From fe8662946f0704d7d4f62bd3448e9242ba33b484 Mon Sep 17 00:00:00 2001 From: LIU Hao Date: Thu, 9 Jun 2022 19:40:17 +0800 Subject: [PATCH] build: ignore errors from `git describe` Due to CVE-2022-24765, Git refuses to operate on local repositories if it runs as a different user from its owner, since version 2.35.2: lh_mouse@lhmouse-xps ~/GitHub/nano-win $ sudo git describe --tags fatal: unsafe repository ('/home/lh_mouse/GitHub/nano-win' is owned by someone else) To add an exception for this directory, call: git config --global --add safe.directory /home/lh_mouse/GitHub/nano-win Conventionally, a user, who wishes to build and install nano from Git, does this: $ ./configure $ make $ sudo make install The second `make` command builds the program as the current user. The third `make install` command installs built files. However, we have a recipe for 'revision.h' that is always executed, even in the case of `make install`. As here it is run as root, Git actually fails and produces an empty string. This causes `make install` to rebuild nano and result in an empty version string in the upper left corner. The solution is simple: First we attempt a dryrun of `git describe`. If it fails, 'revision.h', which should have been updated by the second `make` command, will be left intact. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-24765 Signed-off-by: LIU Hao --- src/Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/Makefile.am b/src/Makefile.am index a52a6a5f4..4d8f23e4e 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -16,7 +16,8 @@ winio.o: revision.h # only when the revision actually changed. revision.h: FORCE @[ -f $@ ] || touch $@ - @echo "#define $(SOMETHING)" | cmp -s $@ - || \ + @! git describe 2>/dev/null || \ + echo "#define $(SOMETHING)" | cmp -s $@ - || \ echo "#define $(SOMETHING)" > $@ FORCE: -- 2.25.1
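Review bot: the probe on the added line `@! git describe 2>/dev/null || \` discards only stderr, so whenever Git succeeds its description is printed into the build output on every `make`; redirect both streams (`>/dev/null 2>&1`). The probe also runs plain `git describe`, while the commit message demonstrates the failure with `git describe --tags`. If the command behind `$(SOMETHING)` passes `--tags` or other options, the probe should pass the same ones, because plain `git describe` considers only annotated tags and would fail in a repository that has only lightweight tags, leaving revision.h never refreshed. A one-line comment above the recipe saying why the dry run exists (Git refusing to operate when `make install` runs as a different user than the repository owner) would keep the intent clear for later readers.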