From 1e29cc618f352d22c27509c492ec4930d19ee456 Mon Sep 17 00:00:00 2001 From: dgarcia <> Date: Thu, 7 Sep 2023 19:12:12 +0000 Subject: [PATCH] Update python-GitPython to version 3.1.34.1693646983.2a2ae77 / rev 29 via SR 1109413 https://build.opensuse.org/request/show/1109413 by user dgarcia + anag+factory - Add CVE-2023-41040.patch to fix directory traversal attack vulnerability gh#gitpython-developers/GitPython#1644 bsc#1214810 - Update _service to use manualrun, disabledrun is deprecated now. - Update to version 3.1.34.1693646983.2a2ae77: * prepare patch release * util: close lockfile after opening successfully * update instructions for how to create a release * prepare for next release * Skip now permanently failing test with note on how to fix it * Don't check form of version number * Add a unit test for CVE-2023-40590 * Fix CVE-2023-40590 * feat: full typing for "progress" parameter * Creating a lock now uses python built-in "open()" method to work around docker virtiofs issue * Disable merge_includes in config writers * Apply straight-forward typing fixes --- packages/p/python-GitPython/.files | Bin 440 -> 498 bytes packages/p/python-GitPython/.rev | 37 ++++++++++ .../p/python-GitPython/CVE-2023-41040.patch | 53 ++++++++++++++ ...GitPython-3.1.32.1689011721.5d45ce2.tar.xz | 1 - ...GitPython-3.1.34.1693646983.2a2ae77.tar.xz | 1 + packages/p/python-GitPython/_service | 10 +-- packages/p/python-GitPython/_servicedata | 2 +- .../python-GitPython/python-GitPython.changes | 68 ++++++++++++++++++ .../p/python-GitPython/python-GitPython.spec | 6 +- packages/p/python-GitPython/test-skips.patch | 26 ++++--- .../test_blocking_lock_file-extra-time.patch | 6 +- 11 files changed, 190 insertions(+), 20 deletions(-) create mode 100644 packages/p/python-GitPython/CVE-2023-41040.patch delete mode 120000 packages/p/python-GitPython/GitPython-3.1.32.1689011721.5d45ce2.tar.xz create mode 120000 packages/p/python-GitPython/GitPython-3.1.34.1693646983.2a2ae77.tar.xz 
diff --git a/packages/p/python-GitPython/.files b/packages/p/python-GitPython/.files index 1635bd420e95ee543ec11063d7580bef9f94487a..f9fdb3d79a3f72d2e71e9f926acc47f0311a36a7 100644 GIT binary patch literal 498 zcmZWlJ8K*<5IzWju((L!fXgj|VHZiG(W5pYZK|}#XlCSFY@e4~5gh;eXakofl?L&> z*R7e4!-vD+@M#!52-W~m)ub9NnA|@+L}!I91>aG(4?n+6&N!I7HQvlCH9mDFAqOha z8}^=rQp~Q3BBSM`YoBr7wi%#c;20&5B&^kTV3wE?b@b<^Tbs70W!0GRs|Pxl`hswikGc&b6cPrEIb~x}#5>YJ z7=@iJ>i2Fp*MvfihLOam#oVP0bcRUJ~B1 zjV|-s`!FK*h7@}YUoir!SaCHdBbcH^y585l^|3s^^3!sDJnrwYF3&pYTf5NImKVLQ gVSOZPxcFc&<)EgISuOZdYH&tuSNrnc8r!P;2h@{`=>Px# literal 440 zcmZXQ&uSY%42KP&G%P*zQs{AyC9unA{?8NSnl~_#MzR;X_Tn8%lBe%DkY0L{4*Guj zq;+fN%kZ$-~@FkZQmlTQC?vb8;(uY6iAhyA_obverdAEU`(1t7PRqJ|D*7&kwfIa%4YP?hhv?8rA#v4dr=I@( zX>v2n&dv~XF#yTJ9I6j2c5Zl^U*CsOi;s|`Sa4`SjhI--q#B(PN3lKc@$=-rR#<*R diff --git a/packages/p/python-GitPython/.rev b/packages/p/python-GitPython/.rev index 78b4fad1d8c..7c7e9f92a56 100644 --- a/packages/p/python-GitPython/.rev +++ b/packages/p/python-GitPython/.rev 
@@ -834,4 +834,41 @@ - Switch to pyproject macros. 1104972 + + 998017f7aaa9ed8cac6576dc739f3819 + 3.1.34.1693646983.2a2ae77 + + anag+factory + - Add CVE-2023-41040.patch to fix directory traversal attack + vulnerability gh#gitpython-developers/GitPython#1644 + bsc#1214810 + +- Update _service to use manualrun, disabledrun is deprecated now. +- Update to version 3.1.34.1693646983.2a2ae77: + * prepare patch release + * util: close lockfile after opening successfully + * update instructions for how to create a release + * prepare for next release + * Skip now permanently failing test with note on how to fix it + * Don't check form of version number + * Add a unit test for CVE-2023-40590 + * Fix CVE-2023-40590 + * feat: full typing for "progress" parameter + * Creating a lock now uses python built-in "open()" method to work around docker virtiofs issue + * Disable merge_includes in config writers + * Apply straight-forward typing fixes + * Add missing type annotation + * Run black and exclude submodule + * Allow explicit casting even when slightly redundant + * Ignore remaining [unreachable] type errors + * Define supported version for mypy + * Do not typecheck submodule + * typo + * added more resources section + * generic hash + * redundant code cell + * redundant line + * fixed tabbing + 1109413 + diff --git a/packages/p/python-GitPython/CVE-2023-41040.patch b/packages/p/python-GitPython/CVE-2023-41040.patch new file mode 100644 index 00000000000..e75e5043b28 --- /dev/null +++ b/packages/p/python-GitPython/CVE-2023-41040.patch 
@@ -0,0 +1,53 @@
+diff --git a/git/refs/symbolic.py b/git/refs/symbolic.py
+index 33c3bf15b..5c293aa7b 100644
+--- a/git/refs/symbolic.py
++++ b/git/refs/symbolic.py
+@@ -168,6 +168,8 @@ def _get_ref_info_helper(
+ """Return: (str(sha), str(target_ref_path)) if available, the sha the file at
+ rela_path points to, or None. target_ref_path is the reference we
+ point to, or None"""
++ if ".." in str(ref_path):
++ raise ValueError(f"Invalid reference '{ref_path}'")
+ tokens: Union[None, List[str], Tuple[str, str]] = None
+ repodir = _git_dir(repo, ref_path)
+ try:
+diff --git a/test/test_refs.py b/test/test_refs.py
+index 4c421767e..e7526c3b2 100644
+--- a/test/test_refs.py
++++ b/test/test_refs.py
+@@ -5,6 +5,7 @@
+ # the BSD License: http://www.opensource.org/licenses/bsd-license.php
+ 
+ from itertools import chain
++from pathlib import Path
+ 
+ from git import (
+ Reference,
+@@ -20,9 +21,11 @@
+ from git.objects.tag import TagObject
+ from test.lib import TestBase, with_rw_repo
+ from git.util import Actor
++from gitdb.exc import BadName
+ 
+ import git.refs as refs
+ import os.path as osp
++import tempfile
+ 
+ 
+ class TestRefs(TestBase):
+@@ -616,3 +619,15 @@ def test_dereference_recursive(self):
+ 
+ def test_reflog(self):
+ assert isinstance(self.rorepo.heads.master.log(), RefLog)
++
++ def test_refs_outside_repo(self):
++ # Create a file containing a valid reference outside the repository. Attempting
++ # to access it should raise an exception, due to it containing a parent directory
++ # reference ('..'). This tests for CVE-2023-41040.
++ git_dir = Path(self.rorepo.git_dir)
++ repo_parent_dir = git_dir.parent.parent
++ with tempfile.NamedTemporaryFile(dir=repo_parent_dir) as ref_file:
++ ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe")
++ ref_file.flush()
++ ref_file_name = Path(ref_file.name).name
++ self.assertRaises(BadName, self.rorepo.commit, f"../../{ref_file_name}")
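Review bot: The `..` substring guard added at the top of `_get_ref_info_helper` only covers relative traversal; it does not reject an absolute `ref_path`, and if `repodir` and `ref_path` are later combined with `os.path.join` (that call is outside this hunk) an absolute reference name would still resolve to a file outside the repository, because `os.path.join` discards everything before an absolute component. Consider tightening the check to `if ".." in str(ref_path) or os.path.isabs(str(ref_path)):` (assuming `os` is importable in symbolic.py — its import block is not in the hunk), or better, normalise the joined path and reject it unless it still lies under `repodir`. Rejecting any `..` matches git's own refname rules (`git check-ref-format` forbids `..`), so the guard should not break legitimate references. In `test_refs_outside_repo` the assertion expects `BadName` while the guard raises `ValueError`, so the test only passes if the rev-parse path taken by `Repo.commit` translates that exception; adding a direct assertion that the helper itself raises `ValueError` for a `..` path would pin the new guard rather than the translation. `_get_ref_info_helper` begins before the hunk's first line, so the signature and any existing validation of `ref_path` are not visible here.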
diff --git a/packages/p/python-GitPython/GitPython-3.1.32.1689011721.5d45ce2.tar.xz b/packages/p/python-GitPython/GitPython-3.1.32.1689011721.5d45ce2.tar.xz deleted file mode 120000 index 57bd9353c10..00000000000 --- a/packages/p/python-GitPython/GitPython-3.1.32.1689011721.5d45ce2.tar.xz +++ /dev/null @@ -1 +0,0 @@ -/ipfs/bafybeiar4m66up3q5t2mdbpgd4efgg4r34uyx2aq7ustk7hkpre7ibuut4 \ No newline at end of file diff --git a/packages/p/python-GitPython/GitPython-3.1.34.1693646983.2a2ae77.tar.xz b/packages/p/python-GitPython/GitPython-3.1.34.1693646983.2a2ae77.tar.xz new file mode 120000 index 00000000000..0d11fdf5951 --- /dev/null +++ b/packages/p/python-GitPython/GitPython-3.1.34.1693646983.2a2ae77.tar.xz @@ -0,0 +1 @@ +/ipfs/bafybeiabl5bf6rk46budxigfezkphhgfatz47gdiplfndykbenfetlwpbm \ No newline at end of file diff --git a/packages/p/python-GitPython/_service b/packages/p/python-GitPython/_service index 2e3bad5b30e..a94d8287787 100644 --- a/packages/p/python-GitPython/_service +++ b/packages/p/python-GitPython/_service @@ -1,16 +1,16 @@ - - 3.1.32 + + 3.1.34 https://github.com/gitpython-developers/GitPython git yes enable enable - 3.1.32 + 3.1.34 - + xz *.tar - + diff --git a/packages/p/python-GitPython/_servicedata b/packages/p/python-GitPython/_servicedata index 84a09158c56..e503c7d42a4 100644 --- a/packages/p/python-GitPython/_servicedata +++ b/packages/p/python-GitPython/_servicedata @@ -3,4 +3,4 @@ git://github.com/gitpython-developers/GitPython f653af66e4c9461579ec44db50e113facf61e2d3 https://github.com/gitpython-developers/GitPython - 5d45ce243a12669724e969442e6725a894e30fd4 \ No newline at end of file + 2a2ae776825f249a3bb7efd9b08650486226b027 \ No newline at end of file diff --git a/packages/p/python-GitPython/python-GitPython.changes b/packages/p/python-GitPython/python-GitPython.changes index 36ff887acfc..1f57a93dfef 100644 --- a/packages/p/python-GitPython/python-GitPython.changes +++ b/packages/p/python-GitPython/python-GitPython.changes 
@@ -1,3 +1,71 @@ +------------------------------------------------------------------- +Tue Sep 5 08:30:24 UTC 2023 - Daniel Garcia + +- Add CVE-2023-41040.patch to fix directory traversal attack + vulnerability gh#gitpython-developers/GitPython#1644 + bsc#1214810 + +------------------------------------------------------------------- +Tue Sep 05 06:34:12 UTC 2023 - daniel.garcia@suse.com + +- Update _service to use manualrun, disabledrun is deprecated now. +- Update to version 3.1.34.1693646983.2a2ae77: + * prepare patch release + * util: close lockfile after opening successfully + * update instructions for how to create a release + * prepare for next release + * Skip now permanently failing test with note on how to fix it + * Don't check form of version number + * Add a unit test for CVE-2023-40590 + * Fix CVE-2023-40590 + * feat: full typing for "progress" parameter + * Creating a lock now uses python built-in "open()" method to work around docker virtiofs issue + * Disable merge_includes in config writers + * Apply straight-forward typing fixes + * Add missing type annotation + * Run black and exclude submodule + * Allow explicit casting even when slightly redundant + * Ignore remaining [unreachable] type errors + * Define supported version for mypy + * Do not typecheck submodule + * typo + * added more resources section + * generic hash + * redundant code cell + * redundant line + * fixed tabbing + * tabbed all code-blocks + * added new section for diffs and formatting + * formatting wip + * change to formatting - removed = bash cmds + * Added new section to print prev file + * WIP major changes to structure to improve readability + * Removed all reference to source code + * Updated generic sha hash + * Added warning about index add + * Made trees and blobs the first section + * refactored print git tree + * clarified comment + * draft of description + * replaced hash with generic + * replaced output cell to generic commit ID + * removed unnecessary variables + 
* convert from --all flag to all=True + * correct way to get the latest commit tree + * removed try/except and updated sample url + * Updated the sample repo URL + * Made variable names more intuitive + * try to fix CI by making it deal with tags forcefully. + * Removed code from RST + * added quickstart to toctree to fix sphinx warning + * added quickstart to toctree and fixed sphinx warning + * fixed some indentation + * finished code for quickstart + * finished code for quickstart + * Finishing touches for Repo quickstart + * Added git clone & git add + * Made the init repo section of quickdoc + ------------------------------------------------------------------- Mon Aug 21 04:36:14 UTC 2023 - Steve Kowalik diff --git a/packages/p/python-GitPython/python-GitPython.spec b/packages/p/python-GitPython/python-GitPython.spec index 87e723f1b18..40a3ff3f8bb 100644 --- a/packages/p/python-GitPython/python-GitPython.spec +++ b/packages/p/python-GitPython/python-GitPython.spec @@ -17,10 +17,10 @@ %define skip_python2 1 -%define simple_ver 3.1.32 +%define simple_ver 3.1.34 %{?sle15_python_module_pythons} Name: python-GitPython -Version: 3.1.32.1689011721.5d45ce2 +Version: 3.1.34.1693646983.2a2ae77 Release: 0 Summary: Python Git Library License: BSD-3-Clause @@ -28,6 +28,8 @@ URL: https://github.com/gitpython-developers/GitPython Source: GitPython-%{version}.tar.xz Patch0: test-skips.patch Patch1: test_blocking_lock_file-extra-time.patch +# PATCH-FIX-UPSTREAM CVE-2023-41040.patch gh#gitpython-developers/GitPython#1644 +Patch2: CVE-2023-41040.patch BuildRequires: %{python_module ddt >= 1.1.1} BuildRequires: %{python_module gitdb >= 4.0.1} BuildRequires: %{python_module pip} diff --git a/packages/p/python-GitPython/test-skips.patch b/packages/p/python-GitPython/test-skips.patch index b50d68995db..30892ffd184 100644 --- a/packages/p/python-GitPython/test-skips.patch +++ b/packages/p/python-GitPython/test-skips.patch 
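Review bot: The `# PATCH-FIX-UPSTREAM` comment on the new `Patch2:` line cites only the tracking issue gh#gitpython-developers/GitPython#1644, not the upstream commit or release the patch was taken from, so the next updater cannot tell when the patch can be dropped or whether it matches what upstream shipped. Extend the comment with the provenance, e.g. `# PATCH-FIX-UPSTREAM CVE-2023-41040.patch gh#gitpython-developers/GitPython#1644 bsc#1214810 -- backport of the upstream fix, drop once the packaged release contains it`. Whether the patch is applied via `%autosetup -p1` or an explicit `%patch` line is outside this hunk and should be confirmed.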
@@ -5,8 +5,10 @@ test/test_submodule.py | 19 +++++++++++-------- 4 files changed, 18 insertions(+), 10 deletions(-) ---- a/test/test_base.py -+++ b/test/test_base.py +Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_base.py +=================================================================== +--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_base.py ++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_base.py @@ -109,7 +109,8 @@ class TestBase(_TestBase): assert osp.isdir(osp.join(rw_repo.working_tree_dir, "lib")) assert osp.isdir(rw_repo.working_dir) @@ -17,8 +19,10 @@ @with_rw_and_rw_remote_repo("0.1.6") def test_with_rw_remote_and_rw_repo(self, rw_repo, rw_remote_repo): assert not rw_repo.config_reader("repository").getboolean("core", "bare") ---- a/test/test_remote.py -+++ b/test/test_remote.py +Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_remote.py +=================================================================== +--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_remote.py ++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_remote.py @@ -4,6 +4,7 @@ # This module is part of GitPython and is released under # the BSD License: http://www.opensource.org/licenses/bsd-license.php @@ -45,18 +49,22 @@ def test_fetch_error(self): rem = self.rorepo.remote("origin") with self.assertRaisesRegex(GitCommandError, "[Cc]ouldn't find remote ref __BAD_REF__"): ---- a/test/test_repo.py -+++ b/test/test_repo.py +Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_repo.py +=================================================================== +--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_repo.py ++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_repo.py 
@@ -250,6 +250,7 @@ class TestRepo(TestBase): except UnicodeEncodeError: self.fail("Raised UnicodeEncodeError") + @skipIf(os.environ.get('SKIP_GITHUB', 'false') == 'true', 'Gitlab connection error') @with_rw_directory + @skip("the referenced repository was removed, and one needs to setup a new password controlled repo under the orgs control") def test_leaking_password_in_clone_logs(self, rw_dir): - password = "fakepassword1234" ---- a/test/test_submodule.py -+++ b/test/test_submodule.py +Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_submodule.py +=================================================================== +--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_submodule.py ++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_submodule.py @@ -453,14 +453,15 @@ class TestSubmodule(TestBase): reason="Cygwin GitPython can't find submodule SHA", raises=ValueError diff --git a/packages/p/python-GitPython/test_blocking_lock_file-extra-time.patch b/packages/p/python-GitPython/test_blocking_lock_file-extra-time.patch index e8977b17d48..8bf65abd7e9 100644 --- a/packages/p/python-GitPython/test_blocking_lock_file-extra-time.patch +++ b/packages/p/python-GitPython/test_blocking_lock_file-extra-time.patch @@ -2,8 +2,10 @@ test/test_util.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) ---- a/test/test_util.py -+++ b/test/test_util.py +Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_util.py +=================================================================== +--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_util.py ++++ GitPython-3.1.34.1693646983.2a2ae77/test/test_util.py @@ -173,9 +173,7 @@ class TestUtils(TestBase): self.assertRaises(IOError, wait_lock._obtain_lock) elapsed = time.time() - start