect &&
++ huge_commit=$(git commit-tree -F expect HEAD^{tree})
++'
++
++test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
++ git log -1 --format="%B%<(1)%x30" $huge_commit >actual &&
++ echo 0 >>expect &&
++ test_cmp expect actual
++'
++
++test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message does not cause allocation failure' '
++ test_must_fail git log -1 --format="%<(1)%B" $huge_commit 2>error &&
++ cat >expect <<-EOF &&
++ fatal: number too large to represent as int on this platform: 2147483649
++ EOF
++ test_cmp expect error
++'
++
+ test_done
+diff -ur b/t/test-lib.sh a/t/test-lib.sh
+--- b/t/test-lib.sh 2021-03-26 23:03:34.000000000 +0100
++++ a/t/test-lib.sh 2023-01-25 17:41:35.007391936 +0100
+@@ -1635,6 +1635,10 @@
+ sed -ne "s/^$1: //p"
+ }
+
++test_lazy_prereq SIZE_T_IS_64BIT '
++ test 8 -eq "$(build_option sizeof-size_t)"
++'
++
+ test_lazy_prereq LONG_IS_64BIT '
+ test 8 -le "$(build_option sizeof-long)"
+ '
+diff -ur b/utf8.c a/utf8.c
+--- b/utf8.c 2021-03-26 23:03:34.000000000 +0100
++++ a/utf8.c 2023-01-25 18:34:55.927040924 +0100
+@@ -206,26 +206,34 @@
+ * string, assuming that the string is utf8. Returns strlen() instead
+ * if the string does not look like a valid utf8 string.
+ */
+-int utf8_strnwidth(const char *string, int len, int skip_ansi)
++int utf8_strnwidth(const char *string, size_t len, int skip_ansi)
+ {
+- int width = 0;
+ const char *orig = string;
++ size_t width = 0;
+
+- if (len == -1)
+- len = strlen(string);
+ while (string && string < orig + len) {
+- int skip;
++ int glyph_width;
++ size_t skip;
++
+ while (skip_ansi &&
+ (skip = display_mode_esc_sequence_len(string)) != 0)
+ string += skip;
+- width += utf8_width(&string, NULL);
++
++ glyph_width = utf8_width(&string, NULL);
++ if (glyph_width > 0)
++ width += glyph_width;
+ }
+- return string ? width : len;
++
++ /*
++ * TODO: fix the interface of this function and `utf8_strwidth()` to
++ * return `size_t` instead of `int`.
++ */
++ return cast_size_t_to_int(string ? width : len);
+ }
+
+ int utf8_strwidth(const char *string)
+ {
+- return utf8_strnwidth(string, -1, 0);
++ return utf8_strnwidth(string, strlen(string), 0);
+ }
+
+ int is_utf8(const char *text)
+@@ -357,51 +365,51 @@
+ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width,
+ const char *subst)
+ {
+- struct strbuf sb_dst = STRBUF_INIT;
+- char *src = sb_src->buf;
+- char *end = src + sb_src->len;
+- char *dst;
+- int w = 0, subst_len = 0;
+-
+- if (subst)
+- subst_len = strlen(subst);
+- strbuf_grow(&sb_dst, sb_src->len + subst_len);
+- dst = sb_dst.buf;
++ const char *src = sb_src->buf, *end = sb_src->buf + sb_src->len;
++ struct strbuf dst;
++ int w = 0;
++
++ strbuf_init(&dst, sb_src->len);
+
+ while (src < end) {
+- char *old;
++ const char *old;
++ int glyph_width;
+ size_t n;
+
+ while ((n = display_mode_esc_sequence_len(src))) {
+- memcpy(dst, src, n);
++ strbuf_add(&dst, src, n);
+ src += n;
+- dst += n;
+ }
+
+ if (src >= end)
+ break;
+
+ old = src;
+- n = utf8_width((const char**)&src, NULL);
+- if (!src) /* broken utf-8, do nothing */
++ glyph_width = utf8_width((const char**)&src, NULL);
++ if (!src) /* broken utf-8, do nothing */
+ goto out;
+- if (n && w >= pos && w < pos + width) {
++
++ /*
++ * In case we see a control character we copy it into the
++ * buffer, but don't add it to the width.
++ */
++ if (glyph_width < 0)
++ glyph_width = 0;
++
++ if (glyph_width && w >= pos && w < pos + width) {
+ if (subst) {
+- memcpy(dst, subst, subst_len);
+- dst += subst_len;
++ strbuf_addstr(&dst, subst);
+ subst = NULL;
+ }
+- w += n;
+- continue;
++ } else {
++ strbuf_add(&dst, old, src - old);
+ }
+- memcpy(dst, old, src - old);
+- dst += src - old;
+- w += n;
++
++ w += glyph_width;
+ }
+- strbuf_setlen(&sb_dst, dst - sb_dst.buf);
+- strbuf_swap(sb_src, &sb_dst);
++ strbuf_swap(sb_src, &dst);
+ out:
+- strbuf_release(&sb_dst);
++ strbuf_release(&dst);
+ }
+
+ /*
+@@ -791,7 +799,7 @@
+ void strbuf_utf8_align(struct strbuf *buf, align_type position, unsigned int width,
+ const char *s)
+ {
+- int slen = strlen(s);
++ size_t slen = strlen(s);
+ int display_len = utf8_strnwidth(s, slen, 0);
+ int utf8_compensation = slen - display_len;
+
+diff -ur b/utf8.h a/utf8.h
+--- b/utf8.h 2021-03-26 23:03:34.000000000 +0100
++++ a/utf8.h 2023-01-25 17:22:31.971590518 +0100
+@@ -7,7 +7,7 @@
+
+ size_t display_mode_esc_sequence_len(const char *s);
+ int utf8_width(const char **start, size_t *remainder_p);
+-int utf8_strnwidth(const char *string, int len, int skip_ansi);
++int utf8_strnwidth(const char *string, size_t len, int skip_ansi);
+ int utf8_strwidth(const char *string);
+ int is_utf8(const char *text);
+ int is_encoding_utf8(const char *name);
diff --git a/SOURCES/t-lib-git-svn-try-harder-to-find-a-port-2.31.1.patch b/SOURCES/t-lib-git-svn-try-harder-to-find-a-port-2.31.1.patch
new file mode 100644
index 0000000..3459494
--- /dev/null
+++ b/SOURCES/t-lib-git-svn-try-harder-to-find-a-port-2.31.1.patch
@@ -0,0 +1,62 @@
+diff -ur b/t/lib-git-svn.sh c/t/lib-git-svn.sh
+--- b/t/lib-git-svn.sh 2021-03-26 23:03:34.000000000 +0100
++++ c/t/lib-git-svn.sh 2023-01-26 13:39:32.822183929 +0100
+@@ -13,6 +13,7 @@
+ GIT_DIR=$PWD/.git
+ GIT_SVN_DIR=$GIT_DIR/svn/refs/remotes/git-svn
+ SVN_TREE=$GIT_SVN_DIR/svn-tree
++SVNSERVE_PIDFILE="$PWD"/daemon.pid
+ test_set_port SVNSERVE_PORT
+
+ svn >/dev/null 2>&1
+@@ -115,10 +116,35 @@
+ }
+
+ start_svnserve () {
+- svnserve --listen-port $SVNSERVE_PORT \
+- --root "$rawsvnrepo" \
+- --listen-once \
+- --listen-host 127.0.0.1 &
++ test_atexit stop_svnserve
++
++ i=0
++ while test $i -lt ${GIT_TEST_START_SVNSERVE_TRIES:-3}
++ do
++ say >&3 "Starting svnserve on port $SVNSERVE_PORT ..."
++ svnserve --listen-port $SVNSERVE_PORT \
++ --root "$rawsvnrepo" \
++ --daemon --pid-file="$SVNSERVE_PIDFILE" \
++ --listen-host 127.0.0.1
++ ret=$?
++ # increment port and retry if unsuccessful
++ if test $ret -ne 0
++ then
++ SVNSERVE_PORT=$(($SVNSERVE_PORT + 1))
++ export SVNSERVE_PORT
++ else
++ break
++ fi
++ done
++}
++
++stop_svnserve () {
++ say >&3 "Stopping svnserve ..."
++ SVNSERVE_PID="$(cat "$SVNSERVE_PIDFILE")"
++ if test -n "$SVNSERVE_PID"
++ then
++ kill "$SVNSERVE_PID" 2>/dev/null
++ fi
+ }
+
+ prepare_a_utf8_locale () {
+diff -ur b/t/t9113-git-svn-dcommit-new-file.sh c/t/t9113-git-svn-dcommit-new-file.sh
+--- b/t/t9113-git-svn-dcommit-new-file.sh 2021-03-26 23:03:34.000000000 +0100
++++ c/t/t9113-git-svn-dcommit-new-file.sh 2023-01-26 13:39:30.314168109 +0100
+@@ -28,7 +28,6 @@
+ echo hello > git-new-dir/world &&
+ git update-index --add git-new-dir/world &&
+ git commit -m hello &&
+- start_svnserve &&
+ git svn dcommit
+ "
+
diff --git a/SPECS/git.spec b/SPECS/git.spec
index 3dbf9fd..ad4a7dc 100644
--- a/SPECS/git.spec
+++ b/SPECS/git.spec
@@ -90,7 +90,7 @@
Name: git
Version: 2.31.1
-Release: 2%{?rcrev}%{?dist}
+Release: 3%{?rcrev}%{?dist}
Summary: Fast Version Control System
License: GPLv2
URL: https://git-scm.com/
@@ -124,6 +124,18 @@ Patch0: git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch
Patch1: 0001-Switch-git-instaweb-default-to-apache-2.26.2.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1619113
Patch2: git-2.27.0-core-crypto-hmac.patch
+# https://bugzilla.redhat.com/2162069
+Patch3: git-2.31.1-cve-2022-23521-cve-2022-41903.patch
+
+# https://bugzilla.redhat.com/2114531
+# tests: try harder to find open ports for apache, git, and svn
+#
+# https://github.com/tmzullinger/git/commit/aedeaaf788
+Patch4: 0001-t-lib-httpd-try-harder-to-find-a-port-for-apache.patch
+# https://github.com/tmzullinger/git/commit/16750d024c
+Patch5: 0002-t-lib-git-daemon-try-harder-to-find-a-port.patch
+# https://github.com/tmzullinger/git/commit/aa5105dc11
+Patch6: t-lib-git-svn-try-harder-to-find-a-port-2.31.1.patch
%if %{with docs}
# pod2man is needed to build Git.3pm
@@ -1068,6 +1080,11 @@ rmdir --ignore-fail-on-non-empty "$testdir"
%{?with_docs:%{_pkgdocdir}/git-svn.html}
%changelog
+* Wed Jan 25 2023 Ondřej Pohořelský <opohorel@redhat.com> - 2.31.1-3
+- Fixes CVE-2022-23521 and CVE-2022-41903
+- Tests: try harder to find open ports for apache, git, and svn
+- Resolves: #2162063
+
* Thu Nov 25 2021 Ondrej Pohorelsky <opohorel@redhat.com> - 2.31.1-2
- Remove perl(Email::Valid) require from git-email
- Related: rhbz#2021547