Fork of git SCM with my patches. http://git.kilabit.info/git/atom?h=v2.40.3 2024-05-30T23:57:31Z 2024-05-30T23:57:31Z Junio C Hamano gitster@pobox.com 2024-05-30T23:57:31Z urn:sha1:dbecc617f75eea6ee5d05823a38b91223ff22b11 Signed-off-by: Junio C Hamano <gitster@pobox.com> 2024-05-30T23:54:42Z Junio C Hamano gitster@pobox.com 2024-05-30T23:54:42Z urn:sha1:75e7cd2bd097a44ccf8587d6143c4ae4d2755434 * fixes/2.45.1/2.40: Revert "fsck: warn about symlink pointing inside a gitdir" Revert "Add a helper function to compare file contents" clone: drop the protections where hooks aren't run tests: verify that `clone -c core.hooksPath=/dev/null` works again Revert "core.hooksPath: add some protection while cloning" init: use the correct path of the templates directory again hook: plug a new memory leak ci: stop installing "gcc-13" for osx-gcc ci: avoid bare "gcc" for osx-gcc job ci: drop mention of BREW_INSTALL_PACKAGES variable send-email: avoid creating more than one Term::ReadLine object send-email: drop FakeTerm hack 2024-05-30T23:52:52Z Junio C Hamano gitster@pobox.com 2024-05-30T23:52:52Z urn:sha1:cc7d11c16782041a6bb73e2fb56417b7d4c6d186 2024-05-30T23:38:58Z Junio C Hamano gitster@pobox.com 2024-05-30T23:38:58Z urn:sha1:7eb91521fd0a8337c99fdb40586b90355b6669ac * jc/fix-2.45.1-and-friends-for-2.39: Revert "fsck: warn about symlink pointing inside a gitdir" Revert "Add a helper function to compare file contents" clone: drop the protections where hooks aren't run tests: verify that `clone -c core.hooksPath=/dev/null` works again Revert "core.hooksPath: add some protection while cloning" init: use the correct path of the templates directory again hook: plug a new memory leak ci: stop installing "gcc-13" for osx-gcc ci: avoid bare "gcc" for osx-gcc job ci: drop mention of BREW_INSTALL_PACKAGES variable send-email: avoid creating more than one Term::ReadLine object send-email: drop FakeTerm hack 2024-05-24T19:29:36Z Junio C Hamano gitster@pobox.com 2024-05-24T19:29:35Z urn:sha1:48440f60a730b93b2a39449a69cb56db5e7114c7 Revert overly aggressive "layered defence" that went into 2.45.1 and friends, which broke "git-lfs", "git-annex", and other use cases, so that we can rebuild necessary counterparts in the open. * jc/fix-2.45.1-and-friends-for-2.39: Revert "fsck: warn about symlink pointing inside a gitdir" Revert "Add a helper function to compare file contents" clone: drop the protections where hooks aren't run tests: verify that `clone -c core.hooksPath=/dev/null` works again Revert "core.hooksPath: add some protection while cloning" init: use the correct path of the templates directory again hook: plug a new memory leak ci: stop installing "gcc-13" for osx-gcc ci: avoid bare "gcc" for osx-gcc job ci: drop mention of BREW_INSTALL_PACKAGES variable send-email: avoid creating more than one Term::ReadLine object send-email: drop FakeTerm hack 2024-05-23T04:55:31Z Junio C Hamano gitster@pobox.com 2024-05-23T04:55:31Z urn:sha1:1991703bdbb7839e3b43e0e0238f8efd76c8fe8d This reverts commit a33fea08 (fsck: warn about symlink pointing inside a gitdir, 2024-04-10), which warns against symbolic links commonly created by git-annex. 2024-05-21T19:33:08Z Johannes Schindelin johannes.schindelin@gmx.de 2024-05-20T20:22:05Z urn:sha1:35dfccb2b430ee67fddb7b1a1f8cd7a1a8fb7cbe Now that during a `git clone`, the hooks' contents are no longer compared to the templates' files', the caller for which the `do_files_match()` function was introduced is gone, and therefore this function can be retired, too. This reverts commit 584de0b4c23 (Add a helper function to compare file contents, 2024-03-30). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2024-05-21T19:33:08Z Johannes Schindelin johannes.schindelin@gmx.de 2024-05-20T20:22:04Z urn:sha1:873a466ea3f233d4fb11f894a311de06939a2a3e As part of the security bug-fix releases v2.39.4, ..., v2.45.1, I introduced logic to safeguard `git clone` from running hooks that were installed _during_ the clone operation. The rationale was that Git's CVE-2024-32002, CVE-2021-21300, CVE-2019-1354, CVE-2019-1353, CVE-2019-1352, and CVE-2019-1349 should have been low-severity vulnerabilities but were elevated to critical/high severity by the attack vector that allows a weakness where files inside `.git/` can be inadvertently written during a `git clone` to escalate to a Remote Code Execution attack by virtue of installing a malicious `post-checkout` hook that Git will then run at the end of the operation without giving the user a chance to see what code is executed. Unfortunately, Git LFS uses a similar strategy to install its own `post-checkout` hook during a `git clone`; In fact, Git LFS is installing four separate hooks while running the `smudge` filter. While this pattern is probably in want of being improved by introducing better support in Git for Git LFS and other tools wishing to register hooks to be run at various stages of Git's commands, let's undo the clone protections to unbreak Git LFS-enabled clones. This reverts commit 8db1e8743c0 (clone: prevent hooks from running during a clone, 2024-03-28). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2024-05-21T19:33:08Z Johannes Schindelin johannes.schindelin@gmx.de 2024-05-20T20:22:03Z urn:sha1:c8f64781c8b3d44ecb57d14fbffcdbf063583812 As part of the protections added in Git v2.45.1 and friends, repository-local `core.hooksPath` settings are no longer allowed, as a defense-in-depth mechanism to prevent future Git vulnerabilities to raise to critical level if those vulnerabilities inadvertently allow the repository-local config to be written. What the added protection did not anticipate is that such a repository-local `core.hooksPath` can not only be used to point to maliciously-placed scripts in the current worktree, but also to _prevent_ hooks from being called altogether. We just reverted the `core.hooksPath` protections, based on the Git maintainer's recommendation in https://lore.kernel.org/git/xmqq4jaxvm8z.fsf@gitster.g/ to address this concern as well as related ones. Let's make sure that we won't regress while trying to protect the clone operation further. Reported-by: Brooke Kuhlmann <brooke@alchemists.io> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2024-05-21T19:33:08Z Johannes Schindelin johannes.schindelin@gmx.de 2024-05-20T20:22:02Z urn:sha1:75631a3cd84887657c634a35d1095f4a0884e48a This defense-in-depth was intended to protect the clone operation against future escalations where bugs in `git clone` would allow attackers to write arbitrary files in the `.git/` directory would allow for Remote Code Execution attacks via maliciously-placed hooks. However, it turns out that the `core.hooksPath` protection has unintentional side effects so severe that they do not justify the benefit of the protections. For example, it has been reported in https://lore.kernel.org/git/FAFA34CB-9732-4A0A-87FB-BDB272E6AEE8@alchemists.io/ that the following invocation, which is intended to make `git clone` safer, is itself broken by that protective measure: git clone --config core.hooksPath=/dev/null <url> Since it turns out that the benefit does not justify the cost, let's revert 20f3588efc6 (core.hooksPath: add some protection while cloning, 2024-03-30). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>