
Bug#1022860: bullseye-pu: package powerline-gitstatus/1.3.2-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
I would like to upload powerline-gitstatus to stable to fix CVE-2022-42906. I have consulted with the security team and they suggested we make the fix available via the next point release.

[ Impact ]
powerline-gitstatus/1.3.1 and earlier versions are susceptible to code execution via a malicious repository. Note that the malicious repository must be obtained by some means other than "git clone" (a clone does not carry over the remote repository's .git/config, so the hostile setting has to arrive through an archive, a copied directory or similar).

[ Tests ]
The package has no autopkgtests. It has been tested manually.

[ Risks ]
The changeset between 1.3.1 and 1.3.2 is small. The risk is low that a new bug or security issue is introduced.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The fix for CVE-2022-42906 is straightforward: it simply adds the arguments "-c core.fsmonitor=" to the git command, which overrides any core.fsmonitor hook set in the repository's own config before git acts on it. Aside from that, a simple program option was added (untracked_not_dirty) and the README is updated.
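A defender-side companion to that fix, added here as an example and not part of the package or the debdiff: a small parser for .git/config that reports a core.fsmonitor value git would run as a hook command, so a repository unpacked from an archive can be screened before a git-calling prompt segment is used inside it. The sample configs and the hook path are constructed placeholders.

```python
import re

# Matches "[core]" and '[remote "origin"]' style section headers.
SECTION_RE = re.compile(r'^\[\s*([^\s"\]]+)(?:\s+"([^"]*)")?\s*\]$')

# Values git reads as booleans rather than as a hook command (empty = unset).
BOOL_VALUES = ('', 'true', 'false', 'yes', 'no', 'on', 'off', '0', '1')


def parse_git_config(text):
    """Minimal parser for git's INI-like config: {'section[.sub].key': value}."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = name if sub is None else '%s.%s' % (name, sub)
            continue
        if section is None:
            continue
        key, _, value = line.partition('=')
        value = value.strip()
        if value.startswith('"'):
            value = value[1:].split('"', 1)[0]                 # quoted value
        else:
            value = re.split(r'[#;]', value, maxsplit=1)[0].rstrip()  # drop comment
        entries['%s.%s' % (section, key.strip().lower())] = value  # keys are case-insensitive
    return entries


def fsmonitor_hook_command(config_text):
    """Return the command git would run for core.fsmonitor, or None if unset/boolean."""
    value = parse_git_config(config_text).get('core.fsmonitor')
    if value is None or value.lower() in BOOL_VALUES:
        return None
    return value


# Constructed sample of a planted .git/config; the hook path is a placeholder.
SAMPLE_MALICIOUS = '''[core]
\trepositoryformatversion = 0
\tfilemode = true
\tfsmonitor = "/tmp/placeholder-hook.sh"
[remote "origin"]
\turl = https://example.invalid/repo.git
'''

# Constructed benign sample: a boolean value selects no external command.
SAMPLE_BENIGN = '[core]\n\tfilemode = true\n\tfsmonitor = false\n'

if __name__ == '__main__':
    for name, cfg in (('malicious', SAMPLE_MALICIOUS), ('benign', SAMPLE_BENIGN)):
        print(name, '->', fsmonitor_hook_command(cfg))
```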

[ Other info ]
As I expect a positive response, I will be uploading the package shortly.


-- Jerome
diff -Nru powerline-gitstatus-1.3.1/debian/changelog powerline-gitstatus-1.3.2/debian/changelog
--- powerline-gitstatus-1.3.1/debian/changelog	2020-07-08 16:17:05.000000000 -0400
+++ powerline-gitstatus-1.3.2/debian/changelog	2022-10-26 22:54:03.000000000 -0400
@@ -1,3 +1,10 @@
+powerline-gitstatus (1.3.2-1+deb11u1) bullseye; urgency=medium
+
+  * New upstream version 1.3.2
+    - Fix command injection via malicious repository config (CVE-2022-42906)
+
+ -- Jérôme Charaoui <jerome@riseup.net>  Wed, 26 Oct 2022 22:54:03 -0400
+
 powerline-gitstatus (1.3.1-2) unstable; urgency=medium
 
   [ Jann Haber ]
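Review bot: the changelog entry documents only the CVE fix, but the [ Changes ] section of this request says 1.3.2 also adds the untracked_not_dirty option and updates the README; since the checklist claims all changes are documented in d/changelog, add a second bullet such as "- Add untracked_not_dirty option" under the "New upstream version 1.3.2" line so point-release reviewers can see the behavioural addition too.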
diff -Nru powerline-gitstatus-1.3.1/powerline_gitstatus/segments.py powerline-gitstatus-1.3.2/powerline_gitstatus/segments.py
--- powerline-gitstatus-1.3.1/powerline_gitstatus/segments.py	2019-01-11 08:50:57.000000000 -0500
+++ powerline-gitstatus-1.3.2/powerline_gitstatus/segments.py	2022-10-09 08:58:20.000000000 -0400
@@ -11,9 +11,9 @@
 
     def execute(self, pl, command):
         pl.debug('Executing command: %s' % ' '.join(command))
-	
+
         git_env = os.environ.copy()
-        git_env['LC_ALL'] = 'C' 
+        git_env['LC_ALL'] = 'C'
 
         proc = Popen(command, stdout=PIPE, stderr=PIPE, env=git_env)
         out, err = [item.decode('utf-8') for item in proc.communicate()]
@@ -27,13 +27,13 @@
 
     def get_base_command(self, cwd, use_dash_c):
         if use_dash_c:
-            return ['git', '-C', cwd]
+            return ['git', '-c', 'core.fsmonitor=', '-C', cwd]
 
         while cwd and cwd != os.sep:
             gitdir = os.path.join(cwd, '.git')
 
             if os.path.isdir(gitdir):
-                return ['git', '--git-dir=%s' % gitdir, '--work-tree=%s' % cwd]
+                return ['git', '-c', 'core.fsmonitor=', '--git-dir=%s' % gitdir, '--work-tree=%s' % cwd]
 
             cwd = os.path.dirname(cwd)
 
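Review bot: the `'-c', 'core.fsmonitor='` override is duplicated across the two return branches; factor it into a single module-level constant and prepend it in one place, so that whatever get_base_command returns after the while loop (not visible in this hunk) and any future git invocation cannot miss it. A one-line comment at the override stating why it exists would also help: git runs the core.fsmonitor value as a command, and `-c` is the right lever because command-line config takes precedence over the repository's own .git/config.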
@@ -80,10 +80,10 @@
 
         return (staged, unmerged, changed, untracked)
 
-    def build_segments(self, formats, branch, detached, tag, behind, ahead, staged, unmerged, changed, untracked, stashed):
+    def build_segments(self, formats, branch, detached, tag, behind, ahead, staged, unmerged, changed, untracked, stashed, untracked_not_dirty):
         if detached:
             branch_group = 'gitstatus_branch_detached'
-        elif staged or unmerged or changed or untracked:
+        elif staged or unmerged or changed or (untracked and not untracked_not_dirty):
             branch_group = 'gitstatus_branch_dirty'
         else:
             branch_group = 'gitstatus_branch_clean'
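Review bot: untracked_not_dirty is added to build_segments as a required positional parameter with no default; giving it `untracked_not_dirty=False` keeps the method compatible with any subclass or external caller still using the old eleven-argument signature, and mirrors the default that `__call__` uses for the same option.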
@@ -111,7 +111,7 @@
 
         return segments
 
-    def __call__(self, pl, segment_info, use_dash_c=True, show_tag=False, formats={}, detached_head_style='revision'):
+    def __call__(self, pl, segment_info, use_dash_c=True, show_tag=False, formats={}, detached_head_style='revision', untracked_not_dirty=False):
         pl.debug('Running gitstatus %s -C' % ('with' if use_dash_c else 'without'))
 
         cwd = segment_info['getcwd']()
@@ -160,7 +160,7 @@
         else:
             tag = tag[0]
 
-        return self.build_segments(formats, branch, detached, tag, behind, ahead, staged, unmerged, changed, untracked, stashed)
+        return self.build_segments(formats, branch, detached, tag, behind, ahead, staged, unmerged, changed, untracked, stashed, untracked_not_dirty)
 
 
 gitstatus = with_docstring(GitStatusSegment(),
@@ -189,6 +189,10 @@
     Display style when in detached HEAD state. Valid values are ``revision``, which shows the current revision id, and ``ref``, which shows the closest reachable ref object.
     The default is ``revision``.
 
+:param untracked_not_dirty:
+    Untracked files alone will not mark the git branch status as dirty.
+    False by default.
+
 Divider highlight group used: ``gitstatus:divider``.
 
 Highlight groups used: ``gitstatus_branch_detached``, ``gitstatus_branch_dirty``, ``gitstatus_branch_clean``, ``gitstatus_branch``, ``gitstatus_tag``, ``gitstatus_behind``, ``gitstatus_ahead``, ``gitstatus_staged``, ``gitstatus_unmerged``, ``gitstatus_changed``, ``gitstatus_untracked``, ``gitstatus_stashed``, ``gitstatus``.
diff -Nru powerline-gitstatus-1.3.1/README.md powerline-gitstatus-1.3.2/README.md
--- powerline-gitstatus-1.3.1/README.md	2019-01-11 08:50:57.000000000 -0500
+++ powerline-gitstatus-1.3.2/README.md	2022-10-09 08:58:20.000000000 -0400
@@ -37,6 +37,8 @@
 
 ### On Debian/Ubuntu
 
+On a recent enough Debian (at least Stretch with backports enabled) or Ubuntu (at least 18.10) there is an official package available. 
+
 ```txt
 apt install powerline-gitstatus
 ```
@@ -104,10 +106,12 @@
 
 Optionally, a tag description for the current branch may be displayed using the `show_tag` option. Valid values for this
 argument are:
+
  * `last` : shows the most recent tag
  * `annotated` : shows the most recent annotated tag
  * `contains` : shows the closest tag that comes after the current commit
  * `exact` : shows a tag only if it matches the current commit
+
 You can enable this by passing one of these to the `show_tag` argument, for example in `.config/powerline/themes/shell/__main__.json`:
 
 ```json
@@ -123,7 +127,7 @@
 
 Optionally the format in which Gitstatus shows information can be customized.
 This allows to use a different symbol or remove a fragment if desired. You can
-customize string formats for _tag_, _behind_, _ahead_, _staged_, _unmerged_,
+customize string formats for _branch_, _tag_, _behind_, _ahead_, _staged_, _unmerged_,
 _changed_, _untracked_ and _stash_ fragments with the following arguments in a
 theme configuration file, for example `.config/powerline/themes/shell/__main__.json`:
 
@@ -131,14 +135,15 @@
 "gitstatus": {
     "args": { 
         "formats": {
-            "tag": " {}",
-            "behind": " {}",
-            "ahead": " {}",
-            "staged": " {}",
-            "unmerged": " {}",
-            "changed": " {}",
-            "untracked": " {}",
-            "stashed": " {}"
+            "branch": "\ue0a0 {}",
+            "tag": " ★ {}",
+            "behind": " ↓ {}",
+            "ahead": " ↑ {}",
+            "staged": " ● {}",
+            "unmerged": " ✖ {}",
+            "changed": " ✚ {}",
+            "untracked": " … {}",
+            "stashed": " ⚑ {}"
         }
     }
 }
@@ -155,6 +160,16 @@
     }
 }
 ```
+
+By default, if your local branch has untracked files but no other changes, the branch status will be highlighted as dirty in the segment. You can disable this behavior by setting the `untracked_not_dirty` argument to `true`, for example in `.config/powerline/themes/shell/__main__.json`:
+
+```json
+"gitstatus": {
+    "args": {
+        "untracked_not_dirty": true
+    }
+}
+```
  
 License
 -------
