[staging] git: 2.39.0 → 2.39.1

[fabianhjr]

Advisories:

• https://github.blog/2023-01-17-git-security-vulnerabilities-announced-2/

CVEs:

• CVE-2022-23521 (Critical)
• CVE-2022-41903 (Critical)
• CVE-2022-41953 (Windows only)

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux (gitFull)
  • x86_64-darwin (gitFull)
  • aarch64-darwin (gitFull)
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[fabianhjr]

Currently building/testing.

[fabianhjr]

Built on NixOS (x86_64-linux)

[fabianhjr]

Previous update went trough staging: #205682

[mweinelt]

I think we should go through staging.

[fabianhjr]

I am concerned that this would affect Hydra.

As far as I understand this an adversary could use a new PR to get RCE.

[vcunat]

Hydra.nixos.org doesn't touch PRs (automatically).

[mweinelt]

How do you imagine this could happen?

[fabianhjr]

1. An adversary creates an attack commit with .gitattributes exploiting mentioned CVEs, and a message which passes the ofBorg message checks.
2. ofBorg checks out the PR with the exploit since trusted users is currently disabled.
3. (assumption) ofBorg runs on shared resources with Hydra (so no merge is needed to attack)

[SuperSandro2000]

(assumption) ofBorg runs on shared resources with Hydra (so no merge is needed to attack)

AFAIK it does not.

[SuperSandro2000]

Can we get a rebuild count estimation first?
I would be fine to send this straight to staging-next but it wouldn't be ideal when we send a 25k+ rebuild commit to master and ofborg/hydra would only recover in a few days from it.

[fabianhjr]

Rebased on merge-base of origin/staging origin/master so it should be easy to change target and merge to either staging or main branch.

[mweinelt]

I would be fine to send this straight to staging-next but

there is none open right now.

[fabianhjr]

Currently running ./maintainers/scripts/rebuild-amount.sh HEAD^ to get an estimate rebuild count.

[vcunat]

Probably very similar amounts as recent git updates: #205682
i.e. very high, perhaps over half of everything

[fabianhjr]

Estimating rebuild amount by counting changed Hydra jobs (parallel=unset).
      1 pkgs-lib-tests
  20564 x86_64-darwin
  28692 x86_64-linux

[SuperSandro2000]

There seems to be no follow up to #209180 yet, so staging it yes.

Not sure why ofborg failed to build it but I can't load the logs.

Edit: related to passthru tests, to be exact buildbot.

@ofborg build git

Planning to merge this rather sooner than later.

@vcunat maybe we can do a fast staging-next run?

[SuperSandro2000]

Oh, yeah 22.11 was already merged.