Patch | Description | Author | Forwarded | Bugs | Origin | Last update
---|---|---|---|---|---|---
0001-set-defaultEditor-as-per-debian-policy.patch | Change default editor from nano to /usr/bin/editor. GitHub CLI gh sets nano as the default editor. However, as per Debian Policy §11.4, the default editor should be /usr/bin/editor, not nano. Thanks to Jakub Wilk for the bug report. | Anthony Fok <foka@debian.org> | not-needed | debian | vendor | 2022-05-31
0002-Skip-failed-TestHTTPClientSanitizeJSONControlCharact.patch | Skip failed TestHTTPClientSanitizeJSONControlCharactersC0 on go1.22. Go 1.22 changes json encoding behavior. https://github.com/golang/go/issues/64346 | Shengjing Zhu <zhsj@debian.org> | no | | | 2024-02-29
0003-Update-test-to-be-compatible-with-Glamour-v0.8.patch | Update test to be compatible with Glamour v0.8.0. Latest Glamour has slightly changed logic in line length / wrapping, resulting in test failures due to string mismatch. Update tests and bump dependency to v0.8.0, and others to the bare minimal level as generated by `go mod tidy`. This was detected when building the GitHub CLI package `gh` in Debian started to fail with src:golang-github-charmbracelet-glamour 0.8.0-1. The patch in Debian omits changes to go.mod and go.sum as they are not really used in Debian for dependency management. | Otto Kekäläinen <otto@kekalainen.net> | yes | debian | | 2024-12-28
0004-fix-CVE-2024-52308.patch | Adding username validation to the invoker ssh server. This is a fix for the gh codespace ssh and similar commands which retrieve the remote username from the running dev container on GitHub. If connecting to a malicious container image, it could trigger a remote code execution on the local system running gh by providing a username that includes additional command-line arguments to ssh. This patch adds validation to ensure that only a reasonable username is accepted from the container. | Sarah Barili <sarahbarili@microsoft.com> | yes | debian upstream | https://github.com/cli/cli/compare/e356c69..a02f845 | 2024-12-29
0005-fix-CVE-2024-54132.patch | Validate artifact name is a valid filename. The command gh run download was not validating that an artifact name might be a reserved path name of . or .. which could lead to writing files outside the expected working directory. This patch applies a patch from upstream that validates the path before downloading artifacts. | Andy Feller <andyfeller@github.com>, Tyler McGoffin <jtmcg@github.com> | yes | debian upstream | https://github.com/cli/cli/compare/9decf1b5..cdfc12ca | 2025-01-01
0006-fix-CVE-2024-53858.patch | Support secure credential pattern with submodules. When cloning a repository recursively that utilized submodules, authentication tokens intended for the parent repository could be leaked to the server hosting the child submodule. This patch adds checks to ensure that only the matching server URL gets the appropriate tokens. | Andy Feller <andyfeller@github.com>, William Martin <williammartin@github.com>, Tyler McGoffin <jtmcg@github.com> | yes | debian upstream | https://github.com/cli/cli/compare/ae87caf8..c94def8b | 2025-01-12
0007-fix-flaky-run-download-test.patch | Fix flaky gh run download test. Use consistent slice ordering in run download tests. The previous implementation was relying on the iteration order of a map when responding with a list of test artifacts from the fakePlatform, which resulted in flakiness. This PR makes use of a slice instead. | William Martin <williammartin@github.com> | yes | | upstream | https://github.com/cli/cli/compare/1136764c..a47b4c9f | 2025-01-12