No commits in common. "a34c0bb89abb1154108e9d1ab1594c2d2eccebae" and "e8e893c95abcb99ffce4f1a18e13e1164a26e44a" have entirely different histories.
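--- a/[path not shown on page: file 1]
+++ /dev/null
@@ -1,28 +0,0 @@
-From 64ebb9fcdfbe48d5d61141a557691fd91f1e88d6 Mon Sep 17 00:00:00 2001
-From: Facundo Tuesca <facundo.tuesca@trailofbits.com>
-Date: Tue, 5 Sep 2023 09:51:50 +0200
-Subject: [PATCH] Fix CVE-2023-41040
-
-This change adds a check during reference resolving to see if it
-contains an up-level reference ('..'). If it does, it raises an
-exception.
-
-This fixes CVE-2023-41040, which allows an attacker to access files
-outside the repository's directory.
----
-git/refs/symbolic.py | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/git/refs/symbolic.py b/git/refs/symbolic.py
-index 33c3bf15b..5c293aa7b 100644
---- a/git/refs/symbolic.py
-+++ b/git/refs/symbolic.py
-@@ -168,6 +168,8 @@ def _get_ref_info_helper(
-"""Return: (str(sha), str(target_ref_path)) if available, the sha the file at
-rela_path points to, or None. target_ref_path is the reference we
-point to, or None"""
-+ if ".." in str(ref_path):
-+ raise ValueError(f"Invalid reference '{ref_path}'")
-tokens: Union[None, List[str], Tuple[str, str]] = None
-repodir = _git_dir(repo, ref_path)
-try: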
Binary file not shown.
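--- a/[path not shown on page: file 3]
+++ /dev/null
@@ -1,96 +0,0 @@
-%global _empty_manifest_terminate_build 0
-Name: python-GitPython
-Version: 3.1.32
-Release: 2
-Summary: GitPython is a python library used to interact with Git repositories
-License: BSD-3-Clause
-URL: https://github.com/gitpython-developers/GitPython
-Source0: %{pypi_source GitPython}
-# https://github.com/gitpython-developers/GitPython/commit/64ebb9fcdfbe48d5d61141a557691fd91f1e88d6
-Patch0: CVE-2023-41040.patch
-BuildArch: noarch
-%description
-GitPython is a python library used to interact with git repositories,
-high-level like git-porcelain, or low-level like git-plumbing.
-
-%package -n python3-GitPython
-Summary: GitPython is a python library used to interact with Git repositories
-Provides: python-GitPython
-# Base build requires
-BuildRequires: python3-devel
-BuildRequires: python3-setuptools
-BuildRequires: python3-pbr
-BuildRequires: python3-pip
-BuildRequires: python3-wheel
-# General requires
-BuildRequires: python3-gitdb
-# General requires
-Requires: python3-gitdb
-%description -n python3-GitPython
-GitPython is a python library used to interact with git repositories,
-high-level like git-porcelain, or low-level like git-plumbing.
-
-%package help
-Summary: GitPython is a python library used to interact with Git repositories
-Provides: python3-GitPython-doc
-%description help
-GitPython is a python library used to interact with git repositories,
-high-level like git-porcelain, or low-level like git-plumbing.
-
-%prep
-%autosetup -n GitPython-%{version} -p1
-
-%build
-%py3_build
-
-%install
-%py3_install
-
-install -d -m755 %{buildroot}/%{_pkgdocdir}
-if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
-if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
-if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
-if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
-pushd %{buildroot}
-if [ -d usr/lib ]; then
-find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst
-fi
-if [ -d usr/lib64 ]; then
-find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst
-fi
-if [ -d usr/bin ]; then
-find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst
-fi
-if [ -d usr/sbin ]; then
-find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst
-fi
-touch doclist.lst
-if [ -d usr/share/man ]; then
-find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst
-fi
-popd
-mv %{buildroot}/filelist.lst .
-mv %{buildroot}/doclist.lst .
-
-%files -n python3-GitPython -f filelist.lst
-%dir %{python3_sitelib}/*
-
-%files help -f doclist.lst
-%{_docdir}/*
-
-%changelog
-* Mon Sep 11 2023 yaoxin <yao_xin001@hoperun.com> - 3.1.32-2
-- Fix CVE-2023-41040
-
-* Thu Aug 17 2023 yaoxin <yao_xin001@hoperun.com> - 3.1.32-1
-- Upgrade to 3.1.32 for fix CVE-2022-24439 and CVE-2023-40267
-
-* Thu Oct 13 2022 wulei <wulei80@h-partners.com> - 3.1.27-1
-- Upgrade package python3-GitPython to version 3.1.27
-
-* Fri Jul 09 2021 openstack-sig <openstack@openeuler.org> - 3.1.14-1
-- update to 3.1.14
-
-* Mon Oct 26 2020 Jiachen Fan <fanjiachen3@huawei.com> - 3.1.11-1
-- package init
-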
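--- a/[path not shown on page: file 4]
+++ /dev/null
@@ -1,4 +0,0 @@
-version_control: github
-src_repo: gitpython-developers/GitPython
-tag_prefix: ""
-separator: "."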