From 5e0d5ea0aac9e145fd835b59d826012b2d328db3 Mon Sep 17 00:00:00 2001
From: fly_fzc <2385803914@qq.com>
Date: Mon, 22 Sep 2025 15:14:01 +0800
Subject: [PATCH] config.mak.uname: set CSPRNG_METHOD to getrandom on Linux

(cherry picked from commit 49df65e7fc59ba8b8d8f7ae0bf03c350e05e9eaf)
---
 ...-set-CSPRNG_METHOD-to-getrandom-on-L.patch | 64 +++++++++++++++++++
 git.spec | 10 ++-
 2 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 backport-config.mak.uname-set-CSPRNG_METHOD-to-getrandom-on-L.patch

diff --git a/backport-config.mak.uname-set-CSPRNG_METHOD-to-getrandom-on-L.patch b/backport-config.mak.uname-set-CSPRNG_METHOD-to-getrandom-on-L.patch
new file mode 100644
index 0000000..61bb8c9
--- /dev/null
+++ b/backport-config.mak.uname-set-CSPRNG_METHOD-to-getrandom-on-L.patch
@@ -0,0 +1,64 @@
+From cdda67de0316ec29dfc1e290bb7f2154b7b95ee8 Mon Sep 17 00:00:00 2001
+From: Ramsay Jones
+Date: Thu, 17 Apr 2025 00:18:34 +0100
+Subject: [PATCH] config.mak.uname: set CSPRNG_METHOD to getrandom on Linux
+
+Commit 05cd988dce ("wrapper: add a helper to generate numbers from a
+CSPRNG", 2022-01-17) added a csprng_bytes() function which used one
+of several interfaces to provide a source of cryptographically secure
+pseudorandom numbers. The CSPRNG_METHOD make variable was provided to
+determine the choice of available 'backends' for the source of random
+bytes.
+
+Commit 05cd988dce did not set CSPRNG_METHOD in the Linux section of
+the config.mak.uname file, so it defaults to using '/dev/urandom' as
+the source of random bytes. The 'backend' values which could be used
+on Linux are 'arc4random', 'getrandom' or 'getentropy' ('openssl' is
+an option, but seems to be discouraged).
+
+The arc4random routines (arc4random_buf() is the one actually used) were
+added to glibc in version 2.36, while both getrandom() and getentropy()
+were included in 2.25. So, some of the more up-to-date distributions of
+Linux (eg Debian 12, Ubuntu 24.04) would be able to use the 'arc4random'
+setting. All currently supported distributions have glibc 2.25 or later
+(RHEL 8 has v2.28) and, therefore, have support for the 'getrandom' and
+'getentropy' settings.
+
+The arc4random routines on the *BSDs (along with cygwin) implement the
+ChaCha20 stream cipher algorithm (see RFC8439) in userspace, rather than
+as a system call, and are thus somewhat faster (having avoided a context
+switch to the kernel). In contrast, on Linux all three functions are
+simple wrappers around the same kernel CSPRNG syscall.
+
+If the meson build system is used on a newer platform, then they will be
+configured to use 'arc4random', whereas the make build will currently
+default to using '/dev/urandom' on Linux. Since there is no advantage,
+in terms of performance, to the 'arc4random' setting, the 'getrandom'
+setting should be preferred from an availability perspective. (Also, the
+current uses of csprng_bytes() are not in any hot path).
+
+In order to set an appropriate default, set the CSPRNG_METHOD build
+variable to 'getrandom' in the Linux section of the 'config.mak.uname'
+file.
+
+Signed-off-by: Ramsay Jones
+Signed-off-by: Junio C Hamano
+---
+ config.mak.uname | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/config.mak.uname b/config.mak.uname
+index 330741eb5a..db22a8fb31 100644
+--- a/config.mak.uname
++++ b/config.mak.uname
+@@ -50,6 +50,7 @@ ifeq ($(uname_S),OSF1)
+ ifeq ($(uname_S),Linux)
+ HAVE_ALLOCA_H = YesPlease
+ NO_STRLCPY = YesPlease
++ CSPRNG_METHOD = getrandom
+ HAVE_PATHS_H = YesPlease
+ LIBC_CONTAINS_LIBINTL = YesPlease
+ HAVE_DEV_TTY = YesPlease
+-- 
+2.33.0
+
diff --git a/git.spec b/git.spec
index e6e5458..1046242 100644
--- a/git.spec
+++ b/git.spec
@@ -1,7 +1,7 @@
 %global gitexecdir %{_libexecdir}/git-core
 Name: git
 Version: 2.43.0
-Release: 9
+Release: 10
 Summary: A popular and widely used Version Control System
 License: GPLv2+ or LGPLv2.1
 URL: https://git-scm.com/
@@ -28,6 +28,7 @@ Patch12: backport-CVE-2025-48384-config-quote-values-containing-CR-character.
 Patch13: backport-CVE-2025-48385-bundle-uri-fix-arbitrary-file-writes-via-parameter-i.patch
 Patch14: backport-CVE-2025-48386-wincred-avoid-buffer-overflow-in-wcsncat.patch
 Patch15: backport-CVE-2025-27613-CVE-2025-27614-CVE-2025-46334-CVE-2025-46835.patch
+Patch16: backport-config.mak.uname-set-CSPRNG_METHOD-to-getrandom-on-L.patch
 
 BuildRequires: gcc gettext
 BuildRequires: openssl-devel libcurl-devel expat-devel systemd asciidoc xmlto glib2-devel libsecret-devel pcre2-devel desktop-file-utils
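Review bot: Selecting `CSPRNG_METHOD = getrandom` for every Linux build turns the libc `getrandom()` symbol into a hard build requirement; the upstream message argues glibc 2.25+ covers every distribution it supports, but that is upstream's support matrix, and this spec (Version 2.43.0) declares no glibc floor, so the build root's glibc should be confirmed rather than assumed. The nested hunk's context (`HAVE_ALLOCA_H`, `NO_STRLCPY`, `HAVE_PATHS_H` and `index 330741eb5a..db22a8fb31`) is taken from a 2025 upstream tree; the message dates the CSPRNG_METHOD knob to a January 2022 commit, so it should exist in 2.43.0, but the Linux block must still match for the backport to apply cleanly. From a hardening standpoint the switch is sound — getrandom() needs no openable `/dev/urandom` (relevant in minimal chroots and containers) and blocks until the kernel pool is initialised instead of returning early-boot bytes — and that user-visible effect is worth stating in the changelog entry rather than only "backport upstream patch".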
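Review bot: `Patch16:` is declared, but whether it is applied is decided in %prep, which lies outside this hunk; if the spec applies patches with explicit `%patchN` lines rather than `%autosetup`, a matching `%patch16 -p1` is needed, otherwise the new backport is a silent no-op while the Release bump advertises a change that was never built. If %prep already uses `%autosetup -p1`, nothing further is required; the declaration itself is consistent with the existing Patch12–Patch15 numbering and file naming.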
@@ -312,6 +313,13 @@ make %{?_smp_mflags} test
 %{_mandir}/man7/git*.7.*
 
 %changelog
+* Mon Sep 22 2025 fuanan - 2.43.0-10
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:backport upstream patch
+ config.mak.uname: set CSPRNG_METHOD to getrandom on Linux
+
 * Wed Jul 9 2025 fuanan - 2.43.0-9
 - Type:CVE
 - ID:CVE-2025-27613 CVE-2025-27614 CVE-2025-46334 CVE-2025-46835
-- 
Gitee