Fix CVE-2021-29468

Add gcc and gettext to BuildRequires necessary for building and msgfmt command

backport-CVE-2021-29468-cygwin-disallow-backslashes-in-file-names.patch

@@ -0,0 +1,111 @@
+From bccc37fdc7ec66377af454417013f7612aef75e6 Mon Sep 17 00:00:00 2001
+From: Adam Dinwoodie <adam@dinwoodie.org>
+Date: Thu, 29 Apr 2021 21:11:44 +0100
+Subject: [PATCH] cygwin: disallow backslashes in file names
+
+The backslash character is not a valid part of a file name on Windows.
+If, in Windows, Git attempts to write a file that has a backslash
+character in the filename, it will be incorrectly interpreted as a
+directory separator.
+
+This caused CVE-2019-1354 in MinGW, as this behaviour can be manipulated
+to cause the checkout to write to files it ought not write to, such as
+adding code to the .git/hooks directory.  This was fixed by e1d911dd4c
+(mingw: disallow backslash characters in tree objects' file names,
+2019-09-12).  However, the vulnerability also exists in Cygwin: while
+Cygwin mostly provides a POSIX-like path system, it will still interpret
+a backslash as a directory separator.
+
+To avoid this vulnerability, CVE-2021-29468, extend the previous fix to
+also apply to Cygwin.
+
+Similarly, extend the test case added by the previous version of the
+commit.  The test suite doesn't have an easy way to say "run this test
+if in MinGW or Cygwin", so add a new test prerequisite that covers both.
+
+As well as checking behaviour in the presence of paths containing
+backslashes, the existing test also checks behaviour in the presence of
+paths that differ only by the presence of a trailing ".".  MinGW follows
+normal Windows application behaviour and treats them as the same path,
+but Cygwin more closely emulates *nix systems (at the expense of
+compatibility with native Windows applications) and will create and
+distinguish between such paths.  Gate the relevant bit of that test
+accordingly.
+
+Reported-by: RyotaK <security@ryotak.me>
+Helped-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+Signed-off-by: Adam Dinwoodie <adam@dinwoodie.org>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ read-cache.c               |  2 +-
+ t/t7415-submodule-names.sh | 13 ++++++++-----
+ t/test-lib.sh              |  2 ++
+ 3 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/read-cache.c b/read-cache.c
+index 5a907af..b6c13bc 100644
+--- a/read-cache.c
++++ b/read-cache.c
+@@ -985,7 +985,7 @@ int verify_path(const char *path, unsigned mode)
+ 				}
+ 			}
+ 			if (protect_ntfs) {
+-#ifdef GIT_WINDOWS_NATIVE
++#if defined GIT_WINDOWS_NATIVE || defined __CYGWIN__
+ 				if (c == '\\')
+ 					return 0;
+ #endif
+diff --git a/t/t7415-submodule-names.sh b/t/t7415-submodule-names.sh
+index f70368b..6bf098a 100755
+--- a/t/t7415-submodule-names.sh
++++ b/t/t7415-submodule-names.sh
+@@ -191,7 +191,7 @@ test_expect_success 'fsck detects corrupt .gitmodules' '
+ 	)
+ '
+ 
+-test_expect_success MINGW 'prevent git~1 squatting on Windows' '
++test_expect_success WINDOWS 'prevent git~1 squatting on Windows' '
+ 	git init squatting &&
+ 	(
+ 		cd squatting &&
+@@ -219,10 +219,13 @@ test_expect_success MINGW 'prevent git~1 squatting on Windows' '
+ 		test_tick &&
+ 		git -c core.protectNTFS=false commit -m "module"
+ 	) &&
+-	test_must_fail git -c core.protectNTFS=false \
+-		clone --recurse-submodules squatting squatting-clone 2>err &&
+-	test_i18ngrep -e "directory not empty" -e "not an empty directory" err &&
+-	! grep gitdir squatting-clone/d/a/git~2
++	if test_have_prereq MINGW
++	then
++		test_must_fail git -c core.protectNTFS=false \
++			clone --recurse-submodules squatting squatting-clone 2>err &&
++		test_i18ngrep -e "directory not empty" -e "not an empty directory" err &&
++		! grep gitdir squatting-clone/d/a/git~2
++	fi
+ '
+ 
+ test_expect_success 'git dirs of sibling submodules must not be nested' '
+diff --git a/t/test-lib.sh b/t/test-lib.sh
+index d3f6af6..e84b8c8 100644
+--- a/t/test-lib.sh
++++ b/t/test-lib.sh
+@@ -1457,6 +1457,7 @@ case $uname_s in
+ 	test_set_prereq NATIVE_CRLF
+ 	test_set_prereq SED_STRIPS_CR
+ 	test_set_prereq GREP_STRIPS_CR
++	test_set_prereq WINDOWS
+ 	GIT_TEST_CMP=mingw_test_cmp
+ 	;;
+ *CYGWIN*)
+@@ -1465,6 +1466,7 @@ case $uname_s in
+ 	test_set_prereq CYGWIN
+ 	test_set_prereq SED_STRIPS_CR
+ 	test_set_prereq GREP_STRIPS_CR
++	test_set_prereq WINDOWS
+ 	;;
+ *)
+ 	test_set_prereq POSIXPERM
+-- 
+1.8.3.1
+

git.spec

@@ -1,7 +1,7 @@
 %global gitexecdir          %{_libexecdir}/git-core
 Name:       git
 Version:    2.30.0
-Release:    3
+Release:    4
 Summary:    A popular and widely used Version Control System
 License:    GPLv2+ or LGPLv2.1
 URL:        https://git-scm.com/
@@ -13,7 +13,9 @@ Source101:  git@.service.in
 Source102:  git.socket
 
 Patch1:     backport-CVE-2021-21300.patch
+Patch2:     backport-CVE-2021-29468-cygwin-disallow-backslashes-in-file-names.patch
 
+BuildRequires: gcc gettext
 BuildRequires: openssl-devel libcurl-devel expat-devel systemd asciidoc xmlto glib2-devel libsecret-devel pcre-devel desktop-file-utils
 BuildRequires: python3-devel perl-generators perl-interpreter perl-Error perl(Test::More) perl-MailTools perl(Test) gdb
 Requires:      less zlib openssh-clients perl(Term::ReadKey) perl-Git
@@ -261,6 +263,11 @@ make %{?_smp_mflags} test
 %{_mandir}/man7/git*.7.*
 
 %changelog
+* Fri May 28 2021 panxiaohe <panxiaohe@huawei.com> - 2.30.0-4
+- Fix CVE-2021-29468
+- Add gcc and gettext to BuildRequires
+  - necessary for building and msgfmt command
+
 * Fri Mar 19 2021 fuanan <fuanan3@huawei.com> - 2.30.0-3
 - Optimize compilation time
 
@@ -268,7 +275,7 @@ make %{?_smp_mflags} test
 - Type:CVE
 - ID:NA
 - SUG:NA
-- DESC:CVE-2021-21300
+- DESC:Fix CVE-2021-21300
 
 * Wed Jan 27 2021 wangchen <wangchen137@huawei.com> - 2.30.0-1
 - Type:enhancement