GNU bug report logs - #56398
(guix git) fails to check out repos with nested submodules

Previous Next

Package: guix;

Reported by: Ludovic Courtès <ludovic.courtes <at> inria.fr>

Date: Tue, 5 Jul 2022 15:03:02 UTC

Severity: normal

Full log

View this message in rfc822 format

From: bokr <at> bokr.com
To: André Batista <nandre <at> riseup.net>
Cc: Ludovic Courtès <ludovic.courtes <at> inria.fr>, 56398 <at> debbugs.gnu.org
Subject: bug#56398: (guix git) fails to check out repos with nested submodules
Date: Fri, 25 Nov 2022 00:51:43 +0100

Hi,

On +2022-11-24 12:17:01 -0300, André Batista wrote:
> Hi!
> 
> qui 04 ago 2022 às 13:59:20 (1659632360), ludovic.courtes <at> inria.fr enviou:
> > I think we should instead report it upstream.  Do you feel like doing
> > it?  I guess we’d need to give them the C version of the three-line
> > snippet I gave earlier.
> 
> Upstream issue #6433[1]
> 
> Apparently, GIT_SUBMODULE_STATUS_WD_UNINITIALIZED isn't actually set
> in this scenario, only GIT_SUBMODULE_STATUS_IN_CONFIG.
> 
> 1. https://github.com/libgit2/libgit2/issues/6433
> 
> 
>

Wondering if this[1] is all history in gnu/guix-land:

[1] <https://nvd.nist.gov/vuln/detail/CVE-2020-5260>

Wherein it says

--8<---------------cut here---------------start------------->8---
The problem has been patched in the versions published on
April 14th, 2020, going back to v2.17.x. Anyone wishing to
backport the change further can do so by applying commit
9a6bbee (the full release includes extra checks for git
fsck, but that commit is sufficient to protect clients
against the vulnerability). The patched versions are:
2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2,
2.24.2, 2.25.3, 2.26.1.
--8<---------------cut here---------------end--------------->8---

Is there an automated tool to answer the question,
"What executables (command line directly, or indirectly (including
config-directed interpretation)) does my system contain
that have known vulnerabilities?"

BTW: Newsflash: :)
     RMS paranoia now dernier-cri[3] as cited in [2]
[2] <https://www.theregister.com/2022/11/23/dod_cisa_omb_cybersecurity/>
[3] <https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf>

Something[3] to get (more) serious about for gnu/guix?
--
Regards,
Bengt Richter
This bug report was last modified 2 years and 241 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.