This issue has been addressed in the current versions of the git
package, present in Fedora -testing repository (git-1.7.2-1.fc1{2,3,4}).

Created cgit tracking bugs for this issue

Affects: fedora-all [bug 637953]

This affects the current version of cgit as found in Fedora.  Upstream has released a new version of cgit (0.8.3.4) that includes git 1.7.3 to correct this issue:

http://hjemli.net/git/cgit/commit/?h=v0.8.3.4&id=82a883ede7e47616aba041a5eb36e08666ef9177

(I'm not sure if it's possible to make cgit use the system git, but it should probably be explored).

(In reply to comment #4)
> This affects the current version of cgit as found in Fedora.  Upstream has
> released a new version of cgit (0.8.3.4) that includes git 1.7.3 to correct
> this issue:
> 
> http://hjemli.net/git/cgit/commit/?h=v0.8.3.4&id=82a883ede7e47616aba041a5eb36e08666ef9177

I saw the cgit announcement earlier.  I will update cgit tonight or tomorrow morning.

> (I'm not sure if it's possible to make cgit use the system git, but it should
> probably be explored).

This was discussed prior to introducing cgit in Fedora and it's not something we can do.  Git doesn't provide any library interface.  Cgit would have to be incorporated into git or git would have to grow a stable library interface.  Neither of which seem imminent, unfortunately.  Eventually, libgit2 may reach a point where it can be used, but that also isn't near-term.

I applied the 2 line patch to git rather that bump cgit from 0.8.2.1 to 0.8.3.4 to fix this issue in F-1{2..4} and EL-{5,6}.  That way I can update to 0.8.3.4 and let it receive some time in updates-testing without keeping users vulnerable.

Thanks for that, Todd.  And for the explanation as well.  Makes sense, but we'll have to keep this in mind for future git issues that come up as well.

Yes, indeed.  It's certainly a less than ideal situation, for exactly this sort of issue.

And thank you for helping keep us more secure.