pkgsrc-Changes archive

CVS commit: [pkgsrc-2018Q1] pkgsrc/devel



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Fri Jun  8 10:39:05 UTC 2018

Modified Files:
        pkgsrc/devel/git [pkgsrc-2018Q1]: Makefile.version
        pkgsrc/devel/git-base [pkgsrc-2018Q1]: distinfo

Log Message:
Pullup ticket #5769 - requested by leot
devel/git: security fix

This was submitted as a manual patch.

---
   git: Update devel/git to 2.16.4

   Changes:
   Git v2.16.4 Release Notes
   =========================
   This release is to forward-port the fixes made in the v2.13.7 version
   of Git.  See its release notes for details.

   [...2.13.7 release notes...:]

    * Submodule "names" come from the untrusted .gitmodules file, but we
      blindly append them to $GIT_DIR/modules to create our on-disk repo
      paths. This means you can do bad things by putting "../" into the
      name. We now enforce some rules for submodule names which will cause
      Git to ignore these malicious names (CVE-2018-11235).

      Credit for finding this vulnerability and the proof of concept from
      which the test script was adapted goes to Etienne Stalmans.

    * It was possible to trick the code that sanity-checks paths on NTFS
      into reading a random piece of memory (CVE-2018-11233).

   Credit for fixing these bugs goes to Jeff King, Johannes
   Schindelin and others.


To generate a diff of this commit:
cvs rdiff -u -r1.69 -r1.69.2.1 pkgsrc/devel/git/Makefile.version
cvs rdiff -u -r1.78 -r1.78.2.1 pkgsrc/devel/git-base/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/git/Makefile.version
diff -u pkgsrc/devel/git/Makefile.version:1.69 pkgsrc/devel/git/Makefile.version:1.69.2.1
--- pkgsrc/devel/git/Makefile.version:1.69      Sat Mar 24 08:09:40 2018
+++ pkgsrc/devel/git/Makefile.version   Fri Jun  8 10:39:05 2018
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile.version,v 1.69 2018/03/24 08:09:40 adam Exp $
+# $NetBSD: Makefile.version,v 1.69.2.1 2018/06/08 10:39:05 bsiegert Exp $
 #
 # used by devel/git/Makefile.common
 # used by devel/git-cvs/Makefile
 # used by devel/git-svn/Makefile
 
-GIT_VERSION=   2.16.3
+GIT_VERSION=   2.16.4
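
Review bot: GIT_VERSION on the last line moves to 2.16.4, and the header comments say this file is used by devel/git/Makefile.common, devel/git-cvs/Makefile and devel/git-svn/Makefile, yet the only distinfo touched in this commit is devel/git-base/distinfo. It is worth confirming in the ticket that git-cvs and git-svn take their checksums from that file, so that every package picking up the new version still passes the checksum stage on the pkgsrc-2018Q1 branch.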

Index: pkgsrc/devel/git-base/distinfo
diff -u pkgsrc/devel/git-base/distinfo:1.78 pkgsrc/devel/git-base/distinfo:1.78.2.1
--- pkgsrc/devel/git-base/distinfo:1.78 Sat Mar 24 08:09:40 2018
+++ pkgsrc/devel/git-base/distinfo      Fri Jun  8 10:39:05 2018
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.78 2018/03/24 08:09:40 adam Exp $
+$NetBSD: distinfo,v 1.78.2.1 2018/06/08 10:39:05 bsiegert Exp $
 
-SHA1 (git-2.16.3.tar.xz) = e54fbd04232e8b949764b414c46aea73cca16af0
-RMD160 (git-2.16.3.tar.xz) = 65229a65b041dc7cf0ee028b79f60f0eb424c1db
-SHA512 (git-2.16.3.tar.xz) = 73520cf3500b2d13b77eb1e5ec0d60263aad07732d25631732f0d986abd023f97b8a6db4abff64d342cb053018289b5f7a3e32f10b86bd9092a37ee0585adc8a
-Size (git-2.16.3.tar.xz) = 4966248 bytes
+SHA1 (git-2.16.4.tar.xz) = de89995ea1551755f41ca621a375b6ad42264421
+RMD160 (git-2.16.4.tar.xz) = aa3c1ec4090d0c4d75946ad5b49cd2fd530fe1b0
+SHA512 (git-2.16.4.tar.xz) = f54e431e78289349dcb927ec34873dfb801c49a41cbb3d0138346d603af26bd7d86f9ac95e7a61a4831017f3503f33374510ccf68b0e62b0691fc5a43283f1ac
+Size (git-2.16.4.tar.xz) = 4968252 bytes
 SHA1 (patch-aa) = a58f3c2f45c1fbafd751d10b9ef34e6c9afc2c6f
 SHA1 (patch-ac) = e5d2112d158fe493a89b244a10d2e4b998a23d98
 SHA1 (patch-ae) = 9bc2e6c7f0a8fbc385b6ffda638d3245a62dc5ca
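
Review bot: the SHA1, RMD160, SHA512 and Size lines for git-2.16.4.tar.xz arrive through what the log calls a manually submitted patch, so regenerate them with `make makesum` against an independently fetched tarball and compare before relying on them. The patch-aa, patch-ac and patch-ae checksums are unchanged context, which assumes those patches still apply cleanly to 2.16.4; a test build on the branch would confirm that.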



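The submodule-name problem described in the quoted 2.13.7 release notes can be audited for in a repository's `.gitmodules` before an unpatched client touches it. The following is an added example, not part of the commit message and not Git's own code; the rule it checks (no empty name, no `..` path component with either `/` or `\` as separator) is this example's reading of the "../" description, and the function names and sample data are constructed for illustration.

```python
import re

# Matches a git-config section header such as: [submodule "libs/foo"]
_HEADER = re.compile(
    r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\s*\]',
    re.MULTILINE | re.IGNORECASE,
)


def unescape(raw):
    """Undo git-config quoting: a backslash makes the next character literal."""
    return re.sub(r'\\(.)', r'\1', raw)


def is_safe_submodule_name(name):
    """Reject empty names and names with '..' as a path component.

    Both '/' and '\\' count as separators so the verdict is the same on
    every platform.
    """
    if not name:
        return False
    return ".." not in re.split(r'[/\\]', name)


def audit_gitmodules(text):
    """Return the submodule names in a .gitmodules body that fail the check."""
    names = (unescape(m.group(1)) for m in _HEADER.finditer(text))
    return [n for n in names if not is_safe_submodule_name(n)]


# Constructed sample .gitmodules content (not taken from any real repository).
SAMPLE = r'''
[submodule "vendor/libfoo"]
	path = vendor/libfoo
	url = https://example.org/libfoo.git
[submodule "../../modules/evil"]
	path = evil
	url = https://example.org/evil.git
[submodule "docs..v2"]
	path = docs
	url = https://example.org/docs.git
[submodule "a\\..\\b"]
	path = b
	url = https://example.org/b.git
'''

if __name__ == "__main__":
    for bad in audit_gitmodules(SAMPLE):
        print("unsafe submodule name:", bad)
```

A name such as `docs..v2` passes because `..` only matters as a whole path component, while the backslash-separated entry is flagged after config unescaping.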