Git 2.32.7

Signed-off-by: Taylor Blau <me@ttaylorr.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Sync with 2.31.8
2023-04-17 21:15:51 +02:00 · 2023-04-17 21:15:49 +02:00 · 2023-04-17 21:15:47 +02:00 · 2023-04-17 21:15:45 +02:00 · 2023-04-17 21:15:44 +02:00 · 2023-04-17 21:15:43 +02:00
33 changed files with 603 additions and 110 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -287,7 +287,7 @@ jobs:
            pool: ubuntu-latest
          - jobname: linux-gcc
            cc: gcc
-            pool: ubuntu-latest
+            pool: ubuntu-20.04
          - jobname: osx-clang
            cc: clang
            pool: macos-latest
@ -345,7 +345,7 @@ jobs:
    if: needs.ci-config.outputs.enabled == 'yes'
    env:
      jobname: StaticAnalysis
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
    steps:
    - uses: actions/checkout@v1
    - run: ci/install-dependencies.sh
--- a/Documentation/RelNotes/2.30.8.txt
+++ b/Documentation/RelNotes/2.30.8.txt
@ -0,0 +1,52 @@
+Git v2.30.8 Release Notes
+=========================
+
+This release addresses the security issues CVE-2023-22490 and
+CVE-2023-23946.
+
+
+Fixes since v2.30.7
+-------------------
+
+ * CVE-2023-22490:
+
+   Using a specially-crafted repository, Git can be tricked into using
+   its local clone optimization even when using a non-local transport.
+   Though Git will abort local clones whose source $GIT_DIR/objects
+   directory contains symbolic links (c.f., CVE-2022-39253), the objects
+   directory itself may still be a symbolic link.
+
+   These two may be combined to include arbitrary files based on known
+   paths on the victim's filesystem within the malicious repository's
+   working copy, allowing for data exfiltration in a similar manner as
+   CVE-2022-39253.
+
+ * CVE-2023-23946:
+
+   By feeding a crafted input to "git apply", a path outside the
+   working tree can be overwritten as the user who is running "git
+   apply".
+
+ * A mismatched type in `attr.c::read_attr_from_index()` which could
+   cause Git to errantly reject attributes on Windows and 32-bit Linux
+   has been corrected.
+
+Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was
+developed by Taylor Blau, with additional help from others on the
+Git security mailing list.
+
+Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the
+fix was developed by Patrick Steinhardt.
+
+
+Johannes Schindelin (1):
+      attr: adjust a mismatched data type
+
+Patrick Steinhardt (1):
+      apply: fix writing behind newly created symbolic links
+
+Taylor Blau (3):
+      t5619: demonstrate clone_local() with ambiguous transport
+      clone: delay picking a transport until after get_repo_path()
+      dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS
+
--- a/Documentation/RelNotes/2.30.9.txt
+++ b/Documentation/RelNotes/2.30.9.txt
@ -0,0 +1,43 @@
+Git v2.30.9 Release Notes
+=========================
+
+This release addresses the security issues CVE-2023-25652,
+CVE-2023-25815, and CVE-2023-29007.
+
+
+Fixes since v2.30.8
+-------------------
+
+ * CVE-2023-25652:
+
+   By feeding specially crafted input to `git apply --reject`, a
+   path outside the working tree can be overwritten with partially
+   controlled contents (corresponding to the rejected hunk(s) from
+   the given patch).
+
+ * CVE-2023-25815:
+
+   When Git is compiled with runtime prefix support and runs without
+   translated messages, it still used the gettext machinery to
+   display messages, which subsequently potentially looked for
+   translated messages in unexpected places. This allowed for
+   malicious placement of crafted messages.
+
+ * CVE-2023-29007:
+
+   When renaming or deleting a section from a configuration file,
+   certain malicious configuration values may be misinterpreted as
+   the beginning of a new configuration section, leading to arbitrary
+   configuration injection.
+
+Credit for finding CVE-2023-25652 goes to Ry0taK, and the fix was
+developed by Taylor Blau, Junio C Hamano and Johannes Schindelin,
+with the help of Linus Torvalds.
+
+Credit for finding CVE-2023-25815 goes to Maxime Escourbiac and
+Yassine BENGANA of Michelin, and the fix was developed by Johannes
+Schindelin.
+
+Credit for finding CVE-2023-29007 goes to André Baptista and Vítor Pinho
+of Ethiack, and the fix was developed by Taylor Blau, and Johannes
+Schindelin, with help from Jeff King, and Patrick Steinhardt.
--- a/Documentation/RelNotes/2.31.7.txt
+++ b/Documentation/RelNotes/2.31.7.txt
@ -0,0 +1,6 @@
+Git v2.31.7 Release Notes
+=========================
+
+This release merges up the fixes that appear in v2.30.8 to
+address the security issues CVE-2023-22490 and CVE-2023-23946;
+see the release notes for that version for details.
--- a/Documentation/RelNotes/2.31.8.txt
+++ b/Documentation/RelNotes/2.31.8.txt
@ -0,0 +1,6 @@
+Git v2.31.8 Release Notes
+=========================
+
+This release merges the fixes that appear in v2.30.9 to address the
+security issues CVE-2023-25652, CVE-2023-25815, and CVE-2023-29007;
+see the release notes for that version for details.
--- a/Documentation/RelNotes/2.32.6.txt
+++ b/Documentation/RelNotes/2.32.6.txt
@ -0,0 +1,6 @@
+Git v2.32.6 Release Notes
+=========================
+
+This release merges up the fixes that appear in v2.30.8 and v2.31.7
+to address the security issues CVE-2023-22490 and CVE-2023-23946;
+see the release notes for these versions for details.
--- a/Documentation/RelNotes/2.32.7.txt
+++ b/Documentation/RelNotes/2.32.7.txt
@ -0,0 +1,7 @@
+Git v2.32.7 Release Notes
+=========================
+
+This release merges the fixes that appear in v2.30.9 and v2.31.8 to
+address the security issues CVE-2023-25652, CVE-2023-25815, and
+CVE-2023-29007; see the release notes for these versions for
+details.
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 #!/bin/sh

 GVF=GIT-VERSION-FILE
-DEF_VER=v2.32.5
+DEF_VER=v2.32.7

 LF='
 '
--- a/4
+++ b/4
@ -145,6 +145,10 @@ Issues of note:
 	  patches into an IMAP mailbox, you do not have to have them
 	  (use NO_CURL).

+	  Git requires version "7.19.5" or later of "libcurl" to build
+	  without NO_CURL. This version requirement may be bumped in
+	  the future.
+
 	- "expat" library; git-http-push uses it for remote lock
 	  management over DAV.  Similar to "curl" above, this is optional
 	  (with NO_EXPAT).
--- a/2
+++ b/2
@ -1 +1 @@
-Documentation/RelNotes/2.32.5.txt
+Documentation/RelNotes/2.32.7.txt
--- a/apply.c
+++ b/apply.c
@ -4402,6 +4402,33 @@ static int create_one_file(struct apply_state *state,
 	if (state->cached)
 		return 0;

+	/*
+	 * We already try to detect whether files are beyond a symlink in our
+	 * up-front checks. But in the case where symlinks are created by any
+	 * of the intermediate hunks it can happen that our up-front checks
+	 * didn't yet see the symlink, but at the point of arriving here there
+	 * in fact is one. We thus repeat the check for symlinks here.
+	 *
+	 * Note that this does not make the up-front check obsolete as the
+	 * failure mode is different:
+	 *
+	 * - The up-front checks cause us to abort before we have written
+	 *   anything into the working directory. So when we exit this way the
+	 *   working directory remains clean.
+	 *
+	 * - The checks here happen in the middle of the action where we have
+	 *   already started to apply the patch. The end result will be a dirty
+	 *   working directory.
+	 *
+	 * Ideally, we should update the up-front checks to catch what would
+	 * happen when we apply the patch before we damage the working tree.
+	 * We have all the information necessary to do so.  But for now, as a
+	 * part of embargoed security work, having this check would serve as a
+	 * reasonable first step.
+	 */
+	if (path_is_beyond_symlink(state, path))
+		return error(_("affected file '%s' is beyond a symbolic link"), path);
+
 	res = try_create_file(state, path, mode, buf, size);
 	if (res < 0)
 		return -1;
@ -4533,7 +4560,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
 	FILE *rej;
 	char namebuf[PATH_MAX];
 	struct fragment *frag;
-	int cnt = 0;
+	int fd, cnt = 0;
 	struct strbuf sb = STRBUF_INIT;

 	for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
@ -4573,7 +4600,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
 	memcpy(namebuf, patch->new_name, cnt);
 	memcpy(namebuf + cnt, ".rej", 5);

-	rej = fopen(namebuf, "w");
+	fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
+	if (fd < 0) {
+		if (errno != EEXIST)
+			return error_errno(_("cannot open %s"), namebuf);
+		if (unlink(namebuf))
+			return error_errno(_("cannot unlink '%s'"), namebuf);
+		fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
+		if (fd < 0)
+			return error_errno(_("cannot open %s"), namebuf);
+	}
+	rej = fdopen(fd, "w");
 	if (!rej)
 		return error_errno(_("cannot open %s"), namebuf);

--- a/attr.c
+++ b/attr.c
@ -756,7 +756,7 @@ static struct attr_stack *read_attr_from_index(struct index_state *istate,
 	struct attr_stack *res;
 	char *buf, *sp;
 	int lineno = 0;
-	size_t size;
+	unsigned long size;

 	if (!istate)
 		return NULL;
--- a/builtin/clone.c
+++ b/builtin/clone.c
@ -254,6 +254,15 @@ static char *guess_dir_name(const char *repo, int is_bundle, int is_bare)
 			end--;
 	}

+	/*
+	 * It should not be possible to overflow `ptrdiff_t` by passing in an
+	 * insanely long URL, but GCC does not know that and will complain
+	 * without this check.
+	 */
+	if (end - start < 0)
+		die(_("No directory name could be guessed.\n"
+		      "Please specify a directory on the command line"));
+
 	/*
 	 * Strip trailing port number if we've got only a
 	 * hostname (that is, there is no dir separator but a
@ -1220,10 +1229,6 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
 	refspec_appendf(&remote->fetch, "+%s*:%s*", src_ref_prefix,
 			branch_top.buf);

-	transport = transport_get(remote, remote->url[0]);
-	transport_set_verbosity(transport, option_verbosity, option_progress);
-	transport->family = family;
-
 	path = get_repo_path(remote->url[0], &is_bundle);
 	is_local = option_local != 0 && path && !is_bundle;
 	if (is_local) {
@ -1245,6 +1250,10 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
 	}
 	if (option_local > 0 && !is_local)
 		warning(_("--local is ignored"));
+
+	transport = transport_get(remote, path ? path : remote->url[0]);
+	transport_set_verbosity(transport, option_verbosity, option_progress);
+	transport->family = family;
 	transport->cloning = 1;

 	transport_set_option(transport, TRANS_OPT_KEEP, "yes");
--- a/ci/install-dependencies.sh
+++ b/ci/install-dependencies.sh
@ -5,7 +5,7 @@

 . ${0%/*}/lib.sh

-P4WHENCE=http://filehost.perforce.com/perforce/r$LINUX_P4_VERSION
+P4WHENCE=https://cdist2.perforce.com/perforce/r21.2
 LFSWHENCE=https://github.com/github/git-lfs/releases/download/v$LINUX_GIT_LFS_VERSION
 UBUNTU_COMMON_PKGS="make libssl-dev libcurl4-openssl-dev libexpat-dev
 tcl tk gettext zlib1g-dev perl-modules liberror-perl libauthen-sasl-perl
@ -16,7 +16,7 @@ linux-clang|linux-gcc)
 	sudo apt-add-repository -y "ppa:ubuntu-toolchain-r/test"
 	sudo apt-get -q update
 	sudo apt-get -q -y install language-pack-is libsvn-perl apache2 \
-		$UBUNTU_COMMON_PKGS
+		$UBUNTU_COMMON_PKGS $PYTHON_PACKAGE
 	case "$jobname" in
 	linux-gcc)
 		sudo apt-get -q -y install gcc-8
@ -44,13 +44,15 @@ osx-clang|osx-gcc)
 	test -z "$BREW_INSTALL_PACKAGES" ||
 	brew install $BREW_INSTALL_PACKAGES
 	brew link --force gettext
-	brew install --cask --no-quarantine perforce || {
-		# Update the definitions and try again
-		cask_repo="$(brew --repository)"/Library/Taps/homebrew/homebrew-cask &&
-		git -C "$cask_repo" pull --no-stat --ff-only &&
-		brew install --cask --no-quarantine perforce
-	} ||
-	brew install homebrew/cask/perforce
+	mkdir -p $HOME/bin
+	(
+		cd $HOME/bin
+		wget -q "$P4WHENCE/bin.macosx1015x86_64/helix-core-server.tgz" &&
+		tar -xf helix-core-server.tgz &&
+		sudo xattr -d com.apple.quarantine p4 p4d 2>/dev/null || true
+	)
+	PATH="$PATH:${HOME}/bin"
+	export PATH
 	case "$jobname" in
 	osx-gcc)
 		brew install gcc@9
@ -81,9 +83,9 @@ esac
 if type p4d >/dev/null && type p4 >/dev/null
 then
 	echo "$(tput setaf 6)Perforce Server Version$(tput sgr0)"
-	p4d -V | grep Rev.
+	p4d -V
 	echo "$(tput setaf 6)Perforce Client Version$(tput sgr0)"
-	p4 -V | grep Rev.
+	p4 -V
 fi
 if type git-lfs >/dev/null
 then
--- a/ci/lib.sh
+++ b/ci/lib.sh
@ -184,13 +184,13 @@ export SKIP_DASHED_BUILT_INS=YesPlease

 case "$jobname" in
 linux-clang|linux-gcc)
+	PYTHON_PACKAGE=python2
 	if [ "$jobname" = linux-gcc ]
 	then
 		export CC=gcc-8
-		MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=/usr/bin/python3"
-	else
-		MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=/usr/bin/python2"
+		PYTHON_PACKAGE=python3
 	fi
+	MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=/usr/bin/$PYTHON_PACKAGE"

 	export GIT_TEST_HTTPD=true

@ -199,7 +199,6 @@ linux-clang|linux-gcc)
 	# were recorded in the Homebrew database upon creating the OS X
 	# image.
 	# Keep that in mind when you encounter a broken OS X build!
-	export LINUX_P4_VERSION="16.2"
 	export LINUX_GIT_LFS_VERSION="1.5.2"

 	P4_PATH="$HOME/custom/p4"
--- a/compat/nedmalloc/nedmalloc.c
+++ b/compat/nedmalloc/nedmalloc.c
@ -323,7 +323,6 @@ static NOINLINE void RemoveCacheEntries(nedpool *p, threadcache *tc, unsigned in
 }
 static void DestroyCaches(nedpool *p) THROWSPEC
 {
-	if(p->caches)
 	{
 		threadcache *tc;
 		int n;
--- a/compat/win32/syslog.c
+++ b/compat/win32/syslog.c
@ -43,6 +43,7 @@ void syslog(int priority, const char *fmt, ...)
 	va_end(ap);

 	while ((pos = strstr(str, "%1")) != NULL) {
+		size_t offset = pos - str;
 		char *oldstr = str;
 		str = realloc(str, st_add(++str_len, 1));
 		if (!str) {
@ -50,6 +51,7 @@ void syslog(int priority, const char *fmt, ...)
 			warning_errno("realloc failed");
 			return;
 		}
+		pos = str + offset;
 		memmove(pos + 2, pos + 1, strlen(pos));
 		pos[1] = ' ';
 	}
--- a/config.c
+++ b/config.c
@ -3198,9 +3198,10 @@ void git_config_set_multivar(const char *key, const char *value,
 					flags);
 }

-static int section_name_match (const char *buf, const char *name)
+static size_t section_name_match (const char *buf, const char *name)
 {
-	int i = 0, j = 0, dot = 0;
+	size_t i = 0, j = 0;
+	int dot = 0;
 	if (buf[i] != '[')
 		return 0;
 	for (i = 1; buf[i] && buf[i] != ']'; i++) {
@ -3253,6 +3254,8 @@ static int section_name_is_ok(const char *name)
 	return 1;
 }

+#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
+
 /* if new_name == NULL, the section is removed instead */
 static int git_config_copy_or_rename_section_in_file(const char *config_filename,
 				      const char *old_name,
@ -3262,11 +3265,12 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
 	char *filename_buf = NULL;
 	struct lock_file lock = LOCK_INIT;
 	int out_fd;
-	char buf[1024];
+	struct strbuf buf = STRBUF_INIT;
 	FILE *config_file = NULL;
 	struct stat st;
 	struct strbuf copystr = STRBUF_INIT;
 	struct config_store_data store;
+	uint32_t line_nr = 0;

 	memset(&store, 0, sizeof(store));

@ -3303,16 +3307,25 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
 		goto out;
 	}

-	while (fgets(buf, sizeof(buf), config_file)) {
-		unsigned i;
-		int length;
+	while (!strbuf_getwholeline(&buf, config_file, '\n')) {
+		size_t i, length;
 		int is_section = 0;
-		char *output = buf;
-		for (i = 0; buf[i] && isspace(buf[i]); i++)
+		char *output = buf.buf;
+
+		line_nr++;
+
+		if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) {
+			ret = error(_("refusing to work with overly long line "
+				      "in '%s' on line %"PRIuMAX),
+				    config_filename, (uintmax_t)line_nr);
+			goto out;
+		}
+
+		for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++)
 			; /* do nothing */
-		if (buf[i] == '[') {
+		if (buf.buf[i] == '[') {
 			/* it's a section */
-			int offset;
+			size_t offset;
 			is_section = 1;

 			/*
@ -3329,7 +3342,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
 				strbuf_reset(&copystr);
 			}

-			offset = section_name_match(&buf[i], old_name);
+			offset = section_name_match(&buf.buf[i], old_name);
 			if (offset > 0) {
 				ret++;
 				if (new_name == NULL) {
@ -3404,6 +3417,7 @@ out:
 out_no_rollback:
 	free(filename_buf);
 	config_store_data_clear(&store);
+	strbuf_release(&buf);
 	return ret;
 }

--- a/dir-iterator.c
+++ b/dir-iterator.c
@ -203,7 +203,7 @@ struct dir_iterator *dir_iterator_begin(const char *path, unsigned int flags)
 {
 	struct dir_iterator_int *iter = xcalloc(1, sizeof(*iter));
 	struct dir_iterator *dir_iterator = &iter->base;
-	int saved_errno;
+	int saved_errno, err;

 	strbuf_init(&iter->base.path, PATH_MAX);
 	strbuf_addstr(&iter->base.path, path);
@ -213,10 +213,15 @@ struct dir_iterator *dir_iterator_begin(const char *path, unsigned int flags)
 	iter->flags = flags;

 	/*
-	 * Note: stat already checks for NULL or empty strings and
-	 * inexistent paths.
+	 * Note: stat/lstat already checks for NULL or empty strings and
+	 * nonexistent paths.
 	 */
-	if (stat(iter->base.path.buf, &iter->base.st) < 0) {
+	if (iter->flags & DIR_ITERATOR_FOLLOW_SYMLINKS)
+		err = stat(iter->base.path.buf, &iter->base.st);
+	else
+		err = lstat(iter->base.path.buf, &iter->base.st);
+
+	if (err < 0) {
 		saved_errno = errno;
 		goto error_out;
 	}
--- a/dir-iterator.h
+++ b/dir-iterator.h
@ -61,6 +61,11 @@
 *   not the symlinks themselves, which is the default behavior. Broken
 *   symlinks are ignored.
 *
+ *   Note: setting DIR_ITERATOR_FOLLOW_SYMLINKS affects resolving the
+ *   starting path as well (e.g., attempting to iterate starting at a
+ *   symbolic link pointing to a directory without FOLLOW_SYMLINKS will
+ *   result in an error).
+ *
 * Warning: circular symlinks are also followed when
 * DIR_ITERATOR_FOLLOW_SYMLINKS is set. The iteration may end up with
 * an ELOOP if they happen and DIR_ITERATOR_PEDANTIC is set.
--- a/gettext.c
+++ b/gettext.c
@ -101,6 +101,8 @@ static void init_gettext_charset(const char *domain)
 		setlocale(LC_CTYPE, "C");
 }

+int git_gettext_enabled = 0;
+
 void git_setup_gettext(void)
 {
 	const char *podir = getenv(GIT_TEXT_DOMAIN_DIR_ENVIRONMENT);
@ -120,6 +122,8 @@ void git_setup_gettext(void)
 	init_gettext_charset("git");
 	textdomain("git");

+	git_gettext_enabled = 1;
+
 	free(p);
 }

--- a/gettext.h
+++ b/gettext.h
@ -29,9 +29,11 @@
 #define FORMAT_PRESERVING(n) __attribute__((format_arg(n)))

 #ifndef NO_GETTEXT
+extern int git_gettext_enabled;
 void git_setup_gettext(void);
 int gettext_width(const char *s);
 #else
+#define git_gettext_enabled (0)
 static inline void git_setup_gettext(void)
 {
 }
@ -45,12 +47,16 @@ static inline FORMAT_PRESERVING(1) const char *_(const char *msgid)
 {
 	if (!*msgid)
 		return "";
+	if (!git_gettext_enabled)
+		return msgid;
 	return gettext(msgid);
 }

 static inline FORMAT_PRESERVING(1) FORMAT_PRESERVING(2)
 const char *Q_(const char *msgid, const char *plu, unsigned long n)
 {
+	if (!git_gettext_enabled)
+		return n == 1 ? msgid : plu;
 	return ngettext(msgid, plu, n);
 }

--- a/http-push.c
+++ b/http-push.c
@ -198,14 +198,14 @@ static void curl_setup_http(CURL *curl, const char *url,
 		const char *custom_req, struct buffer *buffer,
 		curl_write_callback write_fn)
 {
-	curl_easy_setopt(curl, CURLOPT_PUT, 1);
+	curl_easy_setopt(curl, CURLOPT_UPLOAD, 1);
 	curl_easy_setopt(curl, CURLOPT_URL, url);
 	curl_easy_setopt(curl, CURLOPT_INFILE, buffer);
 	curl_easy_setopt(curl, CURLOPT_INFILESIZE, buffer->buf.len);
 	curl_easy_setopt(curl, CURLOPT_READFUNCTION, fread_buffer);
-#ifndef NO_CURL_IOCTL
-	curl_easy_setopt(curl, CURLOPT_IOCTLFUNCTION, ioctl_buffer);
-	curl_easy_setopt(curl, CURLOPT_IOCTLDATA, buffer);
+#ifndef NO_CURL_SEEK
+	curl_easy_setopt(curl, CURLOPT_SEEKFUNCTION, seek_buffer);
+	curl_easy_setopt(curl, CURLOPT_SEEKDATA, buffer);
 #endif
 	curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_fn);
 	curl_easy_setopt(curl, CURLOPT_NOBODY, 0);
--- a/http.c
+++ b/http.c
@ -186,22 +186,20 @@ size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
 	return size / eltsize;
 }

-#ifndef NO_CURL_IOCTL
-curlioerr ioctl_buffer(CURL *handle, int cmd, void *clientp)
+#ifndef NO_CURL_SEEK
+int seek_buffer(void *clientp, curl_off_t offset, int origin)
 {
 	struct buffer *buffer = clientp;

-	switch (cmd) {
-	case CURLIOCMD_NOP:
-		return CURLIOE_OK;
-
-	case CURLIOCMD_RESTARTREAD:
-		buffer->posn = 0;
-		return CURLIOE_OK;
-
-	default:
-		return CURLIOE_UNKNOWNCMD;
+	if (origin != SEEK_SET)
+		BUG("seek_buffer only handles SEEK_SET");
+	if (offset < 0 || offset >= buffer->buf.len) {
+		error("curl seek would be outside of buffer");
+		return CURL_SEEKFUNC_FAIL;
 	}
+
+	buffer->posn = offset;
+	return CURL_SEEKFUNC_OK;
 }
 #endif

@ -810,20 +808,37 @@ void setup_curl_trace(CURL *handle)
 }

 #ifdef CURLPROTO_HTTP
-static long get_curl_allowed_protocols(int from_user)
+static void proto_list_append(struct strbuf *list, const char *proto)
 {
-	long allowed_protocols = 0;
+	if (!list)
+		return;
+	if (list->len)
+		strbuf_addch(list, ',');
+	strbuf_addstr(list, proto);
+}

-	if (is_transport_allowed("http", from_user))
-		allowed_protocols |= CURLPROTO_HTTP;
-	if (is_transport_allowed("https", from_user))
-		allowed_protocols |= CURLPROTO_HTTPS;
-	if (is_transport_allowed("ftp", from_user))
-		allowed_protocols |= CURLPROTO_FTP;
-	if (is_transport_allowed("ftps", from_user))
-		allowed_protocols |= CURLPROTO_FTPS;
+static long get_curl_allowed_protocols(int from_user, struct strbuf *list)
+{
+	long bits = 0;

-	return allowed_protocols;
+	if (is_transport_allowed("http", from_user)) {
+		bits |= CURLPROTO_HTTP;
+		proto_list_append(list, "http");
+	}
+	if (is_transport_allowed("https", from_user)) {
+		bits |= CURLPROTO_HTTPS;
+		proto_list_append(list, "https");
+	}
+	if (is_transport_allowed("ftp", from_user)) {
+		bits |= CURLPROTO_FTP;
+		proto_list_append(list, "ftp");
+	}
+	if (is_transport_allowed("ftps", from_user)) {
+		bits |= CURLPROTO_FTPS;
+		proto_list_append(list, "ftps");
+	}
+
+	return bits;
 }
 #endif

@ -981,10 +996,24 @@ static CURL *get_curl_handle(void)
 	curl_easy_setopt(result, CURLOPT_POST301, 1);
 #endif
 #ifdef CURLPROTO_HTTP
+#if LIBCURL_VERSION_NUM >= 0x075500
+	{
+		struct strbuf buf = STRBUF_INIT;
+
+		get_curl_allowed_protocols(0, &buf);
+		curl_easy_setopt(result, CURLOPT_REDIR_PROTOCOLS_STR, buf.buf);
+		strbuf_reset(&buf);
+
+		get_curl_allowed_protocols(-1, &buf);
+		curl_easy_setopt(result, CURLOPT_PROTOCOLS_STR, buf.buf);
+		strbuf_release(&buf);
+	}
+#else
 	curl_easy_setopt(result, CURLOPT_REDIR_PROTOCOLS,
-			 get_curl_allowed_protocols(0));
+			 get_curl_allowed_protocols(0, NULL));
 	curl_easy_setopt(result, CURLOPT_PROTOCOLS,
-			 get_curl_allowed_protocols(-1));
+			 get_curl_allowed_protocols(-1, NULL));
+#endif
 #else
 	warning(_("Protocol restrictions not supported with cURL < 7.19.4"));
 #endif
@ -1523,6 +1552,32 @@ void run_active_slot(struct active_request_slot *slot)
 		finish_active_slot(slot);
 	}
 #endif
+
+	/*
+	 * The value of slot->finished we set before the loop was used
+	 * to set our "finished" variable when our request completed.
+	 *
+	 * 1. The slot may not have been reused for another requst
+	 *    yet, in which case it still has &finished.
+	 *
+	 * 2. The slot may already be in-use to serve another request,
+	 *    which can further be divided into two cases:
+	 *
+	 * (a) If call run_active_slot() hasn't been called for that
+	 *     other request, slot->finished would have been cleared
+	 *     by get_active_slot() and has NULL.
+	 *
+	 * (b) If the request did call run_active_slot(), then the
+	 *     call would have updated slot->finished at the beginning
+	 *     of this function, and with the clearing of the member
+	 *     below, we would find that slot->finished is now NULL.
+	 *
+	 * In all cases, slot->finished has no useful information to
+	 * anybody at this point.  Some compilers warn us for
+	 * attempting to smuggle a pointer that is about to become
+	 * invalid, i.e. &finished.  We clear it here to assure them.
+	 */
+	slot->finished = NULL;
 }

 static void release_active_slot(struct active_request_slot *slot)
--- a/http.h
+++ b/http.h
@ -41,8 +41,8 @@
 #define CURLE_HTTP_RETURNED_ERROR CURLE_HTTP_NOT_FOUND
 #endif

-#if LIBCURL_VERSION_NUM < 0x070c03
-#define NO_CURL_IOCTL
+#if LIBCURL_VERSION_NUM < 0x071200
+#define NO_CURL_SEEK
 #endif

 /*
@ -82,8 +82,8 @@ struct buffer {
 size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *strbuf);
 size_t fwrite_buffer(char *ptr, size_t eltsize, size_t nmemb, void *strbuf);
 size_t fwrite_null(char *ptr, size_t eltsize, size_t nmemb, void *strbuf);
-#ifndef NO_CURL_IOCTL
-curlioerr ioctl_buffer(CURL *handle, int cmd, void *clientp);
+#ifndef NO_CURL_SEEK
+int seek_buffer(void *clientp, curl_off_t offset, int origin);
 #endif

 /* Slot lifecycle functions */
--- a/range-diff.c
+++ b/range-diff.c
@ -26,17 +26,6 @@ struct patch_util {
 	struct object_id oid;
 };

-static size_t find_end_of_line(char *buffer, unsigned long size)
-{
-	char *eol = memchr(buffer, '\n', size);
-
-	if (!eol)
-		return size;
-
-	*eol = '\0';
-	return eol + 1 - buffer;
-}
-
 /*
 * Reads the patches into a string list, with the `util` field being populated
 * as struct object_id (will need to be free()d).
@ -49,7 +38,7 @@ static int read_patches(const char *range, struct string_list *list,
 	struct patch_util *util = NULL;
 	int in_header = 1;
 	char *line, *current_filename = NULL;
-	int offset, len;
+	ssize_t len;
 	size_t size;

 	strvec_pushl(&cp.args, "log", "--no-color", "-p", "--no-merges",
@ -86,11 +75,18 @@ static int read_patches(const char *range, struct string_list *list,

 	line = contents.buf;
 	size = contents.len;
-	for (offset = 0; size > 0; offset += len, size -= len, line += len) {
+	for (; size > 0; size -= len, line += len) {
 		const char *p;
+		char *eol;
+
+		eol = memchr(line, '\n', size);
+		if (eol) {
+			*eol = '\0';
+			len = eol + 1 - line;
+		} else {
+			len = size;
+		}

-		len = find_end_of_line(line, size);
-		line[len - 1] = '\0';
 		if (skip_prefix(line, "commit ", &p)) {
 			if (util) {
 				string_list_append(list, buf.buf)->util = util;
@ -132,7 +128,8 @@ static int read_patches(const char *range, struct string_list *list,
 			strbuf_addch(&buf, '\n');
 			if (!util->diff_offset)
 				util->diff_offset = buf.len;
-			line[len - 1] = '\n';
+			if (eol)
+				*eol = '\n';
 			orig_len = len;
 			len = parse_git_diff_header(&root, &linenr, 0, line,
 						    len, size, &patch);
--- a/remote-curl.c
+++ b/remote-curl.c
@ -709,26 +709,24 @@ static size_t rpc_out(void *ptr, size_t eltsize,
 	return avail;
 }

-#ifndef NO_CURL_IOCTL
-static curlioerr rpc_ioctl(CURL *handle, int cmd, void *clientp)
+#ifndef NO_CURL_SEEK
+static int rpc_seek(void *clientp, curl_off_t offset, int origin)
 {
 	struct rpc_state *rpc = clientp;

-	switch (cmd) {
-	case CURLIOCMD_NOP:
-		return CURLIOE_OK;
+	if (origin != SEEK_SET)
+		BUG("rpc_seek only handles SEEK_SET, not %d", origin);

-	case CURLIOCMD_RESTARTREAD:
-		if (rpc->initial_buffer) {
-			rpc->pos = 0;
-			return CURLIOE_OK;
+	if (rpc->initial_buffer) {
+		if (offset < 0 || offset > rpc->len) {
+			error("curl seek would be outside of rpc buffer");
+			return CURL_SEEKFUNC_FAIL;
 		}
-		error(_("unable to rewind rpc post data - try increasing http.postBuffer"));
-		return CURLIOE_FAILRESTART;
-
-	default:
-		return CURLIOE_UNKNOWNCMD;
+		rpc->pos = offset;
+		return CURL_SEEKFUNC_OK;
 	}
+	error(_("unable to rewind rpc post data - try increasing http.postBuffer"));
+	return CURL_SEEKFUNC_FAIL;
 }
 #endif

@ -949,9 +947,9 @@ retry:
 		rpc->initial_buffer = 1;
 		curl_easy_setopt(slot->curl, CURLOPT_READFUNCTION, rpc_out);
 		curl_easy_setopt(slot->curl, CURLOPT_INFILE, rpc);
-#ifndef NO_CURL_IOCTL
-		curl_easy_setopt(slot->curl, CURLOPT_IOCTLFUNCTION, rpc_ioctl);
-		curl_easy_setopt(slot->curl, CURLOPT_IOCTLDATA, rpc);
+#ifndef NO_CURL_SEEK
+		curl_easy_setopt(slot->curl, CURLOPT_SEEKFUNCTION, rpc_seek);
+		curl_easy_setopt(slot->curl, CURLOPT_SEEKDATA, rpc);
 #endif
 		if (options.verbosity > 1) {
 			fprintf(stderr, "POST %s (chunked)\n", rpc->service_name);
--- a/t/t0033-safe-directory.sh
+++ b/t/t0033-safe-directory.sh
@ -9,7 +9,7 @@ export GIT_TEST_ASSUME_DIFFERENT_OWNER

 expect_rejected_dir () {
 	test_must_fail git status 2>err &&
-	grep "safe.directory" err
+	grep "dubious ownership" err
 }

 test_expect_success 'safe.directory is not set' '
--- a/t/t0066-dir-iterator.sh
+++ b/t/t0066-dir-iterator.sh
@ -109,7 +109,9 @@ test_expect_success SYMLINKS 'setup dirs with symlinks' '
 	mkdir -p dir5/a/c &&
 	ln -s ../c dir5/a/b/d &&
 	ln -s ../ dir5/a/b/e &&
-	ln -s ../../ dir5/a/b/f
+	ln -s ../../ dir5/a/b/f &&
+
+	ln -s dir4 dir6
 '

 test_expect_success SYMLINKS 'dir-iterator should not follow symlinks by default' '
@ -145,4 +147,27 @@ test_expect_success SYMLINKS 'dir-iterator should follow symlinks w/ follow flag
 	test_cmp expected-follow-sorted-output actual-follow-sorted-output
 '

+test_expect_success SYMLINKS 'dir-iterator does not resolve top-level symlinks' '
+	test_must_fail test-tool dir-iterator ./dir6 >out &&
+
+	grep "ENOTDIR" out
+'
+
+test_expect_success SYMLINKS 'dir-iterator resolves top-level symlinks w/ follow flag' '
+	cat >expected-follow-sorted-output <<-EOF &&
+	[d] (a) [a] ./dir6/a
+	[d] (a/f) [f] ./dir6/a/f
+	[d] (a/f/c) [c] ./dir6/a/f/c
+	[d] (b) [b] ./dir6/b
+	[d] (b/c) [c] ./dir6/b/c
+	[f] (a/d) [d] ./dir6/a/d
+	[f] (a/e) [e] ./dir6/a/e
+	EOF
+
+	test-tool dir-iterator --follow-symlinks ./dir6 >out &&
+	sort out >actual-follow-sorted-output &&
+
+	test_cmp expected-follow-sorted-output actual-follow-sorted-output
+'
+
 test_done
--- a/t/t1300-config.sh
+++ b/t/t1300-config.sh
@ -616,6 +616,36 @@ test_expect_success 'renaming to bogus section is rejected' '
 	test_must_fail git config --rename-section branch.zwei "bogus name"
 '

+test_expect_success 'renaming a section with a long line' '
+	{
+		printf "[b]\\n" &&
+		printf "  c = d %1024s [a] e = f\\n" " " &&
+		printf "[a] g = h\\n"
+	} >y &&
+	git config -f y --rename-section a xyz &&
+	test_must_fail git config -f y b.e
+'
+
+test_expect_success 'renaming an embedded section with a long line' '
+	{
+		printf "[b]\\n" &&
+		printf "  c = d %1024s [a] [foo] e = f\\n" " " &&
+		printf "[a] g = h\\n"
+	} >y &&
+	git config -f y --rename-section a xyz &&
+	test_must_fail git config -f y foo.e
+'
+
+test_expect_success 'renaming a section with an overly-long line' '
+	{
+		printf "[b]\\n" &&
+		printf "  c = d %525000s e" " " &&
+		printf "[a] g = h\\n"
+	} >y &&
+	test_must_fail git config -f y --rename-section a xyz 2>err &&
+	grep "refusing to work with overly long line in .y. on line 2" err
+'
+
 cat >> .git/config << EOF
  [branch "zwei"] a = 1 [branch "vier"]
 EOF
--- a/t/t4115-apply-symlink.sh
+++ b/t/t4115-apply-symlink.sh
@ -44,4 +44,100 @@ test_expect_success 'apply --index symlink patch' '

 '

+test_expect_success 'symlink setup' '
+	ln -s .git symlink &&
+	git add symlink &&
+	git commit -m "add symlink"
+'
+
+test_expect_success SYMLINKS 'symlink escape when creating new files' '
+	test_when_finished "git reset --hard && git clean -dfx" &&
+
+	cat >patch <<-EOF &&
+	diff --git a/symlink b/renamed-symlink
+	similarity index 100%
+	rename from symlink
+	rename to renamed-symlink
+	--
+	diff --git /dev/null b/renamed-symlink/create-me
+	new file mode 100644
+	index 0000000..039727e
+	--- /dev/null
+	+++ b/renamed-symlink/create-me
+	@@ -0,0 +1,1 @@
+	+busted
+	EOF
+
+	test_must_fail git apply patch 2>stderr &&
+	cat >expected_stderr <<-EOF &&
+	error: affected file ${SQ}renamed-symlink/create-me${SQ} is beyond a symbolic link
+	EOF
+	test_cmp expected_stderr stderr &&
+	! test_path_exists .git/create-me
+'
+
+test_expect_success SYMLINKS 'symlink escape when modifying file' '
+	test_when_finished "git reset --hard && git clean -dfx" &&
+	touch .git/modify-me &&
+
+	cat >patch <<-EOF &&
+	diff --git a/symlink b/renamed-symlink
+	similarity index 100%
+	rename from symlink
+	rename to renamed-symlink
+	--
+	diff --git a/renamed-symlink/modify-me b/renamed-symlink/modify-me
+	index 1111111..2222222 100644
+	--- a/renamed-symlink/modify-me
+	+++ b/renamed-symlink/modify-me
+	@@ -0,0 +1,1 @@
+	+busted
+	EOF
+
+	test_must_fail git apply patch 2>stderr &&
+	cat >expected_stderr <<-EOF &&
+	error: renamed-symlink/modify-me: No such file or directory
+	EOF
+	test_cmp expected_stderr stderr &&
+	test_must_be_empty .git/modify-me
+'
+
+test_expect_success SYMLINKS 'symlink escape when deleting file' '
+	test_when_finished "git reset --hard && git clean -dfx && rm .git/delete-me" &&
+	touch .git/delete-me &&
+
+	cat >patch <<-EOF &&
+	diff --git a/symlink b/renamed-symlink
+	similarity index 100%
+	rename from symlink
+	rename to renamed-symlink
+	--
+	diff --git a/renamed-symlink/delete-me b/renamed-symlink/delete-me
+	deleted file mode 100644
+	index 1111111..0000000 100644
+	EOF
+
+	test_must_fail git apply patch 2>stderr &&
+	cat >expected_stderr <<-EOF &&
+	error: renamed-symlink/delete-me: No such file or directory
+	EOF
+	test_cmp expected_stderr stderr &&
+	test_path_is_file .git/delete-me
+'
+
+test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
+	test_when_finished "git reset --hard && git clean -dfx" &&
+
+	test_commit file &&
+	echo modified >file.t &&
+	git diff -- file.t >patch &&
+	echo modified-again >file.t &&
+
+	ln -s foo file.t.rej &&
+	test_must_fail git apply patch --reject 2>err &&
+	test_i18ngrep "Rejected hunk" err &&
+	test_path_is_missing foo &&
+	test_path_is_file file.t.rej
+'
+
 test_done
--- a/t/t5604-clone-reference.sh
+++ b/t/t5604-clone-reference.sh
@ -344,4 +344,20 @@ test_expect_success SYMLINKS 'clone repo with symlinked or unknown files at obje
 	test_must_be_empty T--shared.objects-symlinks.raw
 '

+test_expect_success SYMLINKS 'clone repo with symlinked objects directory' '
+	test_when_finished "rm -fr sensitive malicious" &&
+
+	mkdir -p sensitive &&
+	echo "secret" >sensitive/file &&
+
+	git init malicious &&
+	rm -fr malicious/.git/objects &&
+	ln -s "$(pwd)/sensitive" ./malicious/.git/objects &&
+
+	test_must_fail git clone --local malicious clone 2>err &&
+
+	test_path_is_missing clone &&
+	grep "failed to start iterator over" err
+'
+
 test_done
--- a/t/t5619-clone-local-ambiguous-transport.sh
+++ b/t/t5619-clone-local-ambiguous-transport.sh
@ -0,0 +1,70 @@
+#!/bin/sh
+
+test_description='test local clone with ambiguous transport'
+
+. ./test-lib.sh
+. "$TEST_DIRECTORY/lib-httpd.sh"
+
+if ! test_have_prereq SYMLINKS
+then
+	skip_all='skipping test, symlink support unavailable'
+	test_done
+fi
+
+start_httpd
+
+REPO="$HTTPD_DOCUMENT_ROOT_PATH/sub.git"
+URI="$HTTPD_URL/dumb/sub.git"
+
+test_expect_success 'setup' '
+	mkdir -p sensitive &&
+	echo "secret" >sensitive/secret &&
+
+	git init --bare "$REPO" &&
+	test_commit_bulk -C "$REPO" --ref=main 1 &&
+
+	git -C "$REPO" update-ref HEAD main &&
+	git -C "$REPO" update-server-info &&
+
+	git init malicious &&
+	(
+		cd malicious &&
+
+		git submodule add "$URI" &&
+
+		mkdir -p repo/refs &&
+		touch repo/refs/.gitkeep &&
+		printf "ref: refs/heads/a" >repo/HEAD &&
+		ln -s "$(cd .. && pwd)/sensitive" repo/objects &&
+
+		mkdir -p "$HTTPD_URL/dumb" &&
+		ln -s "../../../.git/modules/sub/../../../repo/" "$URI" &&
+
+		git add . &&
+		git commit -m "initial commit"
+	) &&
+
+	# Delete all of the references in our malicious submodule to
+	# avoid the client attempting to checkout any objects (which
+	# will be missing, and thus will cause the clone to fail before
+	# we can trigger the exploit).
+	git -C "$REPO" for-each-ref --format="delete %(refname)" >in &&
+	git -C "$REPO" update-ref --stdin <in &&
+	git -C "$REPO" update-server-info
+'
+
+test_expect_success 'ambiguous transport does not lead to arbitrary file-inclusion' '
+	git clone malicious clone &&
+	test_must_fail git -C clone submodule update --init 2>err &&
+
+	test_path_is_missing clone/.git/modules/sub/objects/secret &&
+	# We would actually expect "transport .file. not allowed" here,
+	# but due to quirks of the URL detection in Git, we mis-parse
+	# the absolute path as a bogus URL and die before that step.
+	#
+	# This works for now, and if we ever fix the URL detection, it
+	# is OK to change this to detect the transport error.
+	grep "protocol .* is not supported" err
+'
+
+test_done