On Thu, 03 Nov 2022 20:39:02 +0100, gregor herrmann wrote:

> As also seen on ci.debian.net, minilla recently started to fail its
> test suite, which also makes it FTBFS:
>
> Test Summary Report
> -------------------
> t/filegatherer.t (Wstat: 65280 (exited 255) Tests: 2 Failed: 1)
>   Failed test:  2
>   Non-zero exit status: 255
>   Parse errors: No plan found in TAP output
> t/filegatherer/submodules-recursive.t (Wstat: 65280 (exited 255) Tests: 2 Failed: 1)
>   Failed test:  2
>   Non-zero exit status: 255
>   Parse errors: No plan found in TAP output
> t/project/in_submodule.t (Wstat: 65280 (exited 255) Tests: 1 Failed: 1)
>   Failed test:  1
>   Non-zero exit status: 255
>   Parse errors: No plan found in TAP output
>
>
> This may or may not be related to recent changes in git:
>
> git (1:2.38.1-1) unstable; urgency=medium
>
>   * new upstream release (closes: #1022046; see RelNotes/2.38.0.txt,
>     RelNotes/2.38.1.txt).
>   * Addresses the security issue CVE-2022-39253: cloning an
>     attacker-controlled local repository could store arbitrary files
>     in the ".git" directory of the destination repository.
>
>     Thanks to Cory Snider of Mirantis for reporting this
>     vulnerability and Taylor Blau for the mitigation.
>
>   * Addresses CVE-2022-39260: a long command string passed to a `git
>     shell` configured to support custom commands could overflow and
>     run arbitrary code.
>
>     Thanks to Kevin Backhouse of GitHub for reporting this
>     vulnerability and Kevin Backhouse, Jeff King, and Taylor Blau
>     for mitigating it.

Preliminary patch at
https://salsa.debian.org/perl-team/modules/packages/minilla/-/blob/master/debian/patches/git-2.38.1.patch
(inspired by https://github.com/book/Git-Repository/pull/22 and
https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html
), feedback welcome.

Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-
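A constructed reproduction of this class of failure, added here as an example; it is not taken from minilla, its test suite or the Debian patch linked above. It assumes the failing tests add a submodule from a local path, which git 2.38.1 refuses by default as part of the CVE-2022-39253 mitigation, and it shows the override (`protocol.file.allow`, git's own setting) scoped to a single invocation rather than written to global configuration. The helper names (`g`, `make_repos`, `add_default`, `add_scoped`, `demo`) are made up for this example.

```shell
#!/bin/sh
# Constructed sample: two throwaway local repositories created under mktemp.

# Run git with a fixed identity and without the caller's global/system config,
# so the result reflects git's built-in defaults.
g() {
    GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1 \
        git -c user.name=test -c user.email=test@example.invalid "$@"
}

# Create a submodule source repository and a parent repository under $1.
make_repos() {
    g init -q "$1/sub" && g -C "$1/sub" commit -q --allow-empty -m sub &&
    g init -q "$1/parent" && g -C "$1/parent" commit -q --allow-empty -m parent
}

# Returns 0 only if git's default policy lets a submodule use the file transport.
add_default() {
    g -C "$1/parent" submodule add -q "$1/sub" dep_default >/dev/null 2>&1
}

# Same operation, with the policy relaxed for this one command only.
add_scoped() {
    g -C "$1/parent" -c protocol.file.allow=always \
        submodule add -q "$1/sub" dep_scoped >/dev/null 2>&1
}

# Report the default behaviour, then check that the scoped override works.
demo() {
    tmp=$(mktemp -d) || return 1
    make_repos "$tmp" || { rm -rf "$tmp"; return 1; }
    if add_default "$tmp"; then
        echo "default policy: local submodule allowed (git predates the change)"
    else
        echo "default policy: local submodule refused"
    fi
    rc=0
    add_scoped "$tmp" || rc=1
    grep -q dep_scoped "$tmp/parent/.gitmodules" 2>/dev/null || rc=1
    [ "$rc" -eq 0 ] && echo "scoped override: local submodule added"
    rm -rf "$tmp"
    return "$rc"
}

demo
```

Keeping the override on the command line of the test's own git call leaves the hardened default in place for every other clone on the build machine.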