authorPatrick Steinhardt <psteinhardt@gitlab.com>2022-07-13 08:36:13 +0300
committerPatrick Steinhardt <psteinhardt@gitlab.com>2022-07-13 08:36:13 +0300
commitbe8b2457721e1ec154ecb6e037e797b37578ea62 (patch)
treedfdcf996cc0db44ad8f8480db937d3bbc4472694
parent8e3eafce11e3b48177872c28c58614226ae18602 (diff)
Makefile: Update Git to v2.37.1pks-git-v2.37.1
Update our bundled Git version to v2.37.1. This both updates our major version to include the latest changes from v2.37 and updates our minor version to include fixes for CVE-2022-29187, which is another variant of opening repositories owned by a different user leading to privilege escalation. To the best of my knowledge, Gitaly is not impacted by this specific vulnerability. It does not perform repository discovery by walking up the filesystem hierarchy and thus wouldn't pick up repositories in any of the parent directories of the storage root. And if an adversary is in a position to change the owner of repositories contained in Gitaly's storage root, they would already have other ways to attack the host. Also note that we're upgrading the bundled Git version v2.36.1 in-place. This can be done because its feature flag is not yet default-enabled and hasn't been rolled out anywhere due to a set of incompatibilities. Changelog: changed
-rw-r--r--Makefile16
-rw-r--r--_support/git-patches/v2.37.1.gl1/0001-refs-extract-packed_refs_delete_refs-to-allow-contro.patch (renamed from _support/git-patches/v2.36.0.gl1/0001-refs-extract-packed_refs_delete_refs-to-allow-contro.patch)0
-rw-r--r--_support/git-patches/v2.37.1.gl1/0002-refs-allow-passing-flags-when-beginning-transactions.patch (renamed from _support/git-patches/v2.36.0.gl1/0002-refs-allow-passing-flags-when-beginning-transactions.patch)0
-rw-r--r--_support/git-patches/v2.37.1.gl1/0003-refs-allow-skipping-the-reference-transaction-hook.patch (renamed from _support/git-patches/v2.36.0.gl1/0003-refs-allow-skipping-the-reference-transaction-hook.patch)0
-rw-r--r--_support/git-patches/v2.37.1.gl1/0004-refs-demonstrate-excessive-execution-of-the-referenc.patch (renamed from _support/git-patches/v2.36.0.gl1/0004-refs-demonstrate-excessive-execution-of-the-referenc.patch)0
-rw-r--r--_support/git-patches/v2.37.1.gl1/0005-refs-do-not-execute-reference-transaction-hook-on-pa.patch (renamed from _support/git-patches/v2.36.0.gl1/0005-refs-do-not-execute-reference-transaction-hook-on-pa.patch)0
-rw-r--r--_support/git-patches/v2.37.1.gl1/0006-refs-skip-hooks-when-deleting-uncovered-packed-refs.patch (renamed from _support/git-patches/v2.36.0.gl1/0006-refs-skip-hooks-when-deleting-uncovered-packed-refs.patch)0
-rw-r--r--internal/git/command_factory_test.go4
-rw-r--r--internal/git/execution_environment.go4
-rw-r--r--internal/metadata/featureflag/ff_git_v2361.go9
-rw-r--r--internal/metadata/featureflag/ff_git_v2371.go9
-rw-r--r--internal/testhelper/testhelper.go2
12 files changed, 22 insertions, 22 deletions
diff --git a/Makefile b/Makefile
index 1d80763af..a5efefe7a 100644
--- a/Makefile
+++ b/Makefile
@@ -325,17 +325,17 @@ install: build
.PHONY: build-bundled-git
## Build bundled Git binaries.
build-bundled-git: build-bundled-git-v2.35.1.gl1
-build-bundled-git: build-bundled-git-v2.36.1.gl1
+build-bundled-git: build-bundled-git-v2.37.1.gl1
build-bundled-git-v2.35.1.gl1: $(patsubst %,${BUILD_DIR}/bin/gitaly-%-v2.35.1.gl1,${GIT_EXECUTABLES})
-build-bundled-git-v2.36.1.gl1: $(patsubst %,${BUILD_DIR}/bin/gitaly-%-v2.36.1.gl1,${GIT_EXECUTABLES})
+build-bundled-git-v2.37.1.gl1: $(patsubst %,${BUILD_DIR}/bin/gitaly-%-v2.37.1.gl1,${GIT_EXECUTABLES})
.PHONY: install-bundled-git
## Install bundled Git binaries. The target directory can be modified by
## setting PREFIX and DESTDIR.
install-bundled-git: install-bundled-git-v2.35.1.gl1
-install-bundled-git: install-bundled-git-v2.36.1.gl1
+install-bundled-git: install-bundled-git-v2.37.1.gl1
install-bundled-git-v2.35.1.gl1: $(patsubst %,${INSTALL_DEST_DIR}/gitaly-%-v2.35.1.gl1,${GIT_EXECUTABLES})
-install-bundled-git-v2.36.1.gl1: $(patsubst %,${INSTALL_DEST_DIR}/gitaly-%-v2.36.1.gl1,${GIT_EXECUTABLES})
+install-bundled-git-v2.37.1.gl1: $(patsubst %,${INSTALL_DEST_DIR}/gitaly-%-v2.37.1.gl1,${GIT_EXECUTABLES})
ifdef WITH_BUNDLED_GIT
build: build-bundled-git
@@ -560,10 +560,10 @@ ${BUILD_DIR}/bin/gitaly-%-v2.35.1.gl1: override GIT_EXTRA_VERSION = gl1
${BUILD_DIR}/bin/gitaly-%-v2.35.1.gl1: ${DEPENDENCY_DIR}/git-v2.35.1.gl1/% | ${BUILD_DIR}/bin
${Q}install $< $@
-${BUILD_DIR}/bin/gitaly-%-v2.36.1.gl1: override GIT_PATCHES := $(sort $(wildcard ${SOURCE_DIR}/_support/git-patches/v2.36.1.gl1/*))
-${BUILD_DIR}/bin/gitaly-%-v2.36.1.gl1: override GIT_VERSION = v2.36.1
-${BUILD_DIR}/bin/gitaly-%-v2.36.1.gl1: override GIT_EXTRA_VERSION = gl1
-${BUILD_DIR}/bin/gitaly-%-v2.36.1.gl1: ${DEPENDENCY_DIR}/git-v2.36.1.gl1/% | ${BUILD_DIR}/bin
+${BUILD_DIR}/bin/gitaly-%-v2.37.1.gl1: override GIT_PATCHES := $(sort $(wildcard ${SOURCE_DIR}/_support/git-patches/v2.37.1.gl1/*))
+${BUILD_DIR}/bin/gitaly-%-v2.37.1.gl1: override GIT_VERSION = v2.37.1
+${BUILD_DIR}/bin/gitaly-%-v2.37.1.gl1: override GIT_EXTRA_VERSION = gl1
+${BUILD_DIR}/bin/gitaly-%-v2.37.1.gl1: ${DEPENDENCY_DIR}/git-v2.37.1.gl1/% | ${BUILD_DIR}/bin
${Q}install $< $@
${BUILD_DIR}/bin/%: ${BUILD_DIR}/intermediate/% | ${BUILD_DIR}/bin
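Review bot: The `GIT_PATCHES` assignment on the `gitaly-%-v2.37.1.gl1` rule relies on `$(wildcard …/_support/git-patches/v2.37.1.gl1/*)`, which expands to an empty list without any error when the directory name does not match. The removed line pointed at `v2.36.1.gl1` while the patch files in this commit are renamed from `v2.36.0.gl1`, so it looks as if the previous rule may have produced a `gl1`-suffixed binary with none of the patches applied. A guard that fails the build on an empty list would make such a mismatch visible, for example `$(if $(GIT_PATCHES),,$(error no Git patches found for $(GIT_VERSION).$(GIT_EXTRA_VERSION)))` evaluated in the recipe that applies the patches. That recipe is outside this hunk, so the exact placement needs to be confirmed there.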
diff --git a/_support/git-patches/v2.36.0.gl1/0001-refs-extract-packed_refs_delete_refs-to-allow-contro.patch b/_support/git-patches/v2.37.1.gl1/0001-refs-extract-packed_refs_delete_refs-to-allow-contro.patch
index 47dd3e41c..47dd3e41c 100644
--- a/_support/git-patches/v2.36.0.gl1/0001-refs-extract-packed_refs_delete_refs-to-allow-contro.patch
+++ b/_support/git-patches/v2.37.1.gl1/0001-refs-extract-packed_refs_delete_refs-to-allow-contro.patch
diff --git a/_support/git-patches/v2.36.0.gl1/0002-refs-allow-passing-flags-when-beginning-transactions.patch b/_support/git-patches/v2.37.1.gl1/0002-refs-allow-passing-flags-when-beginning-transactions.patch
index 8038daca2..8038daca2 100644
--- a/_support/git-patches/v2.36.0.gl1/0002-refs-allow-passing-flags-when-beginning-transactions.patch
+++ b/_support/git-patches/v2.37.1.gl1/0002-refs-allow-passing-flags-when-beginning-transactions.patch
diff --git a/_support/git-patches/v2.36.0.gl1/0003-refs-allow-skipping-the-reference-transaction-hook.patch b/_support/git-patches/v2.37.1.gl1/0003-refs-allow-skipping-the-reference-transaction-hook.patch
index cd194f8aa..cd194f8aa 100644
--- a/_support/git-patches/v2.36.0.gl1/0003-refs-allow-skipping-the-reference-transaction-hook.patch
+++ b/_support/git-patches/v2.37.1.gl1/0003-refs-allow-skipping-the-reference-transaction-hook.patch
diff --git a/_support/git-patches/v2.36.0.gl1/0004-refs-demonstrate-excessive-execution-of-the-referenc.patch b/_support/git-patches/v2.37.1.gl1/0004-refs-demonstrate-excessive-execution-of-the-referenc.patch
index aa6d96a3e..aa6d96a3e 100644
--- a/_support/git-patches/v2.36.0.gl1/0004-refs-demonstrate-excessive-execution-of-the-referenc.patch
+++ b/_support/git-patches/v2.37.1.gl1/0004-refs-demonstrate-excessive-execution-of-the-referenc.patch
diff --git a/_support/git-patches/v2.36.0.gl1/0005-refs-do-not-execute-reference-transaction-hook-on-pa.patch b/_support/git-patches/v2.37.1.gl1/0005-refs-do-not-execute-reference-transaction-hook-on-pa.patch
index f2e7c06ed..f2e7c06ed 100644
--- a/_support/git-patches/v2.36.0.gl1/0005-refs-do-not-execute-reference-transaction-hook-on-pa.patch
+++ b/_support/git-patches/v2.37.1.gl1/0005-refs-do-not-execute-reference-transaction-hook-on-pa.patch
diff --git a/_support/git-patches/v2.36.0.gl1/0006-refs-skip-hooks-when-deleting-uncovered-packed-refs.patch b/_support/git-patches/v2.37.1.gl1/0006-refs-skip-hooks-when-deleting-uncovered-packed-refs.patch
index 3b21bf489..3b21bf489 100644
--- a/_support/git-patches/v2.36.0.gl1/0006-refs-skip-hooks-when-deleting-uncovered-packed-refs.patch
+++ b/_support/git-patches/v2.37.1.gl1/0006-refs-skip-hooks-when-deleting-uncovered-packed-refs.patch
diff --git a/internal/git/command_factory_test.go b/internal/git/command_factory_test.go
index b47119a71..9a60a78c4 100644
--- a/internal/git/command_factory_test.go
+++ b/internal/git/command_factory_test.go
@@ -217,8 +217,8 @@ func TestCommandFactory_ExecutionEnvironment(t *testing.T) {
})
t.Run("set using GITALY_TESTING_BUNDLED_GIT_PATH", func(t *testing.T) {
- ctx := featureflag.ContextWithFeatureFlag(ctx, featureflag.GitV2361Gl1, true)
- suffix := "-v2.36.1.gl1"
+ ctx := featureflag.ContextWithFeatureFlag(ctx, featureflag.GitV2371Gl1, true)
+ suffix := "-v2.37.1.gl1"
bundledGitDir := testhelper.TempDir(t)
diff --git a/internal/git/execution_environment.go b/internal/git/execution_environment.go
index 9e2232a05..c35d5e108 100644
--- a/internal/git/execution_environment.go
+++ b/internal/git/execution_environment.go
@@ -26,9 +26,9 @@ var (
// case `IsEnabled()` returns `false` though.
ExecutionEnvironmentConstructors = []ExecutionEnvironmentConstructor{
BundledGitEnvironmentConstructor{
- Suffix: "-v2.36.1.gl1",
+ Suffix: "-v2.37.1.gl1",
FeatureFlags: []featureflag.FeatureFlag{
- featureflag.GitV2361Gl1,
+ featureflag.GitV2371Gl1,
},
},
BundledGitEnvironmentConstructor{
diff --git a/internal/metadata/featureflag/ff_git_v2361.go b/internal/metadata/featureflag/ff_git_v2361.go
deleted file mode 100644
index 869f3d8e6..000000000
--- a/internal/metadata/featureflag/ff_git_v2361.go
+++ /dev/null
@@ -1,9 +0,0 @@
-package featureflag
-
-// GitV2361Gl1 will enable use of Git v2.36.1.gl1.
-var GitV2361Gl1 = NewFeatureFlag(
- "git_v2361gl1",
- "v15.0.0",
- "https://gitlab.com/gitlab-org/gitaly/-/issues/4194",
- false,
-)
diff --git a/internal/metadata/featureflag/ff_git_v2371.go b/internal/metadata/featureflag/ff_git_v2371.go
new file mode 100644
index 000000000..b68423548
--- /dev/null
+++ b/internal/metadata/featureflag/ff_git_v2371.go
@@ -0,0 +1,9 @@
+package featureflag
+
+// GitV2371Gl1 will enable use of Git v2.37.1.gl1.
+var GitV2371Gl1 = NewFeatureFlag(
+ "git_v2371gl1",
+ "v15.0.0",
+ "https://gitlab.com/gitlab-org/gitaly/-/issues/4194",
+ false,
+)
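Review bot: The metadata on `GitV2371Gl1` is carried over unchanged from the deleted `GitV2361Gl1` flag: the `"v15.0.0"` argument and the issue URL ending in `/issues/4194` were written for the v2.36.1 rollout. If those arguments record the release that introduced the flag and its rollout issue (the `NewFeatureFlag` signature is not visible here), they should be checked against the v2.37.1 rollout so that the flag can be traced later. The doc comment could also tell operators why this version matters, for example `// GitV2371Gl1 will enable use of Git v2.37.1.gl1, which includes the upstream fix for CVE-2022-29187. The flag is disabled by default.`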
diff --git a/internal/testhelper/testhelper.go b/internal/testhelper/testhelper.go
index e917a7b79..8e5977401 100644
--- a/internal/testhelper/testhelper.go
+++ b/internal/testhelper/testhelper.go
@@ -175,7 +175,7 @@ func ContextWithoutCancel(opts ...ContextOpt) context.Context {
ctx = featureflag.ContextWithFeatureFlag(ctx, featureflag.RunCommandsInCGroup, true)
// Randomly inject the Git flag so that we have coverage of tests with both old and new Git
// version by pure chance.
- ctx = featureflag.ContextWithFeatureFlag(ctx, featureflag.GitV2361Gl1, rnd.Int()%2 == 0)
+ ctx = featureflag.ContextWithFeatureFlag(ctx, featureflag.GitV2371Gl1, rnd.Int()%2 == 0)
// PraefectGeneratedReplicaPaths affects many tests as it changes the repository creation logic.
// Randomly enable the flag to exercise both paths to some extent.
ctx = featureflag.ContextWithFeatureFlag(ctx, featureflag.PraefectGeneratedReplicaPaths, rnd.Int()%2 == 0)