
Bug#1022860: marked as done (bullseye-pu: package powerline-gitstatus/1.3.2-1+deb11u1)



Your message dated Sat, 17 Dec 2022 10:57:10 +0000
with message-id <03e9b90cf2f149b9e2835590c9ec0ccb048b744d.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.6
has caused the Debian Bug report #1022860,
regarding bullseye-pu: package powerline-gitstatus/1.3.2-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1022860: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022860
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
I would like to upload powerline-gitstatus to stable to fix CVE-2022-42906. I have consulted with the security team and they suggested we make the fix available via the next point release.

[ Impact ]
powerline-gitstatus/1.3.1 and earlier versions are susceptible to code execution via a malicious repository. Note that the malicious repository must be obtained by some means other than "git clone".

[ Tests ]
The package has no autopkgtests. It has been tested manually.

[ Risks ]
The changeset between 1.3.1 and 1.3.2 is small. The risk is low that
a new bug or security issue is introduced.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The fix for CVE-2022-42906 is straightforward: it simply appends the argument "-C core.fsmonitor=" to the git command. Aside from that, a simple program option was added (untracked_not_dirty) and the README is updated.

[ Other info ]
As I expect a positive response, I will be uploading the package shortly.


-- Jerome
diff -Nru powerline-gitstatus-1.3.1/debian/changelog powerline-gitstatus-1.3.2/debian/changelog
--- powerline-gitstatus-1.3.1/debian/changelog	2020-07-08 16:17:05.000000000 -0400
+++ powerline-gitstatus-1.3.2/debian/changelog	2022-10-26 22:54:03.000000000 -0400
@@ -1,3 +1,10 @@
+powerline-gitstatus (1.3.2-1+deb11u1) bullseye; urgency=medium
+
+  * New upstream version 1.3.2
+    - Fix command injection via malicious repository config (CVE-2022-42906)
+
+ -- Jérôme Charaoui <jerome@riseup.net>  Wed, 26 Oct 2022 22:54:03 -0400
+
 powerline-gitstatus (1.3.1-2) unstable; urgency=medium
 
   [ Jann Haber ]
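Review bot: the changelog entry records only the CVE fix, but this upstream jump also adds the `untracked_not_dirty` option (the segments.py hunks and the README addition) plus a README rewrite, while the request's checklist ticks "*all* changes are documented in the d/changelog"; add a second sub-bullet under "New upstream version 1.3.2", e.g. `- Add untracked_not_dirty option (untracked files alone no longer mark the branch dirty)`, so the point-release notes reflect the user-visible behaviour change.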
diff -Nru powerline-gitstatus-1.3.1/powerline_gitstatus/segments.py powerline-gitstatus-1.3.2/powerline_gitstatus/segments.py
--- powerline-gitstatus-1.3.1/powerline_gitstatus/segments.py	2019-01-11 08:50:57.000000000 -0500
+++ powerline-gitstatus-1.3.2/powerline_gitstatus/segments.py	2022-10-09 08:58:20.000000000 -0400
@@ -11,9 +11,9 @@
 
     def execute(self, pl, command):
         pl.debug('Executing command: %s' % ' '.join(command))
-	
+
         git_env = os.environ.copy()
-        git_env['LC_ALL'] = 'C' 
+        git_env['LC_ALL'] = 'C'
 
         proc = Popen(command, stdout=PIPE, stderr=PIPE, env=git_env)
         out, err = [item.decode('utf-8') for item in proc.communicate()]
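Review bot: both changes in this hunk are trailing-whitespace removals with no behaviour change, so the request should say this hunk is cosmetic and not part of the fix. Note also that `Popen(command, stdout=PIPE, stderr=PIPE, env=git_env)` is already called with an argv list and no shell, so the issue is not shell quoting in `execute()`: git itself runs whatever program the repository's `core.fsmonitor` names, which is why the override belongs where the argv is assembled rather than here.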
@@ -27,13 +27,13 @@
 
     def get_base_command(self, cwd, use_dash_c):
         if use_dash_c:
-            return ['git', '-C', cwd]
+            return ['git', '-c', 'core.fsmonitor=', '-C', cwd]
 
         while cwd and cwd != os.sep:
             gitdir = os.path.join(cwd, '.git')
 
             if os.path.isdir(gitdir):
-                return ['git', '--git-dir=%s' % gitdir, '--work-tree=%s' % cwd]
+                return ['git', '-c', 'core.fsmonitor=', '--git-dir=%s' % gitdir, '--work-tree=%s' % cwd]
 
             cwd = os.path.dirname(cwd)
 
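Review bot: the added option is the lowercase config override `-c core.fsmonitor=`, not `-C core.fsmonitor=` as the request's [ Changes ] paragraph says; `-C` is git's change-directory option and appears on the same line, so the description should be corrected before it is copied into an advisory. Placement is fine: `-c` is a global option, so it applies whatever its order relative to `-C` or `--git-dir`, and a command-line `-c` overrides the value in .git/config for the rest of that command. Two points to confirm in the manual test: the value must be an explicit empty string (a bare `-c core.fsmonitor` with no `=` is read by git as true), and `get_base_command()` must be the only place the segment builds a git argv, since any other code path would still pick up the repository's setting; the fallthrough for the case where no `.git` directory is found (below this hunk) is untouched.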
@@ -80,10 +80,10 @@
 
         return (staged, unmerged, changed, untracked)
 
-    def build_segments(self, formats, branch, detached, tag, behind, ahead, staged, unmerged, changed, untracked, stashed):
+    def build_segments(self, formats, branch, detached, tag, behind, ahead, staged, unmerged, changed, untracked, stashed, untracked_not_dirty):
         if detached:
             branch_group = 'gitstatus_branch_detached'
-        elif staged or unmerged or changed or untracked:
+        elif staged or unmerged or changed or (untracked and not untracked_not_dirty):
             branch_group = 'gitstatus_branch_dirty'
         else:
             branch_group = 'gitstatus_branch_clean'
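Review bot: `build_segments()` gains a required positional parameter, so any caller still using the old arity raises TypeError; giving it a default (`untracked_not_dirty=False`), as `__call__` does, keeps the method backward compatible at no cost. The condition itself is correct: staged, unmerged or changed entries still force `gitstatus_branch_dirty`, and only the untracked-only case becomes configurable.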
@@ -111,7 +111,7 @@
 
         return segments
 
-    def __call__(self, pl, segment_info, use_dash_c=True, show_tag=False, formats={}, detached_head_style='revision'):
+    def __call__(self, pl, segment_info, use_dash_c=True, show_tag=False, formats={}, detached_head_style='revision', untracked_not_dirty=False):
         pl.debug('Running gitstatus %s -C' % ('with' if use_dash_c else 'without'))
 
         cwd = segment_info['getcwd']()
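Review bot: the new keyword is appended at the end of the signature with a default, which is the right place; `formats={}` is a pre-existing shared mutable default that is only safe as long as nothing mutates it, worth a quick grep. The debug line still reports only the `-C` choice, but `execute()` logs the full argv, so a tester should verify the fix by looking for `-c core.fsmonitor=` in powerline's debug output rather than expecting this line to mention it.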
@@ -160,7 +160,7 @@
         else:
             tag = tag[0]
 
-        return self.build_segments(formats, branch, detached, tag, behind, ahead, staged, unmerged, changed, untracked, stashed)
+        return self.build_segments(formats, branch, detached, tag, behind, ahead, staged, unmerged, changed, untracked, stashed, untracked_not_dirty)
 
 
 gitstatus = with_docstring(GitStatusSegment(),
@@ -189,6 +189,10 @@
     Display style when in detached HEAD state. Valid values are ``revision``, which shows the current revision id, and ``ref``, which shows the closest reachable ref object.
     The default is ``revision``.
 
+:param untracked_not_dirty:
+    Untracked files alone will not mark the git branch status as dirty.
+    False by default.
+
 Divider highlight group used: ``gitstatus:divider``.
 
 Highlight groups used: ``gitstatus_branch_detached``, ``gitstatus_branch_dirty``, ``gitstatus_branch_clean``, ``gitstatus_branch``, ``gitstatus_tag``, ``gitstatus_behind``, ``gitstatus_ahead``, ``gitstatus_staged``, ``gitstatus_unmerged``, ``gitstatus_changed``, ``gitstatus_untracked``, ``gitstatus_stashed``, ``gitstatus``.
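Review bot: the docstring documents `untracked_not_dirty` but says nothing about git now being run with `core.fsmonitor` forced off; users who enabled the fsmonitor hook to speed up `git status` in large trees will find this point release silently disables it for the prompt's git calls, so a sentence here (and a NEWS or changelog line) would spare them a bisect.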
diff -Nru powerline-gitstatus-1.3.1/README.md powerline-gitstatus-1.3.2/README.md
--- powerline-gitstatus-1.3.1/README.md	2019-01-11 08:50:57.000000000 -0500
+++ powerline-gitstatus-1.3.2/README.md	2022-10-09 08:58:20.000000000 -0400
@@ -37,6 +37,8 @@
 
 ### On Debian/Ubuntu
 
+On a recent enough Debian (at least Stretch with backports enabled) or Ubuntu (at least 18.10) there is an official package available. 
+
 ```txt
 apt install powerline-gitstatus
 ```
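Review bot: trailing whitespace at the end of the added sentence ("...official package available. "); harmless, but worth dropping if upstream takes a follow-up.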
@@ -104,10 +106,12 @@
 
 Optionally, a tag description for the current branch may be displayed using the `show_tag` option. Valid values for this
 argument are:
+
  * `last` : shows the most recent tag
  * `annotated` : shows the most recent annotated tag
  * `contains` : shows the closest tag that comes after the current commit
  * `exact` : shows a tag only if it matches the current commit
+
 You can enable this by passing one of these to the `show_tag` argument, for example in `.config/powerline/themes/shell/__main__.json`:
 
 ```json
@@ -123,7 +127,7 @@
 
 Optionally the format in which Gitstatus shows information can be customized.
 This allows to use a different symbol or remove a fragment if desired. You can
-customize string formats for _tag_, _behind_, _ahead_, _staged_, _unmerged_,
+customize string formats for _branch_, _tag_, _behind_, _ahead_, _staged_, _unmerged_,
 _changed_, _untracked_ and _stash_ fragments with the following arguments in a
 theme configuration file, for example `.config/powerline/themes/shell/__main__.json`:
 
@@ -131,14 +135,15 @@
 "gitstatus": {
     "args": { 
         "formats": {
-            "tag": " {}",
-            "behind": " {}",
-            "ahead": " {}",
-            "staged": " {}",
-            "unmerged": " {}",
-            "changed": " {}",
-            "untracked": " {}",
-            "stashed": " {}"
+            "branch": "\ue0a0 {}",
+            "tag": " ★ {}",
+            "behind": " ↓ {}",
+            "ahead": " ↑ {}",
+            "staged": " ● {}",
+            "unmerged": " ✖ {}",
+            "changed": " ✚ {}",
+            "untracked": " … {}",
+            "stashed": " ⚑ {}"
         }
     }
 }
@@ -155,6 +160,16 @@
     }
 }
 ```
+
+By default, if your local branch has untracked files but no other changes, the branch status will be highlighted as dirty in the segment. You can disable this behavior by setting the `untracked_not_dirty` argument to `true`, for example in `.config/powerline/themes/shell/__main__.json`:
+
+```json
+"gitstatus": {
+    "args": {
+        "untracked_not_dirty": true
+    }
+}
+```
  
 License
 -------

Attachment: OpenPGP_0xD3F900749268E55E.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature


--- End Message ---
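The request describes the issue (a repository obtained other than by `git clone` whose own config makes git run a program) and the fix (`-c core.fsmonitor=` prepended to the git argv) only in prose. The following Python is an added example, not code from the powerline-gitstatus package, the upstream project or the Debian request: it parses a constructed `.git/config` to flag a `core.fsmonitor` value before git is run in a hand-delivered repository, and checks whether a git command line of the shape `get_base_command()` returns actually neutralises the key, including the caveat that a bare `-c core.fsmonitor` means true rather than off. The sample configs, the function names and the small set of git global options treated as taking a separate argument are this example's own assumptions.

```python
import re

# Constructed sample: a hostile .git/config as it could arrive in an archive
# (git clone never copies the source repository's config, hence the caveat
# in the request).
HOSTILE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tfsmonitor = "touch /tmp/pwned; echo"   ; runs on every `git status`
[remote "origin"]
\turl = https://example.invalid/repo.git
"""

# Constructed sample: the config `git init` writes (no hook-like keys).
CLEAN_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
"""

_SECTION = re.compile(r'^\[([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]$')
_KEYVAL = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def _unquote(value):
    """Strip git-config quoting and a trailing ; or # comment outside quotes."""
    out, quoted, i = [], False, 0
    while i < len(value):
        c = value[i]
        if c == '\\' and i + 1 < len(value):     # backslash escape
            out.append(value[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c in '#;' and not quoted:
            break
        else:
            out.append(c)
        i += 1
    return ''.join(out).strip()


def parse_git_config(text):
    """Minimal parser for the git-config subset found in .git/config.
    Returns {'section.key': value}; a later definition overrides an earlier
    one and a bare key means boolean true, as in git. Section and key names
    are case-insensitive, subsection names are not."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).lower()
            if m.group(2) is not None:
                section += '.' + m.group(2)
            continue
        m = _KEYVAL.match(line)
        if m and section is not None:
            value = 'true' if m.group(2) is None else _unquote(m.group(2))
            cfg[section + '.' + m.group(1).lower()] = value
    return cfg


# Keys whose value git runs as a program; core.fsmonitor is the one behind
# CVE-2022-42906. Extending this tuple is the caller's decision (assumption).
COMMAND_KEYS = ('core.fsmonitor',)


def hostile_config_keys(config_text):
    """Return [(key, value)] for command-running keys with a non-empty value."""
    cfg = parse_git_config(config_text)
    return [(k, cfg[k]) for k in COMMAND_KEYS if cfg.get(k, '') != '']


# Global git options that consume the following argv element (assumed subset).
_OPTS_WITH_ARG = {'-C', '--git-dir', '--work-tree', '--namespace'}


def fsmonitor_neutralised(cmd):
    """True if `cmd` (argv starting with 'git') disables core.fsmonitor via a
    global `-c core.fsmonitor=` placed before the subcommand. The last `-c`
    for the key wins, matching git's later-definition-overrides rule."""
    args = iter(cmd[1:])
    disabled = False
    for arg in args:
        if arg == '-c':
            key, sep, value = next(args, '').partition('=')
            if key.lower() == 'core.fsmonitor':
                disabled = (sep == '=' and value == '')  # bare key means true
        elif arg in _OPTS_WITH_ARG:
            next(args, None)
        elif not arg.startswith('-'):
            break                        # first non-option word: the subcommand
    return disabled


if __name__ == '__main__':
    print(hostile_config_keys(HOSTILE_CONFIG))
    fixed = ['git', '-c', 'core.fsmonitor=', '-C', '/tmp/repo', 'status']
    print(fsmonitor_neutralised(fixed), fsmonitor_neutralised(['git', '-C', '/tmp/repo', 'status']))
```

`hostile_config_keys()` is the pre-flight check for a repository that did not come from `git clone`; `fsmonitor_neutralised()` is the assertion to put in a test for any code that spawns git in such a repository, and it fails for the `-c core.fsmonitor` (no `=`) form that looks like a disable but is not.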
--- Begin Message ---
Package: release.debian.org
Version: 11.6

Hi,

Each of the updates referred to in these requests was included in this
morning's 11.6 point release.

Regards,

Adam

--- End Message ---
