Restore /usr/share/doc/contrib/diff-highlight/diff-highlight

Bug #1713690 reported by Dan Watkins on 2017-08-29
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone
git (Debian) | New | Unknown | |
git (Ubuntu) | | Undecided | Unassigned |
Bionic | | Undecided | Unassigned |

Bug Description

[ SRU Verification ]
This is just a papercut, but diff-highlight was shipped built in the past (including in xenial), so dropping it in bionic was a regression.

[ Regression Potential ]
None, this is just shipping a built perl script in doc.

[ Test Case ]
Check that the file is now shipped and works when specified in the [pager] section as shown in the bug report.

[ Original Report ]
This was removed in my most recent upgrade on artful, 1:2.11.0-4 -> 1:2.14.1-1ubuntu3.

This is particularly frustrating as it caused a bunch of git operations to start erroring for me, as I have the following in my .gitconfig:

[pager]
 diff = perl /usr/share/doc/git/contrib/diff-highlight/diff-highlight | less
 log = perl /usr/share/doc/git/contrib/diff-highlight/diff-highlight | less
 show = perl /usr/share/doc/git/contrib/diff-highlight/diff-highlight | less


Dan Watkins (daniel-thewatkins) wrote :

(Filing this in Ubuntu even though it's being tracked in Debian, because I think this will be a papercut for a number of users if it ends up in artful.)

Dan Watkins (daniel-thewatkins) wrote :

https://github.com/git/git/commit/0c977dbc8180892af42d7ab9235fd3e51d6c4078 introduced the need to run the diff-highlight Makefile to build diff-highlight.

Changed in git (Debian):
status: Unknown → New
tags: added: artful
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in git (Ubuntu):
status: New → Confirmed
Adam Conrad (adconrad) on 2018-09-20
description: updated
description: updated

Hello Dan, or anyone else affected,

Accepted git into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu0.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in git (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Adam Conrad (adconrad) on 2018-09-20
Changed in git (Ubuntu):
status: Confirmed → Fix Committed
Steve Beattie (sbeattie) wrote :

Hi, I can confirm that the version in bionic-proposed (1:2.17.1-1ubuntu0.2) adds back the /usr/share/doc/git/contrib/diff-highlight/diff-highlight to the git package.

I am currently working on a security update for git to address CVE-2018-17456, and for bionic the security update will be based off of the version in bionic-proposed. (That update has been uploaded to the ubuntu-security-proposed ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.17.1-1ubuntu0.3

---------------
git (1:2.17.1-1ubuntu0.3) bionic-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via submodule URLs and
    paths in .gitsubmodules.
    - 0001-submodule-helper-use-to-signal-end-of-clone-options.patch,
      0002-submodule-config-ban-submodule-urls-that-start-with-.patch,
      0003-submodule-config-ban-submodule-paths-that-start-with.patch:
      disallow urls and files that begin with '--'.
    - 0004-fsck-detect-submodule-urls-starting-with-dash.patch,
      0005-fsck-detect-submodule-paths-starting-with-dash.patch:
      reject gitmodules that contain submodule urls and files that begin
      with '--'.
    - CVE-2018-17456

git (1:2.17.1-1ubuntu0.2) bionic; urgency=medium

  * Build diff-highlight in the contrib dir (closes: #868871, LP: #1713690)

 -- Steve Beattie <email address hidden> Fri, 05 Oct 2018 16:27:58 -0700

Changed in git (Ubuntu Bionic):
status: Fix Committed → Fix Released
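
The changelog above describes rejecting submodule URLs and paths that look like command-line options. The following is an added example, not code from git or from the Ubuntu patches: a simplified checker for a `.gitmodules`-style file. The parser, the function names and the sample data are constructed for illustration, and as an assumption the check flags any value starting with `-`, which includes the `--` case named in the changelog.

```python
import re

# Simplified matchers for the .gitmodules layout (not git's full config grammar).
SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>(?:[^"\\]|\\.)*)"\]\s*$')
KEY_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')


def parse_gitmodules(text):
    """Return {submodule_name: {key: value}}; a repeated key keeps the last value."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group("name"), {})
            continue
        if line.startswith("["):
            current = None  # some other section: ignore its keys
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            value = m.group("value").strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # drop surrounding double quotes
            current[m.group("key").lower()] = value
    return modules


def find_option_like(text):
    """List (submodule, key, value) where url or path begins with a dash."""
    findings = []
    for name, keys in parse_gitmodules(text).items():
        for key in ("url", "path"):
            if keys.get(key, "").startswith("-"):
                findings.append((name, key, keys[key]))
    return findings


# Constructed sample input, not taken from any real repository.
SAMPLE = '''\
[submodule "libfoo"]
    path = vendor/libfoo
    url = https://example.com/libfoo.git
[submodule "odd"]
    path = --constructed-path
    url = "--constructed-url"
'''

if __name__ == "__main__":
    for finding in find_option_like(SAMPLE):
        print("option-like submodule value:", finding)
```
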
Georgi Georgiev (chutz) wrote :

Any reason why the executable bit of diff-highlight is stripped?

If I run `sudo make -B -C /usr/share/doc/git/contrib/diff-highlight diff-highlight` the generated file is executable, but the one shipped with the package is not.

On Fri, Oct 12, 2018 at 07:18:51AM -0000, Georgi Georgiev wrote:
> Any reason why the executable bit of diff-highlight is stripped?
>
> If I run `sudo make -B -C /usr/share/doc/git/contrib/diff-highlight
> diff-highlight` the generated file is executable, but the one shipped
> with the package is not.

My configuration has been the following for a while (albeit commented
out due to this bug), which suggests that it wasn't previously
executable (and also demonstrates how to use it regardless :):

[pager]
 diff = perl /usr/share/doc/git/contrib/diff-highlight/diff-highlight.perl | less
 log = perl /usr/share/doc/git/contrib/diff-highlight/diff-highlight.perl | less
 show = perl /usr/share/doc/git/contrib/diff-highlight/diff-highlight.perl | less

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.19.1-1ubuntu1

---------------
git (1:2.19.1-1ubuntu1) cosmic; urgency=medium

  * Merge with Debian; remaining changes:
    - debian/control: build against pcre v3 only
    - debian/rules: s390x libpcre3 library has JIT disabled, set
      NO_LIBPCRE1_JIT on that arch to stop the build from failing.
    - Build diff-highlight in the contrib dir (closes: #868871, LP: #1713690)

git (1:2.19.1-1) unstable; urgency=high

  * new upstream point release (see RelNotes/2.19.1.txt,
    CVE-2018-17456).

 -- Jeremy Bicha <email address hidden> Fri, 05 Oct 2018 18:15:54 -0400

Changed in git (Ubuntu):
status: Fix Committed → Fix Released