Pullup ticket #5646 - requested by he

devel/git-base: security fix

Revisions pulled up:
- devel/git-base/Makefile                                       1.46
- devel/git-base/distinfo                                       1.71-1.72
- devel/git/Makefile.version                                    1.62-1.63

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Wed Sep 27 06:37:47 UTC 2017

   Modified Files:
   	pkgsrc/devel/git: Makefile.version
   	pkgsrc/devel/git-base: Makefile distinfo

   Log Message:
   git: update to 2.14.2

   Fixes since v2.14.1

    * Because recent Git for Windows do come with a real msgfmt, the
      build procedure for git-gui has been updated to use it instead of a
      hand-rolled substitute.

    * "%C(color name)" in the pretty print format always produced ANSI
      color escape codes, which was an early design mistake.  They now
      honor the configuration (e.g. "color.ui = never") and also tty-ness
      of the output medium.

    * The http.{sslkey,sslCert} configuration variables are to be
      interpreted as a pathname that honors "~[username]/" prefix, but
      weren't, which has been fixed.

    * Numerous bugs in walking of reflogs via "log -g" and friends have
      been fixed.

    * "git commit" when seeing an totally empty message said "you did not
      edit the message", which is clearly wrong.  The message has been
      corrected.

    * When a directory is not readable, "gitweb" fails to build the
      project list.  Work this around by skipping such a directory.

    * A recently added test for the "credential-cache" helper revealed
      that EOF detection done around the time the connection to the cache
      daemon is torn down were flaky.  This was fixed by reacting to
      ECONNRESET and behaving as if we got an EOF.

    * Some versions of GnuPG fail to kill gpg-agent it auto-spawned
      and such a left-over agent can interfere with a test.  Work it
      around by attempting to kill one before starting a new test.

    * "git log --tag=no-such-tag" showed log starting from HEAD, which
      has been fixed---it now shows nothing.

    * The "tag.pager" configuration variable was useless for those who
      actually create tag objects, as it interfered with the use of an
      editor.  A new mechanism has been introduced for commands to enable
      pager depending on what operation is being carried out to fix this,
      and then "git tag -l" is made to run pager by default.

    * "git push --recurse-submodules $there HEAD:$target" was not
      propagated down to the submodules, but now it is.

    * Commands like "git rebase" accepted the --rerere-autoupdate option
      from the command line, but did not always use it.  This has been
      fixed.

    * "git clone --recurse-submodules --quiet" did not pass the quiet
      option down to submodules.

    * "git am -s" has been taught that some input may end with a trailer
      block that is not Signed-off-by: and it should refrain from adding
      an extra blank line before adding a new sign-off in such a case.

    * "git svn" used with "--localtime" option did not compute the tz
      offset for the timestamp in question and instead always used the
      current time, which has been corrected.

    * Memory leaks in a few error codepaths have been plugged.

    * bash 4.4 or newer gave a warning on NUL byte in command
      substitution done in "git stash"; this has been squelched.

    * "git grep -L" and "git grep --quiet -L" reported different exit
      codes; this has been corrected.

    * When handshake with a subprocess filter notices that the process
      asked for an unknown capability, Git did not report what program
      the offending subprocess was running.  This has been corrected.

    * "git apply" that is used as a better "patch -p1" failed to apply a
      taken from a file with CRLF line endings to a file with CRLF line
      endings.  The root cause was because it misused convert_to_git()
      that tried to do "safe-crlf" processing by looking at the index
      entry at the same path, which is a nonsense---in that mode, "apply"
      is not working on the data in (or derived from) the index at all.
      This has been fixed.

    * Killing "git merge --edit" before the editor returns control left
      the repository in a state with MERGE_MSG but without MERGE_HEAD,
      which incorrectly tells the subsequent "git commit" that there was
      a squash merge in progress.  This has been fixed.

    * "git archive" did not work well with pathspecs and the
      export-ignore attribute.

    * "git cvsserver" no longer is invoked by "git daemon" by default,
      as it is old and largely unmaintained.

    * Various Perl scripts did not use safe_pipe_capture() instead of
      backticks, leaving them susceptible to end-user input.  They have
      been corrected.

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Tue Oct 24 06:43:24 UTC 2017

   Modified Files:
   	pkgsrc/devel/git: Makefile.version
   	pkgsrc/devel/git-base: distinfo

   Log Message:
   git: updated to 2.14.3

   Git v2.14.3 Release Notes

   Fixes since v2.14.2

    * A helper function to read a single whole line into strbuf
      mistakenly triggered OOM error at EOF under certain conditions,
      which has been fixed.

    * In addition to "cc: <a@dd.re.ss> # cruft", "cc: a@dd.re.ss # cruft"
      was taught to "git send-email" as a valid way to tell it that it
      needs to also send a carbon copy to <a@dd.re.ss> in the trailer
      section.

    * Fix regression to "gitk --bisect" by a recent update.

    * Unlike "git commit-tree < file", "git commit-tree -F file" did not
      pass the contents of the file verbatim and instead completed an
      incomplete line at the end, if exists.  The latter has been updated
      to match the behaviour of the former.

    * "git archive", especially when used with pathspec, stored an empty
      directory in its output, even though Git itself never does so.
      This has been fixed.

    * API error-proofing which happens to also squelch warnings from GCC.

    * "git gc" tries to avoid running two instances at the same time by
      reading and writing pid/host from and to a lock file; it used to
      use an incorrect fscanf() format when reading, which has been
      corrected.

    * The test linter has been taught that we do not like "echo -e".

    * Code cmp.std.c nitpick.

    * "git describe --match" learned to take multiple patterns in v2.13
      series, but the feature ignored the patterns after the first one
      and did not work at all.  This has been fixed.

    * "git cat-file --textconv" started segfaulting recently, which
      has been corrected.

    * The built-in pattern to detect the "function header" for HTML did
      not match <H1>..<H6> elements without any attributes, which has
      been fixed.

    * "git mailinfo" was loose in decoding quoted printable and produced
      garbage when the two letters after the equal sign are not
      hexadecimal.  This has been fixed.

    * The documentation for '-X<option>' for merges was misleadingly
      written to suggest that "-s theirs" exists, which is not the case.

    * Spell the name of our system as "Git" in the output from
      request-pull script.

    * Fixes for a handful memory access issues identified by valgrind.

    * Backports a moral equivalent of 2015 fix to the poll emulation from
      the upstream gnulib to fix occasional breakages on HPE NonStop.

    * In the "--format=..." option of the "git for-each-ref" command (and
      its friends, i.e. the listing mode of "git branch/tag"), "%(atom:)"
      (e.g. "%(refname:)", "%(body:)" used to error out.  Instead, treat
      them as if the colon and an empty string that follows it were not
      there.

    * Users with "color.ui = always" in their configuration were broken
      by a recent change that made plumbing commands to pay attention to
      them as the patch created internally by "git add -p" were colored
      (heh) and made unusable.  This has been fixed.

    * "git branch -M a b" while on a branch that is completely unrelated
      to either branch a or branch b misbehaved when multiple worktree
      was in use.  This has been fixed.

    * "git fast-export" with -M/-C option issued "copy" instruction on a
      path that is simultaneously modified, which was incorrect.

    * The checkpoint command "git fast-import" did not flush updates to
      refs and marks unless at least one object was created since the
      last checkpoint, which has been corrected, as these things can
      happen without any new object getting created.

    * The scripts to drive TravisCI has been reorganized and then an
      optimization to avoid spending cycles on a branch whose tip is
      tagged has been implemented.

    * "git fetch <there> <src>:<dst>" allows an object name on the <src>
      side when the other side accepts such a request since Git v2.5, but
      the documentation was left stale.

    * A regression in 2.11 that made the code to read the list of
      alternate object stores overrun the end of the string has been
      fixed.

   Also contains various documentation updates and code clean-ups.

3 files changed, 8 insertions, 9 deletions

diff --git a/devel/git-base/Makefile b/devel/git-base/Makefile
index 637e53f95d1..159b4ae5716 100644
--- a/devel/git-base/Makefile
+++ b/devel/git-base/Makefile
@@ -1,6 +1,5 @@
-# $NetBSD: Makefile,v 1.45 2017/08/24 20:03:10 adam Exp $
+# $NetBSD: Makefile,v 1.45.4.1 2017/11/25 08:49:05 bsiegert Exp $
 
-PKGREVISION= 2
 .include "../../devel/git/Makefile.common"
 
 PKGNAME=	git-base-${GIT_VERSION}
diff --git a/devel/git-base/distinfo b/devel/git-base/distinfo
index 31f7f0c2078..51d9f8751cf 100644
--- a/devel/git-base/distinfo
+++ b/devel/git-base/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.70 2017/08/12 22:05:15 adam Exp $
+$NetBSD: distinfo,v 1.70.4.1 2017/11/25 08:49:05 bsiegert Exp $
 
-SHA1 (git-2.14.1.tar.xz) = 33af2185b1a99ea6581f270d0bb497ca1ca015a8
-RMD160 (git-2.14.1.tar.xz) = 20883121f8b167d52cd54107e78a9d8a0a7502a9
-SHA512 (git-2.14.1.tar.xz) = bee35ad9c6a0d0588045ec2fe5f6987cb1eeb3961cdf33cd9b51ae52017969131ea4ec09908f9b30944f85b0daa99614fb42c248c9c8dac5f21a90e2866c33b4
-Size (git-2.14.1.tar.xz) = 4791876 bytes
+SHA1 (git-2.14.3.tar.xz) = 47f7889ff046cbd37a4aeb20c8e65f2f19df9b14
+RMD160 (git-2.14.3.tar.xz) = f88e0b91da03e8475dbf5550bbc1d4b826d536cd
+SHA512 (git-2.14.3.tar.xz) = e32e9ff904cbc2a77d78ca08953e3b69ac527c333a898dd053806e3d7e684ad4ae153ae7663b7ff9c16e2414c3189878a2e6c95fe9320b4af6cb1e7fa5102643
+Size (git-2.14.3.tar.xz) = 4802252 bytes
 SHA1 (patch-aa) = a58f3c2f45c1fbafd751d10b9ef34e6c9afc2c6f
 SHA1 (patch-ac) = e5d2112d158fe493a89b244a10d2e4b998a23d98
 SHA1 (patch-ae) = 9bc2e6c7f0a8fbc385b6ffda638d3245a62dc5ca
diff --git a/devel/git/Makefile.version b/devel/git/Makefile.version
index cc7f509ba91..906ec8b7441 100644
--- a/devel/git/Makefile.version
+++ b/devel/git/Makefile.version
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile.version,v 1.61 2017/08/12 22:05:15 adam Exp $
+# $NetBSD: Makefile.version,v 1.61.4.1 2017/11/25 08:49:05 bsiegert Exp $
 #
 # used by devel/git/Makefile.common
 # used by devel/git-cvs/Makefile
 # used by devel/git-svn/Makefile
 
-GIT_VERSION=	2.14.1
+GIT_VERSION=	2.14.3