git's CVE-2022-39253 fix breaks CMake's test suite
Git's recent CVE seems to break CMake's test suite, specifically CTestUpdateGIT. Somewhere in this code:
Output:
207/616 Test #211: CTest.UpdateGIT ...................................***Failed 0.16 sec
Using GIT tools:
git = /usr/local/bin/git
Creating test directory...
Detected default branch name 'master'
Creating repository...
Creating submodule...
Importing content...
CMake Error at /project/CMake-src/Tests/CTestUpdateCommon.cmake:13 (message):
Child failed (128), output is
Cloning into '/project/_skbuild/linux-x86_64-3.9/cmake-build/CMakeProject-build/Tests/CTest UpdateGIT/import/module'...
fatal: transport 'file' not allowed
fatal: clone of '/project/_skbuild/linux-x86_64-3.9/cmake-build/CMakeProject-build/Tests/CTest UpdateGIT/module.git' into submodule path '/project/_skbuild/linux-x86_64-3.9/cmake-build/CMakeProject-build/Tests/CTest UpdateGIT/import/module' failed
Command =
[WORKING_DIRECTORY;/project/_skbuild/linux-x86_64-3.9/cmake-build/CMakeProject-build/Tests/CTest
UpdateGIT/import;COMMAND;/project/_skbuild/linux-x86_64-3.9/cmake-build/CMakeProject-build/Tests/CTest
UpdateGIT/git.sh;submodule;add;../module.git;module]
Call Stack (most recent call first):
CTestUpdateGIT.cmake:104 (run_child)
I believe the fix is to add git config protocol.file.allow always to the commands run when setting up the repo inside CTestUpdateGIT. I think because of the custom setup that setting this globally will not work around the issue, at least I haven't managed that yet.
I believe it should show up on git >= v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.1, which is starting to show up in repos.
Currently breaking the PyPI packaging's builds here: https://github.com/scikit-build/cmake-python-distributions/pull/300 when using the latest manylinux images.
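A scratch reproduction of the failing submodule step, added here as an example (it is not CMake's test code or its fix): it checks an installed git against the patch levels listed above and runs `submodule add` against a local path with the override scoped to that one command. The function names and the temporary repositories are constructed for illustration, and release series after 2.38 are assumed to include the change.

```shell
#!/bin/sh
# Added example: constructed scratch repositories, hypothetical function names.

# True if this git version carries the CVE-2022-39253 change, per the patch
# levels listed in the report (later series are assumed to include it).
git_has_file_restriction() {
    ver=${1#v}; major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}
    if [ "$major" -ne 2 ]; then
        if [ "$major" -gt 2 ]; then return 0; else return 1; fi
    fi
    case $minor in
        30) min=6 ;; 31|33|34|35) min=5 ;; 32|37) min=4 ;;
        36) min=3 ;; 38) min=1 ;;
        *) if [ "$minor" -gt 38 ]; then return 0; else return 1; fi ;;
    esac
    if [ "${patch:-0}" -ge "$min" ]; then return 0; fi
    return 1
}

# On patched versions protocol.file.allow defaults to "user", so the clone that
# "submodule add" starts on the user's behalf is refused ("transport 'file' not
# allowed"). The -c override below applies to this one command only; nothing
# is written to the repository, global or system configuration.
submodule_add_scoped() {
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" &&
        git init -q module.git && git init -q import &&
        git -C module.git -c user.name=test -c user.email=test@example.invalid \
            commit -q --allow-empty -m init &&
        cd import &&
        git -c protocol.file.allow=always submodule add "$tmp/module.git" module
    ) >/dev/null 2>&1 && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if command -v git >/dev/null 2>&1; then
    v=$(git version | awk '{print $3}')
    if git_has_file_restriction "$v"; then state="has"; else state="predates"; fi
    if submodule_add_scoped; then result=ok; else result=failed; fi
    echo "git $v $state the change; scoped submodule add: $result"
fi
```

Scoping the override with `-c` keeps the restrictive default in force for every other git invocation on the machine, which matters on shared build hosts.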