diff -Nru git-2.34.1/debian/changelog git-2.34.1/debian/changelog --- git-2.34.1/debian/changelog 2023-02-08 13:57:45.000000000 +0000 +++ git-2.34.1/debian/changelog 2023-04-26 09:43:33.000000000 +0000 @@ -1,3 +1,27 @@ +git (1:2.34.1-1ubuntu1.9) jammy-security; urgency=medium + + * SECURITY UPDATE: Overwriting path + - debian/patches/CVE-2023_25652_25815_29007/0022-*.patch: apply + --reject overwriting existing .rej symlink if it exists in apply.c, + t/t4115-apply-symlink.sh. + - CVE-2023-25652 + * SECURITY UPDATE: Malicious placement of crafted messages + - debian/patches/CVE-2023_25652_25815_29007/0024-*patch: + avoid using gettext if the locale dir is not present in + gettext.c. + - CVE-2023-25815 + * SECURITY UPDATE: Arbitrary configuration injection + - debian/patches/CVE-2023_25652_25815_29007/0025-*.patch: avoid + fixed-sized buffer when renaming/deleting a section in config.c, + t/t1300-config.sh. + - debian/patches/CVE-2023_25652_25815_29007/0026-*.patch: avoid + integer truncation in copy_or_rename_section_in_file() in config.c. + - debian/patches/CVE-2023_25652_25815_29007/0027-*.patch: disallow + overly-long lines in copy_or_rename_section_in_file in config.c. + - CVE-2023-29007 + + -- Leonidas Da Silva Barbosa Wed, 26 Apr 2023 06:43:33 -0300 + git (1:2.34.1-1ubuntu1.8) jammy-security; urgency=medium * SECURITY UPDATE: Overwritten path and using diff -Nru git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0022-apply-reject-overwrite-existing-.rej-symlink-if-it-e.patch git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0022-apply-reject-overwrite-existing-.rej-symlink-if-it-e.patch --- git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0022-apply-reject-overwrite-existing-.rej-symlink-if-it-e.patch 1970-01-01 00:00:00.000000000 +0000 +++ git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0022-apply-reject-overwrite-existing-.rej-symlink-if-it-e.patch 2023-04-26 09:42:05.000000000 +0000 @@ -0,0 +1,87 @@ +From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin +Date: Thu, 9 Mar 2023 16:02:54 +0100 +Subject: [PATCH 22/28] apply --reject: overwrite existing `.rej` symlink if it + exists + +The `git apply --reject` is expected to write out `.rej` files in case +one or more hunks fail to apply cleanly. Historically, the command +overwrites any existing `.rej` files. The idea being that +apply/reject/edit cycles are relatively common, and the generated `.rej` +files are not considered precious. + +But the command does not overwrite existing `.rej` symbolic links, and +instead follows them. This is unsafe because the same patch could +potentially create such a symbolic link and point at arbitrary paths +outside the current worktree, and `git apply` would write the contents +of the `.rej` file into that location. + +Therefore, let's make sure that any existing `.rej` file or symbolic +link is removed before writing it. + +Reported-by: RyotaK +Helped-by: Taylor Blau +Helped-by: Junio C Hamano +Helped-by: Linus Torvalds +Signed-off-by: Johannes Schindelin +--- + apply.c | 14 ++++++++++++-- + t/t4115-apply-symlink.sh | 15 +++++++++++++++ + 2 files changed, 27 insertions(+), 2 deletions(-) + +Index: git-2.34.1/apply.c +=================================================================== +--- git-2.34.1.orig/apply.c ++++ git-2.34.1/apply.c +@@ -4582,7 +4582,7 @@ static int write_out_one_reject(struct a + FILE *rej; + char namebuf[PATH_MAX]; + struct fragment *frag; +- int cnt = 0; ++ int fd, cnt = 0; + struct strbuf sb = STRBUF_INIT; + + for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) { +@@ -4622,7 +4622,17 @@ static int write_out_one_reject(struct a + memcpy(namebuf, patch->new_name, cnt); + memcpy(namebuf + cnt, ".rej", 5); + +- rej = fopen(namebuf, "w"); ++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); ++ if (fd < 0) { ++ if (errno != EEXIST) ++ return error_errno(_("cannot open %s"), namebuf); ++ if (unlink(namebuf)) ++ return error_errno(_("cannot unlink '%s'"), namebuf); ++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); ++ if (fd < 0) ++ return error_errno(_("cannot open %s"), namebuf); ++ } ++ rej = fdopen(fd, "w"); + if (!rej) + return error_errno(_("cannot open %s"), namebuf); + +Index: git-2.34.1/t/t4115-apply-symlink.sh +=================================================================== +--- git-2.34.1.orig/t/t4115-apply-symlink.sh ++++ git-2.34.1/t/t4115-apply-symlink.sh +@@ -125,4 +125,19 @@ test_expect_success SYMLINKS 'symlink es + test_path_is_file .git/delete-me + ' + ++test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' ' ++ test_when_finished "git reset --hard && git clean -dfx" && ++ ++ test_commit file && ++ echo modified >file.t && ++ git diff -- file.t >patch && ++ echo modified-again >file.t && ++ ++ ln -s foo file.t.rej && ++ test_must_fail git apply patch --reject 2>err && ++ test_i18ngrep "Rejected hunk" err && ++ test_path_is_missing foo && ++ test_path_is_file file.t.rej ++' ++ + test_done diff -Nru git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0023-t1300-demonstrate-failure-when-renaming-sections-wit.patch git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0023-t1300-demonstrate-failure-when-renaming-sections-wit.patch --- git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0023-t1300-demonstrate-failure-when-renaming-sections-wit.patch 1970-01-01 00:00:00.000000000 +0000 +++ git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0023-t1300-demonstrate-failure-when-renaming-sections-wit.patch 2023-04-26 09:42:53.000000000 +0000 @@ -0,0 +1,72 @@ +From 29198213c9163c1d552ee2bdbf78d2b09ccc98b8 Mon Sep 17 00:00:00 2001 +From: Taylor Blau +Date: Thu, 6 Apr 2023 11:42:03 -0400 +Subject: [PATCH 23/28] t1300: demonstrate failure when renaming sections with + long lines + +When renaming a configuration section which has an entry whose length +exceeds the size of our buffer in config.c's implementation of +`git_config_copy_or_rename_section_in_file()`, Git will incorrectly +form a new configuration section with part of the data in the section +being removed. + +In this instance, our first configuration file looks something like: + + [b] + c = d [a] e = f + [a] + g = h + +Here, we have two configuration values, "b.c", and "a.g". The value "[a] +e = f" belongs to the configuration value "b.c", and does not form its +own section. + +However, when renaming the section 'a' to 'xyz', Git will write back +"[xyz]\ne = f", but "[xyz]" is still attached to the value of "b.c", +which is why "e = f" on its own line becomes a new entry called "b.e". + +A slightly different example embeds the section being renamed within +another section. + +Demonstrate this failure in a test in t1300, which we will fix in the +following commit. + +Co-authored-by: Johannes Schindelin +Helped-by: Jeff King +Signed-off-by: Johannes Schindelin +Signed-off-by: Taylor Blau +--- + t/t1300-config.sh | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +Index: git-2.34.1/t/t1300-config.sh +=================================================================== +--- git-2.34.1.orig/t/t1300-config.sh ++++ git-2.34.1/t/t1300-config.sh +@@ -616,6 +616,26 @@ test_expect_success 'renaming to bogus s + test_must_fail git config --rename-section branch.zwei "bogus name" + ' + ++test_expect_failure 'renaming a section with a long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %1024s [a] e = f\\n" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ git config -f y --rename-section a xyz && ++ test_must_fail git config -f y b.e ++' ++ ++test_expect_failure 'renaming an embedded section with a long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %1024s [a] [foo] e = f\\n" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ git config -f y --rename-section a xyz && ++ test_must_fail git config -f y foo.e ++' ++ + cat >> .git/config << EOF + [branch "zwei"] a = 1 [branch "vier"] + EOF diff -Nru git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0024-gettext-avoid-using-gettext-if-the-locale-dir-is-not.patch git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0024-gettext-avoid-using-gettext-if-the-locale-dir-is-not.patch --- git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0024-gettext-avoid-using-gettext-if-the-locale-dir-is-not.patch 1970-01-01 00:00:00.000000000 +0000 +++ git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0024-gettext-avoid-using-gettext-if-the-locale-dir-is-not.patch 2023-04-26 09:41:18.000000000 +0000 @@ -0,0 +1,82 @@ +From c4137be0f5a6edf9a9044e6e43ecf4468c7a4046 Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin +Date: Wed, 22 Feb 2023 12:40:55 +0100 +Subject: [PATCH 24/28] gettext: avoid using gettext if the locale dir is not + present + +In cc5e1bf99247 (gettext: avoid initialization if the locale dir is not +present, 2018-04-21) Git was taught to avoid a costly gettext start-up +when there are not even any localized messages to work with. + +But we still called `gettext()` and `ngettext()` functions. + +Which caused a problem in Git for Windows when the libgettext that is +consumed from the MSYS2 project stopped using a runtime prefix in +https://github.com/msys2/MINGW-packages/pull/10461 + +Due to that change, we now use an unintialized gettext machinery that +might get auto-initialized _using an unintended locale directory_: +`C:\mingw64\share\locale`. + +Let's record the fact when the gettext initialization was skipped, and +skip calling the gettext functions accordingly. + +This addresses CVE-2023-25815. + +Signed-off-by: Johannes Schindelin +Index: git-2.37.2/gettext.c +=================================================================== +--- git-2.37.2.orig/gettext.c ++++ git-2.37.2/gettext.c +@@ -102,6 +102,8 @@ static void init_gettext_charset(const c + setlocale(LC_CTYPE, "C"); + } + ++int git_gettext_enabled = 0; ++ + void git_setup_gettext(void) + { + const char *podir = getenv(GIT_TEXT_DOMAIN_DIR_ENVIRONMENT); +@@ -121,6 +123,8 @@ void git_setup_gettext(void) + init_gettext_charset("git"); + textdomain("git"); + ++ git_gettext_enabled = 1; ++ + free(p); + } + +Index: git-2.37.2/gettext.h +=================================================================== +--- git-2.37.2.orig/gettext.h ++++ git-2.37.2/gettext.h +@@ -29,9 +29,11 @@ + #define FORMAT_PRESERVING(n) __attribute__((format_arg(n))) + + #ifndef NO_GETTEXT ++extern int git_gettext_enabled; + void git_setup_gettext(void); + int gettext_width(const char *s); + #else ++#define git_gettext_enabled (0) + static inline void git_setup_gettext(void) + { + } +@@ -45,12 +47,17 @@ static inline FORMAT_PRESERVING(1) const + { + if (!*msgid) + return ""; ++ if(!git_gettext_enabled) ++ return msgid; + return gettext(msgid); + } + + static inline FORMAT_PRESERVING(1) FORMAT_PRESERVING(2) + const char *Q_(const char *msgid, const char *plu, unsigned long n) + { ++ ++ if(!git_gettext_enabled) ++ return n == 1 ? msgid: plu; + return ngettext(msgid, plu, n); + } + diff -Nru git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0025-config-avoid-fixed-sized-buffer-when-renaming-deleti.patch git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0025-config-avoid-fixed-sized-buffer-when-renaming-deleti.patch --- git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0025-config-avoid-fixed-sized-buffer-when-renaming-deleti.patch 1970-01-01 00:00:00.000000000 +0000 +++ git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0025-config-avoid-fixed-sized-buffer-when-renaming-deleti.patch 2023-04-26 09:43:01.000000000 +0000 @@ -0,0 +1,143 @@ +From a5bb10fd5e74101e7c07da93e7c32bbe60f6173a Mon Sep 17 00:00:00 2001 +From: Taylor Blau +Date: Thu, 6 Apr 2023 14:07:58 -0400 +Subject: [PATCH 25/28] config: avoid fixed-sized buffer when renaming/deleting + a section +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When renaming (or deleting) a section of configuration, Git uses the +function `git_config_copy_or_rename_section_in_file()` to rewrite the +configuration file after applying the rename or deletion to the given +section. + +To do this, Git repeatedly calls `fgets()` to read the existing +configuration data into a fixed size buffer. + +When the configuration value under `old_name` exceeds the size of the +buffer, we will call `fgets()` an additional time even if there is no +newline in the configuration file, since our read length is capped at +`sizeof(buf)`. + +If the first character of the buffer (after zero or more characters +satisfying `isspace()`) is a '[', Git will incorrectly treat it as +beginning a new section when the original section is being removed. In +other words, a configuration value satisfying this criteria can +incorrectly be considered as a new secftion instead of a variable in the +original section. + +Avoid this issue by using a variable-width buffer in the form of a +strbuf rather than a fixed-with region on the stack. A couple of small +points worth noting: + + - Using a strbuf will cause us to allocate arbitrary sizes to match + the length of each line. In practice, we don't expect any + reasonable configuration files to have lines that long, and a + bandaid will be introduced in a later patch to ensure that this is + the case. + + - We are using strbuf_getwholeline() here instead of strbuf_getline() + in order to match `fgets()`'s behavior of leaving the trailing LF + character on the buffer (as well as a trailing NUL). + + This could be changed later, but using strbuf_getwholeline() changes + the least about this function's implementation, so it is picked as + the safest path. + + - It is temping to want to replace the loop to skip over characters + matching isspace() at the beginning of the buffer with a convenience + function like `strbuf_ltrim()`. But this is the wrong approach for a + couple of reasons: + + First, it involves a potentially large and expensive `memmove()` + which we would like to avoid. Second, and more importantly, we also + *do* want to preserve those spaces to avoid changing the output of + other sections. + +In all, this patch is a minimal replacement of the fixed-width buffer in +`git_config_copy_or_rename_section_in_file()` to instead use a `struct +strbuf`. + +Reported-by: André Baptista +Reported-by: Vítor Pinho +Helped-by: Patrick Steinhardt +Co-authored-by: Johannes Schindelin +Signed-off-by: Johannes Schindelin +Signed-off-by: Taylor Blau +--- + config.c | 13 +++++++------ + t/t1300-config.sh | 4 ++-- + 2 files changed, 9 insertions(+), 8 deletions(-) + +Index: git-2.34.1/config.c +=================================================================== +--- git-2.34.1.orig/config.c ++++ git-2.34.1/config.c +@@ -3252,7 +3252,7 @@ static int git_config_copy_or_rename_sec + char *filename_buf = NULL; + struct lock_file lock = LOCK_INIT; + int out_fd; +- char buf[1024]; ++ struct strbuf buf = STRBUF_INIT; + FILE *config_file = NULL; + struct stat st; + struct strbuf copystr = STRBUF_INIT; +@@ -3293,14 +3293,14 @@ static int git_config_copy_or_rename_sec + goto out; + } + +- while (fgets(buf, sizeof(buf), config_file)) { ++ while (!strbuf_getwholeline(&buf, config_file, '\n')) { + unsigned i; + int length; + int is_section = 0; +- char *output = buf; +- for (i = 0; buf[i] && isspace(buf[i]); i++) ++ char *output = buf.buf; ++ for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++) + ; /* do nothing */ +- if (buf[i] == '[') { ++ if (buf.buf[i] == '[') { + /* it's a section */ + int offset; + is_section = 1; +@@ -3319,7 +3319,7 @@ static int git_config_copy_or_rename_sec + strbuf_reset(©str); + } + +- offset = section_name_match(&buf[i], old_name); ++ offset = section_name_match(&buf.buf[i], old_name); + if (offset > 0) { + ret++; + if (new_name == NULL) { +@@ -3394,6 +3394,7 @@ out: + out_no_rollback: + free(filename_buf); + config_store_data_clear(&store); ++ strbuf_release(&buf); + return ret; + } + +Index: git-2.34.1/t/t1300-config.sh +=================================================================== +--- git-2.34.1.orig/t/t1300-config.sh ++++ git-2.34.1/t/t1300-config.sh +@@ -616,7 +616,7 @@ test_expect_success 'renaming to bogus s + test_must_fail git config --rename-section branch.zwei "bogus name" + ' + +-test_expect_failure 'renaming a section with a long line' ' ++test_expect_success 'renaming a section with a long line' ' + { + printf "[b]\\n" && + printf " c = d %1024s [a] e = f\\n" " " && +@@ -626,7 +626,7 @@ test_expect_failure 'renaming a section + test_must_fail git config -f y b.e + ' + +-test_expect_failure 'renaming an embedded section with a long line' ' ++test_expect_success 'renaming an embedded section with a long line' ' + { + printf "[b]\\n" && + printf " c = d %1024s [a] [foo] e = f\\n" " " && diff -Nru git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0026-config.c-avoid-integer-truncation-in-copy_or_rename_.patch git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0026-config.c-avoid-integer-truncation-in-copy_or_rename_.patch --- git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0026-config.c-avoid-integer-truncation-in-copy_or_rename_.patch 1970-01-01 00:00:00.000000000 +0000 +++ git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0026-config.c-avoid-integer-truncation-in-copy_or_rename_.patch 2023-04-26 09:43:11.000000000 +0000 @@ -0,0 +1,62 @@ +From e91cfe6085c4a61372d1f800b473b73b8d225d0d Mon Sep 17 00:00:00 2001 +From: Taylor Blau +Date: Thu, 6 Apr 2023 14:28:53 -0400 +Subject: [PATCH 26/28] config.c: avoid integer truncation in + `copy_or_rename_section_in_file()` + +There are a couple of spots within `copy_or_rename_section_in_file()` +that incorrectly use an `int` to track an offset within a string, which +may truncate or wrap around to a negative value. + +Historically it was impossible to have a line longer than 1024 bytes +anyway, since we used fgets() with a fixed-size buffer of exactly that +length. But the recent change to use a strbuf permits us to read lines +of arbitrary length, so it's possible for a malicious input to cause us +to overflow past INT_MAX and do an out-of-bounds array read. + +Practically speaking, however, this should never happen, since it +requires 2GB section names or values, which are unrealistic in +non-malicious circumstances. + +Co-authored-by: Jeff King +Signed-off-by: Jeff King +Signed-off-by: Taylor Blau +--- + config.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +Index: git-2.34.1/config.c +=================================================================== +--- git-2.34.1.orig/config.c ++++ git-2.34.1/config.c +@@ -3188,9 +3188,10 @@ void git_config_set_multivar(const char + flags); + } + +-static int section_name_match (const char *buf, const char *name) ++static size_t section_name_match (const char *buf, const char *name) + { +- int i = 0, j = 0, dot = 0; ++ size_t i = 0, j = 0; ++ int dot = 0; + if (buf[i] != '[') + return 0; + for (i = 1; buf[i] && buf[i] != ']'; i++) { +@@ -3294,15 +3295,14 @@ static int git_config_copy_or_rename_sec + } + + while (!strbuf_getwholeline(&buf, config_file, '\n')) { +- unsigned i; +- int length; ++ size_t i, length; + int is_section = 0; + char *output = buf.buf; + for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++) + ; /* do nothing */ + if (buf.buf[i] == '[') { + /* it's a section */ +- int offset; ++ size_t offset; + is_section = 1; + + /* diff -Nru git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0027-config.c-disallow-overly-long-lines-in-copy_or_renam.patch git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0027-config.c-disallow-overly-long-lines-in-copy_or_renam.patch --- git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0027-config.c-disallow-overly-long-lines-in-copy_or_renam.patch 1970-01-01 00:00:00.000000000 +0000 +++ git-2.34.1/debian/patches/CVE-2023_25652_25815_29007/0027-config.c-disallow-overly-long-lines-in-copy_or_renam.patch 2023-04-26 09:43:21.000000000 +0000 @@ -0,0 +1,76 @@ +From 3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a Mon Sep 17 00:00:00 2001 +From: Taylor Blau +Date: Wed, 12 Apr 2023 19:18:28 -0400 +Subject: [PATCH 27/28] config.c: disallow overly-long lines in + `copy_or_rename_section_in_file()` + +As a defense-in-depth measure to guard against any potentially-unknown +buffer overflows in `copy_or_rename_section_in_file()`, refuse to work +with overly-long lines in a gitconfig. + +Signed-off-by: Taylor Blau +Signed-off-by: Johannes Schindelin +--- + config.c | 13 +++++++++++++ + t/t1300-config.sh | 10 ++++++++++ + 2 files changed, 23 insertions(+) + +Index: git-2.34.1/config.c +=================================================================== +--- git-2.34.1.orig/config.c ++++ git-2.34.1/config.c +@@ -3244,6 +3244,8 @@ static int section_name_is_ok(const char + return 1; + } + ++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024) ++ + /* if new_name == NULL, the section is removed instead */ + static int git_config_copy_or_rename_section_in_file(const char *config_filename, + const char *old_name, +@@ -3258,6 +3260,7 @@ static int git_config_copy_or_rename_sec + struct stat st; + struct strbuf copystr = STRBUF_INIT; + struct config_store_data store; ++ uint32_t line_nr = 0; + + memset(&store, 0, sizeof(store)); + +@@ -3298,6 +3301,16 @@ static int git_config_copy_or_rename_sec + size_t i, length; + int is_section = 0; + char *output = buf.buf; ++ ++ line_nr++; ++ ++ if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) { ++ ret = error(_("refusing to work with overly long line " ++ "in '%s' on line %"PRIuMAX), ++ config_filename, (uintmax_t)line_nr); ++ goto out; ++ } ++ + for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++) + ; /* do nothing */ + if (buf.buf[i] == '[') { +Index: git-2.34.1/t/t1300-config.sh +=================================================================== +--- git-2.34.1.orig/t/t1300-config.sh ++++ git-2.34.1/t/t1300-config.sh +@@ -636,6 +636,16 @@ test_expect_success 'renaming an embedde + test_must_fail git config -f y foo.e + ' + ++test_expect_success 'renaming a section with an overly-long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %525000s e" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ test_must_fail git config -f y --rename-section a xyz 2>err && ++ test_i18ngrep "refusing to work with overly long line in .y. on line 2" err ++' ++ + cat >> .git/config << EOF + [branch "zwei"] a = 1 [branch "vier"] + EOF diff -Nru git-2.34.1/debian/patches/series git-2.34.1/debian/patches/series --- git-2.34.1/debian/patches/series 2023-02-08 13:57:45.000000000 +0000 +++ git-2.34.1/debian/patches/series 2023-04-26 09:41:58.000000000 +0000 @@ -54,3 +54,9 @@ CVE_2023-22490_and_23946/0004-clone-delay-picking-a-transport-until-after-get_repo.patch CVE_2023-22490_and_23946/0005-dir-iterator-prevent-top-level-symlinks-without-FOLL.patch CVE_2023-22490_and_23946/0006-apply-fix-writing-behind-newly-created-symbolic-link.patch +CVE-2023_25652_25815_29007/0022-apply-reject-overwrite-existing-.rej-symlink-if-it-e.patch +CVE-2023_25652_25815_29007/0023-t1300-demonstrate-failure-when-renaming-sections-wit.patch +CVE-2023_25652_25815_29007/0024-gettext-avoid-using-gettext-if-the-locale-dir-is-not.patch +CVE-2023_25652_25815_29007/0025-config-avoid-fixed-sized-buffer-when-renaming-deleti.patch +CVE-2023_25652_25815_29007/0026-config.c-avoid-integer-truncation-in-copy_or_rename_.patch +CVE-2023_25652_25815_29007/0027-config.c-disallow-overly-long-lines-in-copy_or_renam.patch