!39 Fix CVE-2021-29468 and add gcc and gettext to BuildRequires

From: @panxh_purple
Reviewed-by: @openeuler-basic
Signed-off-by: @openeuler-basic

backport-CVE-2021-29468-cygwin-disallow-backslashes-in-file-names.patch

@@ -0,0 +1,111 @@
+From bccc37fdc7ec66377af454417013f7612aef75e6 Mon Sep 17 00:00:00 2001
+From: Adam Dinwoodie <adam@dinwoodie.org>
+Date: Thu, 29 Apr 2021 21:11:44 +0100
+Subject: [PATCH] cygwin: disallow backslashes in file names
+
+The backslash character is not a valid part of a file name on Windows.
+If, in Windows, Git attempts to write a file that has a backslash
+character in the filename, it will be incorrectly interpreted as a
+directory separator.
+
+This caused CVE-2019-1354 in MinGW, as this behaviour can be manipulated
+to cause the checkout to write to files it ought not write to, such as
+adding code to the .git/hooks directory.  This was fixed by e1d911dd4c
+(mingw: disallow backslash characters in tree objects' file names,
+2019-09-12).  However, the vulnerability also exists in Cygwin: while
+Cygwin mostly provides a POSIX-like path system, it will still interpret
+a backslash as a directory separator.
+
+To avoid this vulnerability, CVE-2021-29468, extend the previous fix to
+also apply to Cygwin.
+
+Similarly, extend the test case added by the previous version of the
+commit.  The test suite doesn't have an easy way to say "run this test
+if in MinGW or Cygwin", so add a new test prerequisite that covers both.
+
+As well as checking behaviour in the presence of paths containing
+backslashes, the existing test also checks behaviour in the presence of
+paths that differ only by the presence of a trailing ".".  MinGW follows
+normal Windows application behaviour and treats them as the same path,
+but Cygwin more closely emulates *nix systems (at the expense of
+compatibility with native Windows applications) and will create and
+distinguish between such paths.  Gate the relevant bit of that test
+accordingly.
+
+Reported-by: RyotaK <security@ryotak.me>
+Helped-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+Signed-off-by: Adam Dinwoodie <adam@dinwoodie.org>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ read-cache.c               |  2 +-
+ t/t7415-submodule-names.sh | 13 ++++++++-----
+ t/test-lib.sh              |  2 ++
+ 3 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/read-cache.c b/read-cache.c
+index 5a907af..b6c13bc 100644
+--- a/read-cache.c
++++ b/read-cache.c
+@@ -985,7 +985,7 @@ int verify_path(const char *path, unsigned mode)
+ 				}
+ 			}
+ 			if (protect_ntfs) {
+-#ifdef GIT_WINDOWS_NATIVE
++#if defined GIT_WINDOWS_NATIVE || defined __CYGWIN__
+ 				if (c == '\\')
+ 					return 0;
+ #endif
+diff --git a/t/t7415-submodule-names.sh b/t/t7415-submodule-names.sh
+index f70368b..6bf098a 100755
+--- a/t/t7415-submodule-names.sh
++++ b/t/t7415-submodule-names.sh
+@@ -191,7 +191,7 @@ test_expect_success 'fsck detects corrupt .gitmodules' '
+ 	)
+ '
+ 
+-test_expect_success MINGW 'prevent git~1 squatting on Windows' '
++test_expect_success WINDOWS 'prevent git~1 squatting on Windows' '
+ 	git init squatting &&
+ 	(
+ 		cd squatting &&
+@@ -219,10 +219,13 @@ test_expect_success MINGW 'prevent git~1 squatting on Windows' '
+ 		test_tick &&
+ 		git -c core.protectNTFS=false commit -m "module"
+ 	) &&
+-	test_must_fail git -c core.protectNTFS=false \
+-		clone --recurse-submodules squatting squatting-clone 2>err &&
+-	test_i18ngrep -e "directory not empty" -e "not an empty directory" err &&
+-	! grep gitdir squatting-clone/d/a/git~2
++	if test_have_prereq MINGW
++	then
++		test_must_fail git -c core.protectNTFS=false \
++			clone --recurse-submodules squatting squatting-clone 2>err &&
++		test_i18ngrep -e "directory not empty" -e "not an empty directory" err &&
++		! grep gitdir squatting-clone/d/a/git~2
++	fi
+ '
+ 
+ test_expect_success 'git dirs of sibling submodules must not be nested' '
+diff --git a/t/test-lib.sh b/t/test-lib.sh
+index d3f6af6..e84b8c8 100644
+--- a/t/test-lib.sh
++++ b/t/test-lib.sh
+@@ -1457,6 +1457,7 @@ case $uname_s in
+ 	test_set_prereq NATIVE_CRLF
+ 	test_set_prereq SED_STRIPS_CR
+ 	test_set_prereq GREP_STRIPS_CR
++	test_set_prereq WINDOWS
+ 	GIT_TEST_CMP=mingw_test_cmp
+ 	;;
+ *CYGWIN*)
+@@ -1465,6 +1466,7 @@ case $uname_s in
+ 	test_set_prereq CYGWIN
+ 	test_set_prereq SED_STRIPS_CR
+ 	test_set_prereq GREP_STRIPS_CR
++	test_set_prereq WINDOWS
+ 	;;
+ *)
+ 	test_set_prereq POSIXPERM
+-- 
+1.8.3.1
+

backport-t4210-detect-REG_ILLSEQ-dynamically-and-skip-affecte.patch

@@ -0,0 +1,168 @@
+From c4c2a96ec73775b1a4d4d850bb9ae7f50bc6912e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Carlo=20Marcelo=20Arenas=20Bel=C3=B3n?= <carenas@gmail.com>
+Date: Mon, 18 May 2020 11:44:16 -0700
+Subject: [PATCH] t4210: detect REG_ILLSEQ dynamically and skip affected tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+7187c7bbb8 (t4210: skip i18n tests that don't work on FreeBSD, 2019-11-27)
+adds a REG_ILLSEQ prerequisite, and to do that copies the common branch in
+test-lib and expands it to include it in a special case for FreeBSD.
+
+Instead; test for it using a previously added extension to test-tool and
+use that, together with a function that identifies when regcomp/regexec
+will be called with broken patterns to avoid any test that would otherwise
+rely on undefined behaviour.
+
+The description of the first test which wasn't accurate has been corrected,
+and the test rearranged for clarity, including a helper function that avoids
+overly long lines.
+
+Only the affected engines will have their tests suppressed, also including
+"fixed" if the PCRE optimization that uses LIBPCRE2 since b65abcafc7
+(grep: use PCRE v2 for optimized fixed-string search, 2019-07-01) is not
+available.
+
+Helped-by: Eric Sunshine <sunshine@sunshineco.com>
+Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ t/t4210-log-i18n.sh | 77 ++++++++++++++++++++++++++++++++++++++++-------------
+ t/test-lib.sh       |  6 -----
+ 2 files changed, 59 insertions(+), 24 deletions(-)
+
+diff --git a/t/t4210-log-i18n.sh b/t/t4210-log-i18n.sh
+index c379208..d2dfcf1 100755
+--- a/t/t4210-log-i18n.sh
++++ b/t/t4210-log-i18n.sh
+@@ -10,6 +10,13 @@ latin1_e=$(printf '\351')
+ # invalid UTF-8
+ invalid_e=$(printf '\303\50)') # ")" at end to close opening "("
+ 
++have_reg_illseq=
++if test_have_prereq GETTEXT_LOCALE &&
++	! LC_ALL=$is_IS_locale test-tool regex --silent $latin1_e
++then
++	have_reg_illseq=1
++fi
++
+ test_expect_success 'create commits in different encodings' '
+ 	test_tick &&
+ 	cat >msg <<-EOF &&
+@@ -51,43 +58,77 @@ test_expect_success !MINGW 'log --grep does not find non-reencoded values (utf8)
+ 	test_must_be_empty actual
+ '
+ 
+-test_expect_success !MINGW 'log --grep does not find non-reencoded values (latin1)' '
++test_expect_success 'log --grep does not find non-reencoded values (latin1)' '
+ 	git log --encoding=ISO-8859-1 --format=%s --grep=$utf8_e >actual &&
+ 	test_must_be_empty actual
+ '
+ 
++triggers_undefined_behaviour () {
++	local engine=$1
++
++	case $engine in
++	fixed)
++		if test -n "$have_reg_illseq" &&
++			! test_have_prereq LIBPCRE2
++		then
++			return 0
++		fi
++		;;
++	basic|extended)
++		if test -n "$have_reg_illseq"
++		then
++			return 0
++		fi
++		;;
++	esac
++	return 1
++}
++
++mismatched_git_log () {
++	local pattern=$1
++
++	LC_ALL=$is_IS_locale git log --encoding=ISO-8859-1 --format=%s \
++		--grep=$pattern
++}
++
+ for engine in fixed basic extended perl
+ do
+ 	prereq=
+ 	if test $engine = "perl"
+ 	then
+-		prereq="PCRE"
+-	else
+-		prereq=""
++		prereq=PCRE
+ 	fi
+ 	force_regex=
+ 	if test $engine != "fixed"
+ 	then
+-	    force_regex=.*
++		force_regex='.*'
+ 	fi
+-	test_expect_success !MINGW,!REGEX_ILLSEQ,GETTEXT_LOCALE,$prereq "-c grep.patternType=$engine log --grep does not find non-reencoded values (latin1 + locale)" "
+-		cat >expect <<-\EOF &&
+-		latin1
+-		utf8
+-		EOF
+-		LC_ALL=\"$is_IS_locale\" git -c grep.patternType=$engine log --encoding=ISO-8859-1 --format=%s --grep=\"$force_regex$latin1_e\" >actual &&
+-		test_cmp expect actual
+-	"
+ 
+-	test_expect_success !MINGW,GETTEXT_LOCALE,$prereq "-c grep.patternType=$engine log --grep does not find non-reencoded values (latin1 + locale)" "
+-		LC_ALL=\"$is_IS_locale\" git -c grep.patternType=$engine log --encoding=ISO-8859-1 --format=%s --grep=\"$force_regex$utf8_e\" >actual &&
+-		test_must_be_empty actual
++	test_expect_success $prereq "config grep.patternType=$engine" "
++		git config grep.patternType $engine
+ 	"
+ 
+-	test_expect_success !MINGW,!REGEX_ILLSEQ,GETTEXT_LOCALE,$prereq "-c grep.patternType=$engine log --grep does not die on invalid UTF-8 value (latin1 + locale + invalid needle)" "
+-		LC_ALL=\"$is_IS_locale\" git -c grep.patternType=$engine log --encoding=ISO-8859-1 --format=%s --grep=\"$force_regex$invalid_e\" >actual &&
++	test_expect_success GETTEXT_LOCALE,$prereq "log --grep does not find non-reencoded values (latin1 + locale)" "
++		mismatched_git_log '$force_regex$utf8_e' >actual &&
+ 		test_must_be_empty actual
+ 	"
++
++	if ! triggers_undefined_behaviour $engine
++	then
++		test_expect_success !MINGW,GETTEXT_LOCALE,$prereq "log --grep searches in log output encoding (latin1 + locale)" "
++			cat >expect <<-\EOF &&
++			latin1
++			utf8
++			EOF
++			mismatched_git_log '$force_regex$latin1_e' >actual &&
++			test_cmp expect actual
++		"
++
++		test_expect_success GETTEXT_LOCALE,$prereq "log --grep does not die on invalid UTF-8 value (latin1 + locale + invalid needle)" "
++			mismatched_git_log '$force_regex$invalid_e' >actual &&
++			test_must_be_empty actual
++		"
++	fi
+ done
+ 
+ test_done
+diff --git a/t/test-lib.sh b/t/test-lib.sh
+index 0ea1e5a..81473fe 100644
+--- a/t/test-lib.sh
++++ b/t/test-lib.sh
+@@ -1454,12 +1454,6 @@ case $uname_s in
+ 	test_set_prereq SED_STRIPS_CR
+ 	test_set_prereq GREP_STRIPS_CR
+ 	;;
+-FreeBSD)
+-	test_set_prereq REGEX_ILLSEQ
+-	test_set_prereq POSIXPERM
+-	test_set_prereq BSLASHPSPEC
+-	test_set_prereq EXECKEEPSPID
+-	;;
+ *)
+ 	test_set_prereq POSIXPERM
+ 	test_set_prereq BSLASHPSPEC
+-- 
+1.8.3.1
+

git.spec

@@ -1,7 +1,7 @@
 %global gitexecdir          %{_libexecdir}/git-core
 Name:       git
 Version:    2.27.0
-Release:    3
+Release:    4
 Summary:    A popular and widely used Version Control System
 License:    GPLv2+ or LGPLv2.1
 URL:        https://git-scm.com/
@@ -12,8 +12,11 @@ Source100:  git-gui.desktop
 Source101:  git@.service.in
 Source102:  git.socket
 
-Patch1:	    backport-CVE-2021-21300.patch
+Patch1:     backport-CVE-2021-21300.patch
+Patch2:     backport-t4210-detect-REG_ILLSEQ-dynamically-and-skip-affecte.patch
+Patch3:     backport-CVE-2021-29468-cygwin-disallow-backslashes-in-file-names.patch
 
+BuildRequires: gcc gettext
 BuildRequires: openssl-devel libcurl-devel expat-devel systemd asciidoc xmlto glib2-devel libsecret-devel pcre-devel desktop-file-utils
 BuildRequires: python3-devel perl-generators perl-interpreter perl-Error perl(Test::More) perl-MailTools perl(Test) gdb
 Requires:      less zlib openssh-clients perl(Term::ReadKey) perl-Git
@@ -261,11 +264,16 @@ make test
 %{_mandir}/man7/git*.7.*
 
 %changelog
+* Fri May 28 2021 panxiaohe <panxiaohe@huawei.com> - 2.27.0-4
+- Fix CVE-2021-29468
+- Add gcc and gettext to BuildRequires
+  - necessary for building and msgfmt command
+
 * Thu Mar 18 2021 lirui <lirui130@huawei.com> - 2.27.0-3
 - Type:CVE
 - ID:NA
 - SUG:NA
-- DESC:CVE-2021-21300
+- DESC:Fix CVE-2021-21300
 
 * Fri Sep 25 2020 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 2.27.0-2
 - Type:bugfix