Cannot add submodule using file transport

Status changed to 'Confirmed' because the bug affects multiple users.

From the description, this looks like fallout from CVE-2022-39253

https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253

associated with the release of git 2.38.1 and the back port of the associated patch
to v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, and v2.37.4.

https://<email address hidden>/

From the Github blog:

"This vulnerability can be used to break security boundaries, by injecting sensitive content into a malicious Docker container, for example. This attack relies on the existence of a symbolic link inside of a repository’s $GIT_DIR/objects directory, meaning that you must either clone a malicious repository locally, or clone a malicious repository packaged as a local submodule inside of another repository."

Thanks to jpetazzo for the alert at

https://twitter.com/jpetazzo/status/1583112279012257797

Thank you @edward-vielmetti

Marking as Invalid as this is not a bug and is as intended by upstream.

> Additionally, the value of `protocol.file.allow` is changed to be "user" by default.

To use `submodule add` in the example above, run:
git -c protocol.file.allow=always submodule add /tmp/bar the_bar

https://git-scm.com/docs/git-config#Documentation/git-config.txt-protocolallow

Additional information. I've also Confirmed:

It's broken on Ubuntu 20.04 git 1:2.25.1-1ubuntu3.6
It works on Ubuntu 20.04 git 1:2.25.1-1ubuntu3

It's broken on Ubuntu 18.04 git 1:2.17.1-1ubuntu0.13
It works on Ubuntu 18.04 git 1:2.17.0-1ubuntu1

It works on Ubuntu 16.04 git 1:2.7.4-0ubuntu1.10 and 1:2.7.4-0ubuntu1

Confirmed, this does work, thanks:

git config --global protocol.file.allow always

The DEP8 tests need to be updated/changed, because they are all failing in git 2.38 in lunar currently, and I suspect the next non-security SRU for git will also trigger those in stable.

I briefly thought about hijacking this bug for the DEP8 failures, but filed https://bugs.launchpad.net/ubuntu/+source/git/+bug/1999511 instead.

For check-manifest: https://github.com/mgedmin/check-manifest/pull/161

The output is discarded in the mercurial test, but it's the same issue I believe:

--- /tmp/autopkgtest.XYKeOH/build.V3Y/src/tests/test-convert-git.t
+++ /tmp/autopkgtest.XYKeOH/build.V3Y/src/tests/test-convert-git.t.err
@@ -721,6 +721,7 @@
   $ cd git-repo6
   $ git init >/dev/null 2>/dev/null
   $ git submodule add ${BASE} >/dev/null 2>/dev/null <-----------------
+ [128]
   $ commit -a -m 'addsubmodule' >/dev/null 2>/dev/null

Mercurial fix: https://www.mercurial-scm.org/repo/hg/rev/2b658c6a9c4b

This bug was fixed in the package check-manifest - 0.46-2ubuntu1

---------------
check-manifest (0.46-2ubuntu1) lunar; urgency=medium

  * d/p/0002-fix-submodule-add-with-new-git.patch: fix the submodule
    test with newer versions of git (LP: #1993586)

 -- Andreas Hasenack <email address hidden> Sun, 18 Dec 2022 09:42:09 -0300

Mercurial was fixed upstream

This bug was fixed in the package guilt - 0.36-3

---------------
guilt (0.36-3) unstable; urgency=medium

  * QA upload.

  [ Jelmer Vernooij ]
  * Migrate repository from alioth to salsa.

  [ Simon Chopin ]
  * d/p/fix-decorate.patch: adjust the test suite for new Git behavior.
    (Closes: #1023805, LP: #1993586)
  * d/control: Bump Standards-Version to 4.6.2, no changes needed
  * Bump debhelper compat to 13
    - d/rules: remove the --parallel, now redundant
    - d/p/makefile-quote-variables.patch: fix passing Makefile variables down
    - d/control: B-D on debhelper-compat
  * d/rules, d/control: respect the nodoc build profile
  * d/tests/upstream: replace deprecated $ADTTMP by $AUTOPKGTEST_TMP

  [ Graham Inggs ]
  * d/control: Set Rules-Requires-Root: no

 -- Simon Chopin <email address hidden> Thu, 12 Jan 2023 12:37:31 +0000