From 15f1b5f36873960d1feede7d3f545f326b0991f6 Mon Sep 17 00:00:00 2001
From: Fabian Homborg
Date: Thu, 26 May 2022 09:28:49 +0200
Subject: [PATCH] Skip building version file if `git describe` fails the new perm check git had a CVE related to arbitrary code being run when you run git status and similar, and instead of doing something about those arbitrary code bits they decided to lock it down entirely. So now git will refuse to do basically anything once it detects the .git directory is owned by someone else. So, what we do is: If `git describe` failed with a status of 128, we keep an already built version file. This is an awful hack, but should help with the normal `cmake; make; sudo make install` cycle. (the only *real* way around this seems to be to not attempt to rebuild the version file at install time entirely, but I have no idea how to do that) Fixes #8973.
---
 build_tools/git_version_gen.sh | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/build_tools/git_version_gen.sh b/build_tools/git_version_gen.sh
index 36f0c88bd..0cbd3c693 100755
--- a/build_tools/git_version_gen.sh
+++ b/build_tools/git_version_gen.sh
@@ -9,14 +9,26 @@ set -e
 # Find the fish directory as two levels up from script directory.
 FISH_BASE_DIR="$( cd "$( dirname "$( dirname "$0" )" )" && pwd )"
 DEF_VER=unknown
+git_permission_failed=0
 # First see if there is a version file (included in release tarballs),
 # then try git-describe, then default.
 if test -f version
 then
 VN=$(cat version) || VN="$DEF_VER"
-elif ! VN=$(git -C "$FISH_BASE_DIR" describe --always --dirty 2>/dev/null); then
- VN="$DEF_VER"
+else
+ if VN=$(git -C "$FISH_BASE_DIR" describe --always --dirty 2>/dev/null); then
+ :
+ else
+ if test $? = 128; then
+ # Current git versions return status 128
+ # when run in a repo owned by another user.
+ # Even for describe and everything.
+ # This occurs for `sudo make install`.
+ git_permission_failed=1
+ fi
+ VN="$DEF_VER"
+ fi
 fi
 # If the first param is --stdout, then output to stdout and exit.
@@ -30,6 +42,15 @@ fi
 test -n "$1" && OUTPUT_DIR=$1/ || OUTPUT_DIR=
 FBVF="${OUTPUT_DIR}FISH-BUILD-VERSION-FILE"
+if test "$VN" = unknown && test -r "$FBVF" && test "$git_permission_failed" = 1
+then
+ # HACK: Git failed, so we keep the current version file.
+ # This helps in case you built fish as a normal user
+ # and then try to `sudo make install` it.
+ date +%s > ${OUTPUT_DIR}fish-build-version-witness.txt
+ exit 0
+fi
+
 if test -r "$FBVF"
 then
 VC=$(grep -v '^#' "$FBVF" | tr -d '"' | sed -e 's/^FISH_BUILD_VERSION=//')
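Review bot: The `test $? = 128` branch treats every fatal git error as the ownership refusal, because 128 is git's generic fatal exit status (a tree with no repository at all returns it too) and stderr is discarded by `2>/dev/null`. `git_permission_failed` therefore really means "git failed fatally", and the second hunk will keep an existing version file in those cases as well. I would make the comment say so, for example `# 128 is git's generic fatal status; the ownership refusal is one cause, a missing repository is another.` Leaving git's ownership check in force rather than relaxing it for the root run is the safer choice; a one-line comment stating that this is deliberate would discourage a later change from adding a `safe.directory` override to the install path.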
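Review bot: The redirect target in `date +%s > ${OUTPUT_DIR}fish-build-version-witness.txt` is unquoted, while the `FBVF` assignment just above quotes the same `$OUTPUT_DIR`. An output directory containing spaces or glob characters can fail or be misparsed in some shells, and this is the branch that runs as root under `sudo make install`, so quote it: `date +%s > "${OUTPUT_DIR}fish-build-version-witness.txt"`. The condition also compares against the literal `unknown` instead of `"$DEF_VER"`, so it silently stops matching if the default is ever renamed; `test "$VN" = "$DEF_VER"` keeps the two in step. The `if test -r "$FBVF"` block that follows continues past the end of the hunk.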