-
|
Hi @Byron , I am working on fixing the CVE-2022-24439 on our source code. Our product is currently having python3-git with 3.1.27 version. As I got to know that #1521 PR is fixing the CVE-2022-24439 so, started backporting the patches. But, after applying patches observed that in our python3-git source code there is no "test/" directory available and due to which patches are failing to apply. Later on found that there no test/ directory in original tarball downloaded from this https://files.pythonhosted.org/packages/source/G/GitPython/GitPython-3.1.27.tar.gz Could you please tell me if I can ignore the changes in test/ directory & apply the patches then, will it fix the CVE-2022-24439 issue ? If not then how to fix this CVE-2022-24439 in this source code where test/ directory is not at available ? Thanks. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 7 replies
-
|
You should be good ignoring the changes to tests, make also sure to apply the changes from #1518. |
Beta Was this translation helpful? Give feedback.
-
|
@stsewd Could you please check these patches & confirm if these patches will be able to fix the CVE-2022-24439 ? |
Beta Was this translation helpful? Give feedback.
-
|
Hi there, I've been busy, took a quick look and patches look okay. |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
@nrpt-m - In line 294 of your PR1521 patch I think there's an indentation error (breaking line 700 of remote.py): the "url = Git.polish_url(url)" is indented one space too far. Noticed this over in yocto/poky where the patches have been recently merged into Kirkstone. Will you follow up there or should I? |
Beta Was this translation helpful? Give feedback.
-
|
@philsuth, Thanks for your sharp observations. It would be great help if you could follow up there. |
Beta Was this translation helpful? Give feedback.
You should be good ignoring the changes to tests, make also sure to apply the changes from #1518.