Commit 95be4bb
authored
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4&size=40){kind=avatar}
chore(deps): bump dulwich from 1.1.0 to 1.2.5 in /docker/poetry in the pip group across 1 directory (#5481)
Bumps the pip group with 1 update in the /docker/poetry directory:
[dulwich](https://github.com/dulwich/dulwich).
Updates `dulwich` from 1.1.0 to 1.2.5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/dulwich/dulwich/releases">dulwich's
releases</a>.</em></p>
<blockquote>
<h2>dulwich 1.2.5</h2>
<p>This is a security release. All users are encouraged to upgrade.</p>
<h2>Security fixes</h2>
<ul>
<li>
<p><strong>GHSA-gfhv-vqv2-4544</strong> -- Validate submodule paths in
<code>porcelain.submodule_update</code> (and thus
<code>porcelain.clone(recurse_submodules=True)</code>). A crafted
upstream repository could carry a submodule whose path was
<code>.git/hooks</code> (or any other path inside <code>.git</code> or
above the work tree), causing the submodule's tree contents to be
written there with their executable bits intact. The dulwich analogue of
git's CVE-2024-32002 / CVE-2024-32004. (Reported by tonghuaroot)</p>
</li>
<li>
<p><strong>CVE-2026-42305</strong> -- Harden tree path validation
against entry names that are harmless on POSIX but dangerous when
checked out on Windows. <code>validate_path_element_ntfs</code> now also
rejects Windows path separators, the alternate data stream marker
<code>:</code>, NTFS 8.3 short-name aliases of <code>.git</code>, and
reserved Windows device names. <code>core.protectNTFS</code> now
defaults to true on every platform, and both
<code>core.protectNTFS</code> and <code>core.protectHFS</code> are now
read under their correct option names. (Reported by Christopher
Toth)</p>
</li>
<li>
<p><strong>CVE-2026-42563</strong> -- Shell-quote values substituted
into <code>ProcessMergeDriver</code> commands. A malicious branch could
inject shell commands when a merge driver referencing <code>%P</code>
was configured. (Reported by Ravishanker Kusuma (hayageek))</p>
</li>
<li>
<p><strong>CVE-2026-47712</strong> -- Sanitize commit subjects used in
<code>porcelain.format_patch</code> filenames so a malicious subject
(e.g. <code>x/../../x</code>) cannot direct the generated patch outside
<code>outdir</code>. (Reported by Christopher Toth)</p>
</li>
<li>
<p><strong>receive.maxInputSize</strong> -- Honour
<code>receive.maxInputSize</code> in <code>ReceivePackHandler</code>.
Previously a remote unauthenticated client could send a tiny crafted
pack that declared a huge <code>dest_size</code> and trigger hundreds of
MB of allocation over <code>git-receive-pack</code>. (Reported by Liyi,
Ziyue, Strick, Maurice and Chenchen @ University of Sydney)</p>
</li>
</ul>
<h2>dulwich-1.2.4</h2>
<p>Tolerate ref names with empty path components (e.g.
`refs/tags//v1.0`) for now, emitting a `DeprecationWarning` rather than
raising a `RefFormatError`. Such names are constructed by older Poetry
releases (fixed in Poetry 2.4.0) and were silently accepted before
Dulwich 1.2.3. `local_branch_name`, `local_tag_name` and
`local_replace_name` likewise warn about, and strip, a leading slash
instead of raising `ValueError`. Both will become errors again in a
future release. (Jelmer Vernooij, <a
href="https://redirect.github.com/dulwich/dulwich/issues/2192">#2192</a>)</p>
<h2>dulwich-1.2.1</h2>
<h2>Changes since 1.2.0</h2>
<ul>
<li>
<p>Derive the LFS endpoint as the remote's on-disk LFS store
(<code><remote>/.git/lfs</code> for worktrees,
<code><remote>/lfs</code> for bare repos)
when <code>remote.origin.url</code> points at a local filesystem path or
<code>file://</code> URL, matching git-lfs behaviour. Previously the
built-in
smudge filter constructed an HTTP-style
<code><remote>.git/info/lfs</code> path
that did not exist on disk, leaving LFS-tracked files as pointers
when cloning from a local repo.</p>
</li>
<li>
<p>Deduplicate objects when writing a multi-pack-index. Objects present
in multiple packs (e.g. after <code>git gc</code> creates a cruft pack)
would
otherwise produce an OIDL chunk with repeated SHAs, causing
<code>git multi-pack-index verify</code> to fail with "oid lookup
out of order".
(<a
href="https://redirect.github.com/dulwich/dulwich/issues/2152">#2152</a>)</p>
</li>
<li>
<p>Extend ignorecase and precomposeunicode support to index lookups.
(<a
href="https://redirect.github.com/dulwich/dulwich/issues/1807">#1807</a>)</p>
</li>
</ul>
<h2>1.2.0</h2>
<h2>Notable changes since 1.1.0</h2>
<h3>New features</h3>
<ul>
<li>Add <code>am</code> command and <code>porcelain.am()</code> for
applying mailbox-style email patches (<code>git am</code>), with state
persistence for <code>--continue</code>, <code>--skip</code>,
<code>--abort</code>, and <code>--quit</code> recovery (<a
href="https://redirect.github.com/dulwich/dulwich/issues/1692">#1692</a>).</li>
<li>Add <code>apply</code> command and
<code>porcelain.apply_patch()</code> for applying unified diffs,
including rename/copy detection, binary patches with Git's base85
encoding, and <code>--3way</code> merge fallback (<a
href="https://redirect.github.com/dulwich/dulwich/issues/1784">#1784</a>).</li>
<li>Expand <code>log</code> command options: <code>--oneline</code>,
<code>--abbrev-commit</code>, <code>--author</code>,
<code>--committer</code>, <code>--grep</code>,
<code>--since</code>/<code>--after</code>,
<code>--until</code>/<code>--before</code>,
<code>-n</code>/<code>--max-count</code>, <code>--no-merges</code>,
<code>--merges</code>, <code>--stat</code>,
<code>-p</code>/<code>--patch</code>, <code>--name-only</code>, and
<code>--follow</code> (<a
href="https://redirect.github.com/dulwich/dulwich/issues/1779">#1779</a>).</li>
<li>Add support for push options
(<code>-o</code>/<code>--push-option</code>) in <code>push</code>,
enabling AGit flow and other server-side push option workflows.</li>
<li>Add missing push options: <code>--all</code>, <code>--tags</code>,
<code>--delete</code>, <code>--dry-run</code>, <code>--prune</code>,
<code>--set-upstream</code>, <code>--follow-tags</code>, and
<code>--mirror</code> (<a
href="https://redirect.github.com/dulwich/dulwich/issues/1844">#1844</a>).</li>
<li>Add support for atomic push operations (<code>--atomic</code>):
either all ref updates succeed or none are applied (<a
href="https://redirect.github.com/dulwich/dulwich/issues/1781">#1781</a>).</li>
<li>Add support for <code>extensions.relativeworktrees</code> repository
extension, allowing worktrees to use relative paths (<a
href="https://redirect.github.com/dulwich/dulwich/issues/2112">#2112</a>).</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jelmer/dulwich/blob/main/NEWS">dulwich's
changelog</a>.</em></p>
<blockquote>
<p>1.2.5 2026-05-28</p>
<ul>
<li>
<p>SECURITY(GHSA-gfhv-vqv2-4544): Validate submodule paths in
<code>porcelain.submodule_update</code> (and thus
<code>porcelain.clone(recurse_submodules=True)</code>). A crafted
upstream
repository could carry a submodule whose path was
<code>.git/hooks</code> (or
any other path inside <code>.git</code> or above the work tree), causing
the
submodule's tree contents to be written there with their executable
bits intact -- dropping a hook that later commands would run. Submodule
paths are now rejected if they are absolute or carry a component that
the configured path validator refuses, and the submodule's own tree is
materialized with the same validator. This is the dulwich analogue of
git's
CVE-2024-32002 / CVE-2024-32004.
(Jelmer Vernooij; reported by tonghuaroot)</p>
</li>
<li>
<p>SECURITY(CVE-2026-42305): Harden tree path validation against entry
names that are harmless on POSIX but dangerous when checked out on
Windows. A crafted tree could previously carry such names through to
the work tree. <code>validate_path_element_ntfs</code> now also
rejects:</p>
<ul>
<li>Windows path separators, so an entry named
<code>.git\hooks\pre-commit.exe</code> can no longer materialize a file
inside <code>.git</code> that Git for Windows would execute.</li>
<li>The alternate data stream marker <code>:</code> (e.g.
<code>.git::$INDEX_ALLOCATION</code>, which writes into
<code>.git</code> directly).</li>
<li>NTFS 8.3 short-name aliases of <code>.git</code>
(<code>git~<digits></code>); only
<code>git~1</code> was rejected before.</li>
<li>Reserved Windows device names (<code>CON</code>, <code>PRN</code>,
<code>AUX</code>, <code>NUL</code>,
<code>COM1</code>-<code>COM9</code>,
<code>LPT1</code>-<code>LPT9</code>), including with an extension or
trailing dots/spaces such as <code>NUL.txt</code> or <code>COM1
.bar</code>.</li>
</ul>
<p>In addition, <code>core.protectNTFS</code> now defaults to true on
every
platform (matching git after CVE-2019-1353), so a POSIX clone no longer
accepts paths that would be unsafe on a later Windows clone, and both
<code>core.protectNTFS</code> and <code>core.protectHFS</code> are now
read under their
correct option names, having previously been silently ignored. POSIX
users who need literal NTFS-unsafe filenames can opt out with
<code>core.protectNTFS=false</code>.
(Jelmer Vernooij; reported by Christopher Toth)</p>
</li>
<li>
<p>SECURITY (CVE-2026-42563): Shell-quote values substituted into
<code>ProcessMergeDriver</code> commands. <code>%P</code> is a path from
the git
tree, so a malicious branch could inject shell commands when the
user had a merge driver configured that referenced <code>%P</code>.
(Jelmer Vernooij; reported by Ravishanker Kusuma (hayageek))</p>
</li>
<li>
<p>SECURITY(CVE-2026-47712): Sanitize commit subjects used in
<code>porcelain.format_patch</code> filenames so a malicious subject
(e.g.
<code>x/../../x</code>) cannot direct the generated patch outside
<code>outdir</code>.
<code>get_summary</code> now matches git's
<code>format_sanitized_subject</code>.</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jelmer/dulwich/commit/073f4dfa9840af2da59887ed828b026b609faa6c"><code>073f4df</code></a>
Release 1.2.5</li>
<li><a
href="https://github.com/jelmer/dulwich/commit/5f85d3e4b0d47dd7fbf37934f9a4b9b6b98bb467"><code>5f85d3e</code></a>
tests: fix Windows-only failures in NTFS and merge-driver tests</li>
<li><a
href="https://github.com/jelmer/dulwich/commit/25313ad7f9d5036b03617dc3dfc284a586966dab"><code>25313ad</code></a>
Merge branch 'advisory-5'</li>
<li><a
href="https://github.com/jelmer/dulwich/commit/1ca18147a1d03b61c2ae203c46bf0b2a2f5dd421"><code>1ca1814</code></a>
submodule: Reject unsafe submodule paths in submodule_update</li>
<li><a
href="https://github.com/jelmer/dulwich/commit/3559ef15c1e2a8d2a56c98f36b53b29c5d60b9fd"><code>3559ef1</code></a>
Merge branch 'advisory-4'</li>
<li><a
href="https://github.com/jelmer/dulwich/commit/f860ca489d63624ae6d7c7945fbbd19018b8125c"><code>f860ca4</code></a>
server: Honour receive.maxInputSize to bound received packs</li>
<li><a
href="https://github.com/jelmer/dulwich/commit/0fd6e6bb61f8017b1af4b5fdbf7602ddbcf6d17e"><code>0fd6e6b</code></a>
Merge branch 'advisory-3'</li>
<li><a
href="https://github.com/jelmer/dulwich/commit/0110b885a1ab5b2128473263a6ff5b7230732e49"><code>0110b88</code></a>
Merge branch 'advisory-2'</li>
<li><a
href="https://github.com/jelmer/dulwich/commit/49eb56e51aad637fc23d54bf2a08cb42739b8290"><code>49eb56e</code></a>
Add NEWS entry for CVE-2026-42305</li>
<li><a
href="https://github.com/jelmer/dulwich/commit/57efc4aa1581e038915a0fd79365be53b150f4a9"><code>57efc4a</code></a>
Merge branch 'advisory-1'</li>
<li>Additional commits viewable in <a
href="https://github.com/dulwich/dulwich/compare/dulwich-1.1.0...dulwich-1.2.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/google/osv.dev/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>1 parent 5705afe commit 95be4bb
1 file changed
Lines changed: 43 additions & 37 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
287 | 287 | | |
288 | 288 | | |
289 | 289 | | |
290 | | - | |
291 | | - | |
292 | | - | |
293 | | - | |
294 | | - | |
295 | | - | |
296 | | - | |
297 | | - | |
298 | | - | |
299 | | - | |
300 | | - | |
301 | | - | |
302 | | - | |
303 | | - | |
304 | | - | |
305 | | - | |
306 | | - | |
307 | | - | |
308 | | - | |
309 | | - | |
310 | | - | |
311 | | - | |
312 | | - | |
313 | | - | |
314 | | - | |
315 | | - | |
316 | | - | |
317 | | - | |
318 | | - | |
319 | | - | |
320 | | - | |
321 | | - | |
322 | | - | |
323 | | - | |
324 | | - | |
325 | | - | |
326 | | - | |
| 290 | + | |
| 291 | + | |
| 292 | + | |
| 293 | + | |
| 294 | + | |
| 295 | + | |
| 296 | + | |
| 297 | + | |
| 298 | + | |
| 299 | + | |
| 300 | + | |
| 301 | + | |
| 302 | + | |
| 303 | + | |
| 304 | + | |
| 305 | + | |
| 306 | + | |
| 307 | + | |
| 308 | + | |
| 309 | + | |
| 310 | + | |
| 311 | + | |
| 312 | + | |
| 313 | + | |
| 314 | + | |
| 315 | + | |
| 316 | + | |
| 317 | + | |
| 318 | + | |
| 319 | + | |
| 320 | + | |
| 321 | + | |
| 322 | + | |
| 323 | + | |
| 324 | + | |
| 325 | + | |
| 326 | + | |
| 327 | + | |
| 328 | + | |
| 329 | + | |
| 330 | + | |
| 331 | + | |
| 332 | + | |
327 | 333 | | |
328 | 334 | | |
329 | 335 | | |
| |||
0 commit comments