Source: git-remote-hg
Version: 1.0.3.2~ds-2
Severity: serious
X-Debbugs-CC: git@packages.debian.org
Tags: sid bookworm
User: debian-ci@lists.debian.org
Usertags: needs-update
Control: affects -1 src:git

Dear maintainer(s),

With a recent upload of git the autopkgtest of git-remote-hg fails in testing when that autopkgtest is run with the binary packages of git from unstable. It passes when run with only packages from testing. In tabular form:

                       pass            fail
git                    from testing    1:2.38.1-1
git-remote-hg          from testing    1.0.3.2~ds-2
all others             from testing    from testing

I copied some of the output at the bottom of this report. This is due to
"""
  * Addresses the security issue CVE-2022-39253: cloning an
    attacker-controlled local repository could store arbitrary files in
    the ".git" directory of the destination repository.
"""

This has a nice write up:
https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html

Currently this regression is blocking the migration of git to testing [1]. Of course, git shouldn't just break your autopkgtest (or even worse, your package), but it seems to me that the change in git was intended and your package needs to update to the new situation.

If this is a real problem in your package (and not only in your autopkgtest), the right binary package(s) from git should really add a versioned Breaks on the unfixed version of (one of your) package(s). Note: the Breaks is nice even if the issue is only in the autopkgtest as it helps the migration software to figure out the right versions to combine in the tests.

More information about this bug and the reason for filing it can be found on
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation

Paul

[1] https://qa.debian.org/excuses.php?package=git

https://ci.debian.net/data/autopkgtest/testing/amd64/g/git-remote-hg/28079228/log.gz

Initialized empty Git repository in /tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash directory.main-push/tmp/sub/.git/
[master (root-commit) be983cd] init
 Author: A U Thor <author@example.com>
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 empty
Initialized empty Git repository in /tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash directory.main-push/tmp/gitrepo/.git/
Cloning into '/tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash directory.main-push/tmp/gitrepo/sub'...
fatal: transport 'file' not allowed
fatal: clone of '/tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash directory.main-push/tmp/sub' into submodule path '/tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash directory.main-push/tmp/gitrepo/sub' failed
not ok 52 - push with submodule
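
The failure in the log above can be reproduced, and worked around for a single command, as in this added example (not part of the bug report and not git-remote-hg's test code). It assumes git's `protocol.file.allow` setting, which the report does not name; `user` is passed explicitly so the result is the same on git versions before and after the fix, and all repositories are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: a local-path submodule under two protocol.file.allow policies.

# try_submodule_add POLICY
# Returns the exit status of `git submodule add` for a local repository when
# protocol.file.allow is POLICY. "user" is git's default for the file
# transport since the CVE-2022-39253 fix; "always" was the default before it.
# Status 2 means the setup failed. The command's output is left in LAST_OUTPUT.
try_submodule_add() {
    policy=$1
    work=$(mktemp -d) || return 2
    (
        cd "$work" || exit 2
        # Isolate the run from the caller's git configuration and locale.
        unset XDG_CONFIG_HOME
        export HOME="$work" GIT_CONFIG_NOSYSTEM=1 LC_ALL=C
        export GIT_AUTHOR_NAME=test GIT_AUTHOR_EMAIL=test@example.com
        export GIT_COMMITTER_NAME=test GIT_COMMITTER_EMAIL=test@example.com
        git init -q sub &&
        git -C sub commit -q --allow-empty -m init &&
        git init -q gitrepo || exit 2
        # -c applies to this one invocation (and the clone it spawns);
        # nothing is written to a config file.
        git -C gitrepo -c protocol.file.allow="$policy" \
            submodule add "$work/sub" sub >"$work/out" 2>&1
    )
    status=$?
    LAST_OUTPUT=$(cat "$work/out" 2>/dev/null)
    rm -rf "$work"
    return $status
}

for policy in user always; do
    if try_submodule_add "$policy"; then
        echo "protocol.file.allow=$policy: submodule add succeeded"
    else
        echo "protocol.file.allow=$policy: submodule add failed:"
        echo "$LAST_OUTPUT"
    fi
done
```

Keeping the override on the single `git -c` invocation, and only for repositories the test itself created, leaves the CVE-2022-39253 protection in place for every other clone.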