Bug#948854: marked as done (buster-pu: package git-lfs/2.7.1-1+deb10u1)



Your message dated Sat, 08 Feb 2020 14:21:36 +0000
with message-id <cf1cb2f35981916a86b98b83609df15c95aa378b.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.3 point release
has caused the Debian Bug report #948854,
regarding buster-pu: package git-lfs/2.7.1-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
948854: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948854
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

git-lfs FTBFS in stretch since some security updates were applied to
golang-1.11. #940485
Let's cherry-pick the corresponding fix from sid.

The updated package is already uploaded.


Andreas
diff -Nru git-lfs-2.7.1/debian/changelog git-lfs-2.7.1/debian/changelog
--- git-lfs-2.7.1/debian/changelog	2019-02-27 06:33:53.000000000 +0100
+++ git-lfs-2.7.1/debian/changelog	2020-01-14 00:26:10.000000000 +0100
@@ -1,3 +1,13 @@
+git-lfs (2.7.1-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+
+  [ Stephen Gelman ]
+  * Backport a fix from upstream that fixes FTBFS under Go 1.12.8, 1.11.13
+    (aka 1.11.6-1+deb10u1)  (Closes: #940485)
+
+ -- Andreas Beckmann <anbe@debian.org>  Tue, 14 Jan 2020 00:26:10 +0100
+
 git-lfs (2.7.1-1) unstable; urgency=medium
 
   * New upstream release
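
Review bot: The new bullet under "[ Stephen Gelman ]" does not name the patch file or the upstream commit being backported, and it has a double space before "(Closes: #940485)". Suggest mentioning debian/patches/0002-fix-url-parsing.patch (upstream commit f06492430e8f) in the bullet so the entry can be matched to the change without reading the debdiff, and collapsing the extra space.
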
diff -Nru git-lfs-2.7.1/debian/patches/0002-fix-url-parsing.patch git-lfs-2.7.1/debian/patches/0002-fix-url-parsing.patch
--- git-lfs-2.7.1/debian/patches/0002-fix-url-parsing.patch	1970-01-01 01:00:00.000000000 +0100
+++ git-lfs-2.7.1/debian/patches/0002-fix-url-parsing.patch	2020-01-14 00:26:10.000000000 +0100
@@ -0,0 +1,61 @@
+From f06492430e8f4a37136c746a29cffb7149beae08 Mon Sep 17 00:00:00 2001
+From: "brian m. carlson" <bk2204@github.com>
+Date: Wed, 14 Aug 2019 14:49:48 +0000
+Subject: [PATCH] lfsapi: fix URL parsing with Go 1.12.8
+
+Go 1.12.8 introduces a security fix for parsing URLs that contain a
+colon followed by an invalid port number. Since our SSH remotes can
+contain just such a colon, our hack to make these into URLs no longer
+works.
+
+Fix this by replacing the first colon in these "URLs" with a slash,
+which is a path delimiter, which makes them parsable by newer versions
+of Go. Update the name of the function since it now does more than its
+previous name implies.
+---
+ lfsapi/auth.go | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/lfsapi/auth.go b/lfsapi/auth.go
+index 5a99a5b01..1de332e99 100644
+--- a/lfsapi/auth.go
++++ b/lfsapi/auth.go
+@@ -192,7 +192,7 @@ func getCredURLForAPI(ef EndpointFinder, operation, remote string, apiEndpoint l
+ 
+ 	if len(remote) > 0 {
+ 		if u := ef.GitRemoteURL(remote, operation == "upload"); u != "" {
+-			schemedUrl, _ := prependEmptySchemeIfAbsent(u)
++			schemedUrl, _ := fixSchemelessURL(u)
+ 
+ 			gitRemoteURL, err := url.Parse(schemedUrl)
+ 			if err != nil {
+@@ -214,12 +214,13 @@ func getCredURLForAPI(ef EndpointFinder, operation, remote string, apiEndpoint l
+ 	return apiURL, nil
+ }
+ 
+-// prependEmptySchemeIfAbsent prepends an empty scheme "//" if none was found in
+-// the URL in order to satisfy RFC 3986 §3.3, and `net/url.Parse()`.
++// fixSchemelessURL prepends an empty scheme "//" if none was found in
++// the URL and replaces the first colon with a slash in order to satisfy RFC
++// 3986 §3.3, and `net/url.Parse()`.
+ //
+ // It returns a string parse-able with `net/url.Parse()` and a boolean whether
+ // or not an empty scheme was added.
+-func prependEmptySchemeIfAbsent(u string) (string, bool) {
++func fixSchemelessURL(u string) (string, bool) {
+ 	if hasScheme(u) {
+ 		return u, false
+ 	}
+@@ -231,7 +232,11 @@ func prependEmptySchemeIfAbsent(u string) (string, bool) {
+ 		// First path segment has a colon, assumed that it's a
+ 		// scheme-less URL. Append an empty scheme on top to
+ 		// satisfy RFC 3986 §3.3, and `net/url.Parse()`.
+-		return fmt.Sprintf("//%s", u), true
++		//
++		// In addition, replace the first colon with a slash since
++		// otherwise the colon looks like it's introducing a port
++		// number.
++		return fmt.Sprintf("//%s", strings.Replace(u, ":", "/", 1)), true
+ 	}
+ 	return u, true
+ }
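
Review bot: In the last lfsapi/auth.go hunk, `strings.Replace(u, ":", "/", 1)` rewrites the first colon anywhere in u, while the comment above it reasons about a colon in the first path segment; the two are the same colon only if nothing earlier in the string can contain one. Suggest replacing at the position of the colon the surrounding condition identifies, or stating that assumption in the fixSchemelessURL doc comment. Separately, no hunk touches the import block, so this backport relies on lfsapi/auth.go in 2.7.1 already importing "strings"; worth confirming with a build against the buster Go toolchain, since the point of the upload is fixing an FTBFS.
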
diff -Nru git-lfs-2.7.1/debian/patches/series git-lfs-2.7.1/debian/patches/series
--- git-lfs-2.7.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ git-lfs-2.7.1/debian/patches/series	2020-01-14 00:26:10.000000000 +0100
@@ -0,0 +1 @@
+0002-fix-url-parsing.patch
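
Review bot: The newly created series file has a single entry numbered 0002, with no 0001 before it. If the name is kept to match the patch as it exists in sid, say so in the changelog; otherwise renumber it so the gap does not suggest a patch was dropped from this upload.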

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.3

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---