summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-02-24 01:38:25 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-03-03 11:11:40 (GMT)
commitf98b8b767d66e0e4bfa6f3e8ef7e44a4d45270e3 (patch)
treeeaf1e0b535b1f650b15c25daef6fb3274ccedb58
parent3aa8ba185b381088f4c51d7ba48fb109f2fc679b (diff)
downloadpoky-f98b8b767d66e0e4bfa6f3e8ef7e44a4d45270e3.tar.gz
git: Security fixes CVE-2015-7545
CVE-2015-7545 git: arbitrary code execution via crafted URLs (From OE-Core rev: 0c4bdd61acbc1fa1b9bfb167d8eaf90c8bccc25c) Signed-off-by: Armin Kuster <akuster@mvista.com> Already in Jethro, not needed in master due to shipping a version of git which is already fixes (> 2.6.1) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_1.patch445
-rw-r--r--meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch113
-rw-r--r--meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_3.patch110
-rw-r--r--meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch146
-rw-r--r--meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch67
-rw-r--r--meta/recipes-devtools/git/git_2.3.0.bb7
6 files changed, 888 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_1.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_1.patch
new file mode 100644
index 0000000..6bea226
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_1.patch
@@ -0,0 +1,445 @@
1From a5adaced2e13c135d5d9cc65be9eb95aa3bacedf Mon Sep 17 00:00:00 2001
2From: Jeff King <peff@peff.net>
3Date: Wed, 16 Sep 2015 13:12:52 -0400
4Subject: [PATCH] transport: add a protocol-whitelist environment variable
5
6If we are cloning an untrusted remote repository into a
7sandbox, we may also want to fetch remote submodules in
8order to get the complete view as intended by the other
9side. However, that opens us up to attacks where a malicious
10user gets us to clone something they would not otherwise
11have access to (this is not necessarily a problem by itself,
12but we may then act on the cloned contents in a way that
13exposes them to the attacker).
14
15Ideally such a setup would sandbox git entirely away from
16high-value items, but this is not always practical or easy
17to set up (e.g., OS network controls may block multiple
18protocols, and we would want to enable some but not others).
19
20We can help this case by providing a way to restrict
21particular protocols. We use a whitelist in the environment.
22This is more annoying to set up than a blacklist, but
23defaults to safety if the set of protocols git supports
24grows). If no whitelist is specified, we continue to default
25to allowing all protocols (this is an "unsafe" default, but
26since the minority of users will want this sandboxing
27effect, it is the only sensible one).
28
29A note on the tests: ideally these would all be in a single
30test file, but the git-daemon and httpd test infrastructure
31is an all-or-nothing proposition rather than a test-by-test
32prerequisite. By putting them all together, we would be
33unable to test the file-local code on machines without
34apache.
35
36Signed-off-by: Jeff King <peff@peff.net>
37Signed-off-by: Junio C Hamano <gitster@pobox.com>
38
39Upstream-Status: Backport
40/hom://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/
41CVE: CVE-2015-7545 patch #1
42Signed-off-by: Armin Kuster <akuster@mvista.com>
43
44---
45 Documentation/git.txt | 32 ++++++++++++++
46 connect.c | 5 +++
47 t/lib-proto-disable.sh | 96 ++++++++++++++++++++++++++++++++++++++++++
48 t/t5810-proto-disable-local.sh | 14 ++++++
49 t/t5811-proto-disable-git.sh | 20 +++++++++
50 t/t5812-proto-disable-http.sh | 20 +++++++++
51 t/t5813-proto-disable-ssh.sh | 20 +++++++++
52 t/t5814-proto-disable-ext.sh | 18 ++++++++
53 transport-helper.c | 2 +
54 transport.c | 21 ++++++++-
55 transport.h | 7 +++
56 11 files changed, 254 insertions(+), 1 deletion(-)
57 create mode 100644 t/lib-proto-disable.sh
58 create mode 100755 t/t5810-proto-disable-local.sh
59 create mode 100755 t/t5811-proto-disable-git.sh
60 create mode 100755 t/t5812-proto-disable-http.sh
61 create mode 100755 t/t5813-proto-disable-ssh.sh
62 create mode 100755 t/t5814-proto-disable-ext.sh
63
64Index: git-2.3.0/Documentation/git.txt
65===================================================================
66--- git-2.3.0.orig/Documentation/git.txt
67+++ git-2.3.0/Documentation/git.txt
68@@ -1023,6 +1023,38 @@ GIT_ICASE_PATHSPECS::
69 variable when it is invoked as the top level command by the
70 end user, to be recorded in the body of the reflog.
71
72+`GIT_ALLOW_PROTOCOL`::
73+ If set, provide a colon-separated list of protocols which are
74+ allowed to be used with fetch/push/clone. This is useful to
75+ restrict recursive submodule initialization from an untrusted
76+ repository. Any protocol not mentioned will be disallowed (i.e.,
77+ this is a whitelist, not a blacklist). If the variable is not
78+ set at all, all protocols are enabled. The protocol names
79+ currently used by git are:
80+
81+ - `file`: any local file-based path (including `file://` URLs,
82+ or local paths)
83+
84+ - `git`: the anonymous git protocol over a direct TCP
85+ connection (or proxy, if configured)
86+
87+ - `ssh`: git over ssh (including `host:path` syntax,
88+ `git+ssh://`, etc).
89+
90+ - `rsync`: git over rsync
91+
92+ - `http`: git over http, both "smart http" and "dumb http".
93+ Note that this does _not_ include `https`; if you want both,
94+ you should specify both as `http:https`.
95+
96+ - any external helpers are named by their protocol (e.g., use
97+ `hg` to allow the `git-remote-hg` helper)
98++
99+Note that this controls only git's internal protocol selection.
100+If libcurl is used (e.g., by the `http` transport), it may
101+redirect to other protocols. There is not currently any way to
102+restrict this.
103+
104
105 Discussion[[Discussion]]
106 ------------------------
107Index: git-2.3.0/connect.c
108===================================================================
109--- git-2.3.0.orig/connect.c
110+++ git-2.3.0/connect.c
111@@ -9,6 +9,7 @@
112 #include "url.h"
113 #include "string-list.h"
114 #include "sha1-array.h"
115+#include "transport.h"
116
117 static char *server_capabilities;
118 static const char *parse_feature_value(const char *, const char *, int *);
119@@ -674,6 +675,9 @@ struct child_process *git_connect(int fd
120 * cannot connect.
121 */
122 char *target_host = xstrdup(hostandport);
123+
124+ transport_check_allowed("git");
125+
126 if (git_use_proxy(hostandport))
127 conn = git_proxy_connect(fd, hostandport);
128 else
129@@ -704,6 +708,7 @@ struct child_process *git_connect(int fd
130 int putty;
131 char *ssh_host = hostandport;
132 const char *port = NULL;
133+ transport_check_allowed("ssh");
134 get_host_and_port(&ssh_host, &port);
135 port = get_port_numeric(port);
136
137@@ -731,6 +736,7 @@ struct child_process *git_connect(int fd
138 /* remove repo-local variables from the environment */
139 conn->env = local_repo_env;
140 conn->use_shell = 1;
141+ transport_check_allowed("file");
142 }
143 argv_array_push(&conn->args, cmd.buf);
144
145Index: git-2.3.0/t/lib-proto-disable.sh
146===================================================================
147--- /dev/null
148+++ git-2.3.0/t/lib-proto-disable.sh
149@@ -0,0 +1,96 @@
150+# Test routines for checking protocol disabling.
151+
152+# test cloning a particular protocol
153+# $1 - description of the protocol
154+# $2 - machine-readable name of the protocol
155+# $3 - the URL to try cloning
156+test_proto () {
157+ desc=$1
158+ proto=$2
159+ url=$3
160+
161+ test_expect_success "clone $1 (enabled)" '
162+ rm -rf tmp.git &&
163+ (
164+ GIT_ALLOW_PROTOCOL=$proto &&
165+ export GIT_ALLOW_PROTOCOL &&
166+ git clone --bare "$url" tmp.git
167+ )
168+ '
169+
170+ test_expect_success "fetch $1 (enabled)" '
171+ (
172+ cd tmp.git &&
173+ GIT_ALLOW_PROTOCOL=$proto &&
174+ export GIT_ALLOW_PROTOCOL &&
175+ git fetch
176+ )
177+ '
178+
179+ test_expect_success "push $1 (enabled)" '
180+ (
181+ cd tmp.git &&
182+ GIT_ALLOW_PROTOCOL=$proto &&
183+ export GIT_ALLOW_PROTOCOL &&
184+ git push origin HEAD:pushed
185+ )
186+ '
187+
188+ test_expect_success "push $1 (disabled)" '
189+ (
190+ cd tmp.git &&
191+ GIT_ALLOW_PROTOCOL=none &&
192+ export GIT_ALLOW_PROTOCOL &&
193+ test_must_fail git push origin HEAD:pushed
194+ )
195+ '
196+
197+ test_expect_success "fetch $1 (disabled)" '
198+ (
199+ cd tmp.git &&
200+ GIT_ALLOW_PROTOCOL=none &&
201+ export GIT_ALLOW_PROTOCOL &&
202+ test_must_fail git fetch
203+ )
204+ '
205+
206+ test_expect_success "clone $1 (disabled)" '
207+ rm -rf tmp.git &&
208+ (
209+ GIT_ALLOW_PROTOCOL=none &&
210+ export GIT_ALLOW_PROTOCOL &&
211+ test_must_fail git clone --bare "$url" tmp.git
212+ )
213+ '
214+}
215+
216+# set up an ssh wrapper that will access $host/$repo in the
217+# trash directory, and enable it for subsequent tests.
218+setup_ssh_wrapper () {
219+ test_expect_success 'setup ssh wrapper' '
220+ write_script ssh-wrapper <<-\EOF &&
221+ echo >&2 "ssh: $*"
222+ host=$1; shift
223+ cd "$TRASH_DIRECTORY/$host" &&
224+ eval "$*"
225+ EOF
226+ GIT_SSH="$PWD/ssh-wrapper" &&
227+ export GIT_SSH &&
228+ export TRASH_DIRECTORY
229+ '
230+}
231+
232+# set up a wrapper that can be used with remote-ext to
233+# access repositories in the "remote" directory of trash-dir,
234+# like "ext::fake-remote %S repo.git"
235+setup_ext_wrapper () {
236+ test_expect_success 'setup ext wrapper' '
237+ write_script fake-remote <<-\EOF &&
238+ echo >&2 "fake-remote: $*"
239+ cd "$TRASH_DIRECTORY/remote" &&
240+ eval "$*"
241+ EOF
242+ PATH=$TRASH_DIRECTORY:$PATH &&
243+ export TRASH_DIRECTORY
244+ '
245+}
246Index: git-2.3.0/t/t5810-proto-disable-local.sh
247===================================================================
248--- /dev/null
249+++ git-2.3.0/t/t5810-proto-disable-local.sh
250@@ -0,0 +1,14 @@
251+#!/bin/sh
252+
253+test_description='test disabling of local paths in clone/fetch'
254+. ./test-lib.sh
255+. "$TEST_DIRECTORY/lib-proto-disable.sh"
256+
257+test_expect_success 'setup repository to clone' '
258+ test_commit one
259+'
260+
261+test_proto "file://" file "file://$PWD"
262+test_proto "path" file .
263+
264+test_done
265Index: git-2.3.0/t/t5811-proto-disable-git.sh
266===================================================================
267--- /dev/null
268+++ git-2.3.0/t/t5811-proto-disable-git.sh
269@@ -0,0 +1,20 @@
270+#!/bin/sh
271+
272+test_description='test disabling of git-over-tcp in clone/fetch'
273+. ./test-lib.sh
274+. "$TEST_DIRECTORY/lib-proto-disable.sh"
275+. "$TEST_DIRECTORY/lib-git-daemon.sh"
276+start_git_daemon
277+
278+test_expect_success 'create git-accessible repo' '
279+ bare="$GIT_DAEMON_DOCUMENT_ROOT_PATH/repo.git" &&
280+ test_commit one &&
281+ git --bare init "$bare" &&
282+ git push "$bare" HEAD &&
283+ >"$bare/git-daemon-export-ok" &&
284+ git -C "$bare" config daemon.receivepack true
285+'
286+
287+test_proto "git://" git "$GIT_DAEMON_URL/repo.git"
288+
289+test_done
290Index: git-2.3.0/t/t5812-proto-disable-http.sh
291===================================================================
292--- /dev/null
293+++ git-2.3.0/t/t5812-proto-disable-http.sh
294@@ -0,0 +1,20 @@
295+#!/bin/sh
296+
297+test_description='test disabling of git-over-http in clone/fetch'
298+. ./test-lib.sh
299+. "$TEST_DIRECTORY/lib-proto-disable.sh"
300+. "$TEST_DIRECTORY/lib-httpd.sh"
301+start_httpd
302+
303+test_expect_success 'create git-accessible repo' '
304+ bare="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
305+ test_commit one &&
306+ git --bare init "$bare" &&
307+ git push "$bare" HEAD &&
308+ git -C "$bare" config http.receivepack true
309+'
310+
311+test_proto "smart http" http "$HTTPD_URL/smart/repo.git"
312+
313+stop_httpd
314+test_done
315Index: git-2.3.0/t/t5813-proto-disable-ssh.sh
316===================================================================
317--- /dev/null
318+++ git-2.3.0/t/t5813-proto-disable-ssh.sh
319@@ -0,0 +1,20 @@
320+#!/bin/sh
321+
322+test_description='test disabling of git-over-ssh in clone/fetch'
323+. ./test-lib.sh
324+. "$TEST_DIRECTORY/lib-proto-disable.sh"
325+
326+setup_ssh_wrapper
327+
328+test_expect_success 'setup repository to clone' '
329+ test_commit one &&
330+ mkdir remote &&
331+ git init --bare remote/repo.git &&
332+ git push remote/repo.git HEAD
333+'
334+
335+test_proto "host:path" ssh "remote:repo.git"
336+test_proto "ssh://" ssh "ssh://remote/$PWD/remote/repo.git"
337+test_proto "git+ssh://" ssh "git+ssh://remote/$PWD/remote/repo.git"
338+
339+test_done
340Index: git-2.3.0/t/t5814-proto-disable-ext.sh
341===================================================================
342--- /dev/null
343+++ git-2.3.0/t/t5814-proto-disable-ext.sh
344@@ -0,0 +1,18 @@
345+#!/bin/sh
346+
347+test_description='test disabling of remote-helper paths in clone/fetch'
348+. ./test-lib.sh
349+. "$TEST_DIRECTORY/lib-proto-disable.sh"
350+
351+setup_ext_wrapper
352+
353+test_expect_success 'setup repository to clone' '
354+ test_commit one &&
355+ mkdir remote &&
356+ git init --bare remote/repo.git &&
357+ git push remote/repo.git HEAD
358+'
359+
360+test_proto "remote-helper" ext "ext::fake-remote %S repo.git"
361+
362+test_done
363Index: git-2.3.0/transport-helper.c
364===================================================================
365--- git-2.3.0.orig/transport-helper.c
366+++ git-2.3.0/transport-helper.c
367@@ -1036,6 +1036,8 @@ int transport_helper_init(struct transpo
368 struct helper_data *data = xcalloc(1, sizeof(*data));
369 data->name = name;
370
371+ transport_check_allowed(name);
372+
373 if (getenv("GIT_TRANSPORT_HELPER_DEBUG"))
374 debug = 1;
375
376Index: git-2.3.0/transport.c
377===================================================================
378--- git-2.3.0.orig/transport.c
379+++ git-2.3.0/transport.c
380@@ -907,6 +907,20 @@ static int external_specification_len(co
381 return strchr(url, ':') - url;
382 }
383
384+void transport_check_allowed(const char *type)
385+{
386+ struct string_list allowed = STRING_LIST_INIT_DUP;
387+ const char *v = getenv("GIT_ALLOW_PROTOCOL");
388+
389+ if (!v)
390+ return;
391+
392+ string_list_split(&allowed, v, ':', -1);
393+ if (!unsorted_string_list_has_string(&allowed, type))
394+ die("transport '%s' not allowed", type);
395+ string_list_clear(&allowed, 0);
396+}
397+
398 struct transport *transport_get(struct remote *remote, const char *url)
399 {
400 const char *helper;
401@@ -938,12 +952,14 @@ struct transport *transport_get(struct r
402 if (helper) {
403 transport_helper_init(ret, helper);
404 } else if (starts_with(url, "rsync:")) {
405+ transport_check_allowed("rsync");
406 ret->get_refs_list = get_refs_via_rsync;
407 ret->fetch = fetch_objs_via_rsync;
408 ret->push = rsync_transport_push;
409 ret->smart_options = NULL;
410 } else if (url_is_local_not_ssh(url) && is_file(url) && is_bundle(url, 1)) {
411 struct bundle_transport_data *data = xcalloc(1, sizeof(*data));
412+ transport_check_allowed("file");
413 ret->data = data;
414 ret->get_refs_list = get_refs_from_bundle;
415 ret->fetch = fetch_refs_from_bundle;
416@@ -955,7 +971,10 @@ struct transport *transport_get(struct r
417 || starts_with(url, "ssh://")
418 || starts_with(url, "git+ssh://")
419 || starts_with(url, "ssh+git://")) {
420- /* These are builtin smart transports. */
421+ /*
422+ * These are builtin smart transports; "allowed" transports
423+ * will be checked individually in git_connect.
424+ */
425 struct git_transport_data *data = xcalloc(1, sizeof(*data));
426 ret->data = data;
427 ret->set_option = NULL;
428Index: git-2.3.0/transport.h
429===================================================================
430--- git-2.3.0.orig/transport.h
431+++ git-2.3.0/transport.h
432@@ -132,6 +132,13 @@ struct transport {
433 /* Returns a transport suitable for the url */
434 struct transport *transport_get(struct remote *, const char *);
435
436+/*
437+ * Check whether a transport is allowed by the environment,
438+ * and die otherwise. type should generally be the URL scheme,
439+ * as described in Documentation/git.txt
440+ */
441+void transport_check_allowed(const char *type);
442+
443 /* Transport options which apply to git:// and scp-style URLs */
444
445 /* The program to use on the remote side to send a pack */
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch
new file mode 100644
index 0000000..8912b6a
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch
@@ -0,0 +1,113 @@
1From 33cfccbbf35a56e190b79bdec5c85457c952a021 Mon Sep 17 00:00:00 2001
2From: Jeff King <peff@peff.net>
3Date: Wed, 16 Sep 2015 13:13:12 -0400
4Subject: [PATCH] submodule: allow only certain protocols for submodule fetches
5
6Some protocols (like git-remote-ext) can execute arbitrary
7code found in the URL. The URLs that submodules use may come
8from arbitrary sources (e.g., .gitmodules files in a remote
9repository). Let's restrict submodules to fetching from a
10known-good subset of protocols.
11
12Note that we apply this restriction to all submodule
13commands, whether the URL comes from .gitmodules or not.
14This is more restrictive than we need to be; for example, in
15the tests we run:
16
17 git submodule add ext::...
18
19which should be trusted, as the URL comes directly from the
20command line provided by the user. But doing it this way is
21simpler, and makes it much less likely that we would miss a
22case. And since such protocols should be an exception
23(especially because nobody who clones from them will be able
24to update the submodules!), it's not likely to inconvenience
25anyone in practice.
26
27Reported-by: Blake Burkhart <bburky@bburky.com>
28Signed-off-by: Jeff King <peff@peff.net>
29Signed-off-by: Junio C Hamano <gitster@pobox.com>
30
31Upstream-Status: Backport
32https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/
33CVE: CVE-2015-7545 patch #1
34Signed-off-by: Armin Kuster <akuster@mvista.com>
35
36---
37 git-submodule.sh | 9 +++++++++
38 t/t5815-submodule-protos.sh | 43 +++++++++++++++++++++++++++++++++++++++++++
39 2 files changed, 52 insertions(+)
40 create mode 100755 t/t5815-submodule-protos.sh
41
42diff --git a/git-submodule.sh b/git-submodule.sh
43index 36797c3..78c2740 100755
44--- a/git-submodule.sh
45+++ b/git-submodule.sh
46@@ -22,6 +22,15 @@ require_work_tree
47 wt_prefix=$(git rev-parse --show-prefix)
48 cd_to_toplevel
49
50+# Restrict ourselves to a vanilla subset of protocols; the URLs
51+# we get are under control of a remote repository, and we do not
52+# want them kicking off arbitrary git-remote-* programs.
53+#
54+# If the user has already specified a set of allowed protocols,
55+# we assume they know what they're doing and use that instead.
56+: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh}
57+export GIT_ALLOW_PROTOCOL
58+
59 command=
60 branch=
61 force=
62diff --git a/t/t5815-submodule-protos.sh b/t/t5815-submodule-protos.sh
63new file mode 100755
64index 0000000..06f55a1
65--- /dev/null
66+++ b/t/t5815-submodule-protos.sh
67@@ -0,0 +1,43 @@
68+#!/bin/sh
69+
70+test_description='test protocol whitelisting with submodules'
71+. ./test-lib.sh
72+. "$TEST_DIRECTORY"/lib-proto-disable.sh
73+
74+setup_ext_wrapper
75+setup_ssh_wrapper
76+
77+test_expect_success 'setup repository with submodules' '
78+ mkdir remote &&
79+ git init remote/repo.git &&
80+ (cd remote/repo.git && test_commit one) &&
81+ # submodule-add should probably trust what we feed it on the cmdline,
82+ # but its implementation is overly conservative.
83+ GIT_ALLOW_PROTOCOL=ssh git submodule add remote:repo.git ssh-module &&
84+ GIT_ALLOW_PROTOCOL=ext git submodule add "ext::fake-remote %S repo.git" ext-module &&
85+ git commit -m "add submodules"
86+'
87+
88+test_expect_success 'clone with recurse-submodules fails' '
89+ test_must_fail git clone --recurse-submodules . dst
90+'
91+
92+test_expect_success 'setup individual updates' '
93+ rm -rf dst &&
94+ git clone . dst &&
95+ git -C dst submodule init
96+'
97+
98+test_expect_success 'update of ssh allowed' '
99+ git -C dst submodule update ssh-module
100+'
101+
102+test_expect_success 'update of ext not allowed' '
103+ test_must_fail git -C dst submodule update ext-module
104+'
105+
106+test_expect_success 'user can override whitelist' '
107+ GIT_ALLOW_PROTOCOL=ext git -C dst submodule update ext-module
108+'
109+
110+test_done
111--
1122.3.5
113
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_3.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_3.patch
new file mode 100644
index 0000000..623da07
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_3.patch
@@ -0,0 +1,110 @@
1From 5088d3b38775f8ac12d7f77636775b16059b67ef Mon Sep 17 00:00:00 2001
2From: Jeff King <peff@peff.net>
3Date: Tue, 22 Sep 2015 18:03:49 -0400
4Subject: [PATCH] transport: refactor protocol whitelist code
5
6The current callers only want to die when their transport is
7prohibited. But future callers want to query the mechanism
8without dying.
9
10Let's break out a few query functions, and also save the
11results in a static list so we don't have to re-parse for
12each query.
13
14Based-on-a-patch-by: Blake Burkhart <bburky@bburky.com>
15Signed-off-by: Jeff King <peff@peff.net>
16Signed-off-by: Junio C Hamano <gitster@pobox.com>
17
18Upstream-Status: Backport
19https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
20CVE: CVE-2015-7545 patch #1
21Signed-off-by: Armin Kuster <akuster@mvista.com>
22
23---
24 transport.c | 38 ++++++++++++++++++++++++++++++--------
25 transport.h | 15 +++++++++++++--
26 2 files changed, 43 insertions(+), 10 deletions(-)
27
28Index: git-2.3.0/transport.c
29===================================================================
30--- git-2.3.0.orig/transport.c
31+++ git-2.3.0/transport.c
32@@ -907,18 +907,40 @@ static int external_specification_len(co
33 return strchr(url, ':') - url;
34 }
35
36-void transport_check_allowed(const char *type)
37+static const struct string_list *protocol_whitelist(void)
38 {
39- struct string_list allowed = STRING_LIST_INIT_DUP;
40- const char *v = getenv("GIT_ALLOW_PROTOCOL");
41+ static int enabled = -1;
42+ static struct string_list allowed = STRING_LIST_INIT_DUP;
43+
44+ if (enabled < 0) {
45+ const char *v = getenv("GIT_ALLOW_PROTOCOL");
46+ if (v) {
47+ string_list_split(&allowed, v, ':', -1);
48+ string_list_sort(&allowed);
49+ enabled = 1;
50+ } else {
51+ enabled = 0;
52+ }
53+ }
54+
55+ return enabled ? &allowed : NULL;
56+}
57
58- if (!v)
59- return;
60+int is_transport_allowed(const char *type)
61+{
62+ const struct string_list *allowed = protocol_whitelist();
63+ return !allowed || string_list_has_string(allowed, type);
64+}
65
66- string_list_split(&allowed, v, ':', -1);
67- if (!unsorted_string_list_has_string(&allowed, type))
68+void transport_check_allowed(const char *type)
69+{
70+ if (!is_transport_allowed(type))
71 die("transport '%s' not allowed", type);
72- string_list_clear(&allowed, 0);
73+}
74+
75+int transport_restrict_protocols(void)
76+{
77+ return !!protocol_whitelist();
78 }
79
80 struct transport *transport_get(struct remote *remote, const char *url)
81Index: git-2.3.0/transport.h
82===================================================================
83--- git-2.3.0.orig/transport.h
84+++ git-2.3.0/transport.h
85@@ -133,12 +133,23 @@ struct transport {
86 struct transport *transport_get(struct remote *, const char *);
87
88 /*
89+ * Check whether a transport is allowed by the environment. Type should
90+ * generally be the URL scheme, as described in Documentation/git.txt
91+ */
92+int is_transport_allowed(const char *type);
93+
94+/*
95 * Check whether a transport is allowed by the environment,
96- * and die otherwise. type should generally be the URL scheme,
97- * as described in Documentation/git.txt
98+ * and die otherwise.
99 */
100 void transport_check_allowed(const char *type);
101
102+/*
103+ * Returns true if the user has attempted to turn on protocol
104+ * restrictions at all.
105+ */
106+int transport_restrict_protocols(void);
107+
108 /* Transport options which apply to git:// and scp-style URLs */
109
110 /* The program to use on the remote side to send a pack */
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch
new file mode 100644
index 0000000..fafd3c2
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch
@@ -0,0 +1,146 @@
1From f4113cac0c88b4f36ee6f3abf3218034440a68e3 Mon Sep 17 00:00:00 2001
2From: Blake Burkhart <bburky@bburky.com>
3Date: Tue, 22 Sep 2015 18:06:04 -0400
4Subject: [PATCH] http: limit redirection to protocol-whitelist
5
6Previously, libcurl would follow redirection to any protocol
7it was compiled for support with. This is desirable to allow
8redirection from HTTP to HTTPS. However, it would even
9successfully allow redirection from HTTP to SFTP, a protocol
10that git does not otherwise support at all. Furthermore
11git's new protocol-whitelisting could be bypassed by
12following a redirect within the remote helper, as it was
13only enforced at transport selection time.
14
15This patch limits redirects within libcurl to HTTP, HTTPS,
16FTP and FTPS. If there is a protocol-whitelist present, this
17list is limited to those also allowed by the whitelist. As
18redirection happens from within libcurl, it is impossible
19for an HTTP redirect to a protocol implemented within
20another remote helper.
21
22When the curl version git was compiled with is too old to
23support restrictions on protocol redirection, we warn the
24user if GIT_ALLOW_PROTOCOL restrictions were requested. This
25is a little inaccurate, as even without that variable in the
26environment, we would still restrict SFTP, etc, and we do
27not warn in that case. But anything else means we would
28literally warn every time git accesses an http remote.
29
30This commit includes a test, but it is not as robust as we
31would hope. It redirects an http request to ftp, and checks
32that curl complained about the protocol, which means that we
33are relying on curl's specific error message to know what
34happened. Ideally we would redirect to a working ftp server
35and confirm that we can clone without protocol restrictions,
36and not with them. But we do not have a portable way of
37providing an ftp server, nor any other protocol that curl
38supports (https is the closest, but we would have to deal
39with certificates).
40
41[jk: added test and version warning]
42
43Signed-off-by: Jeff King <peff@peff.net>
44Signed-off-by: Junio C Hamano <gitster@pobox.com>
45
46Upstream-Status: Backport
47https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
48CVE: CVE-2015-7545 patch #1
49Signed-off-by: Armin Kuster <akuster@mvista.com>
50
51---
52 Documentation/git.txt | 5 -----
53 http.c | 17 +++++++++++++++++
54 t/lib-httpd/apache.conf | 1 +
55 t/t5812-proto-disable-http.sh | 9 +++++++++
56 4 files changed, 27 insertions(+), 5 deletions(-)
57
58Index: git-2.3.0/Documentation/git.txt
59===================================================================
60--- git-2.3.0.orig/Documentation/git.txt
61+++ git-2.3.0/Documentation/git.txt
62@@ -1049,11 +1049,6 @@ GIT_ICASE_PATHSPECS::
63
64 - any external helpers are named by their protocol (e.g., use
65 `hg` to allow the `git-remote-hg` helper)
66-+
67-Note that this controls only git's internal protocol selection.
68-If libcurl is used (e.g., by the `http` transport), it may
69-redirect to other protocols. There is not currently any way to
70-restrict this.
71
72
73 Discussion[[Discussion]]
74Index: git-2.3.0/http.c
75===================================================================
76--- git-2.3.0.orig/http.c
77+++ git-2.3.0/http.c
78@@ -8,6 +8,7 @@
79 #include "credential.h"
80 #include "version.h"
81 #include "pkt-line.h"
82+#include "transport.h"
83
84 int active_requests;
85 int http_is_verbose;
86@@ -300,6 +301,7 @@ static void set_curl_keepalive(CURL *c)
87 static CURL *get_curl_handle(void)
88 {
89 CURL *result = curl_easy_init();
90+ long allowed_protocols = 0;
91
92 if (!result)
93 die("curl_easy_init failed");
94@@ -352,6 +354,21 @@ static CURL *get_curl_handle(void)
95 #elif LIBCURL_VERSION_NUM >= 0x071101
96 curl_easy_setopt(result, CURLOPT_POST301, 1);
97 #endif
98+#if LIBCURL_VERSION_NUM >= 0x071304
99+ if (is_transport_allowed("http"))
100+ allowed_protocols |= CURLPROTO_HTTP;
101+ if (is_transport_allowed("https"))
102+ allowed_protocols |= CURLPROTO_HTTPS;
103+ if (is_transport_allowed("ftp"))
104+ allowed_protocols |= CURLPROTO_FTP;
105+ if (is_transport_allowed("ftps"))
106+ allowed_protocols |= CURLPROTO_FTPS;
107+ curl_easy_setopt(result, CURLOPT_REDIR_PROTOCOLS, allowed_protocols);
108+#else
109+ if (transport_restrict_protocols())
110+ warning("protocol restrictions not applied to curl redirects because\n"
111+ "your curl version is too old (>= 7.19.4)");
112+#endif
113
114 if (getenv("GIT_CURL_VERBOSE"))
115 curl_easy_setopt(result, CURLOPT_VERBOSE, 1);
116Index: git-2.3.0/t/lib-httpd/apache.conf
117===================================================================
118--- git-2.3.0.orig/t/lib-httpd/apache.conf
119+++ git-2.3.0/t/lib-httpd/apache.conf
120@@ -118,6 +118,7 @@ RewriteRule ^/smart-redir-perm/(.*)$ /sm
121 RewriteRule ^/smart-redir-temp/(.*)$ /smart/$1 [R=302]
122 RewriteRule ^/smart-redir-auth/(.*)$ /auth/smart/$1 [R=301]
123 RewriteRule ^/smart-redir-limited/(.*)/info/refs$ /smart/$1/info/refs [R=301]
124+RewriteRule ^/ftp-redir/(.*)$ ftp://localhost:1000/$1 [R=302]
125
126 <IfDefine SSL>
127 LoadModule ssl_module modules/mod_ssl.so
128Index: git-2.3.0/t/t5812-proto-disable-http.sh
129===================================================================
130--- git-2.3.0.orig/t/t5812-proto-disable-http.sh
131+++ git-2.3.0/t/t5812-proto-disable-http.sh
132@@ -16,5 +16,14 @@ test_expect_success 'create git-accessib
133
134 test_proto "smart http" http "$HTTPD_URL/smart/repo.git"
135
136+test_expect_success 'curl redirects respect whitelist' '
137+ test_must_fail env GIT_ALLOW_PROTOCOL=http:https \
138+ git clone "$HTTPD_URL/ftp-redir/repo.git" 2>stderr &&
139+ {
140+ test_i18ngrep "ftp.*disabled" stderr ||
141+ test_i18ngrep "your curl version is too old"
142+ }
143+'
144+
145 stop_httpd
146 test_done
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch
new file mode 100644
index 0000000..32dfbae
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch
@@ -0,0 +1,67 @@
1From b258116462399b318c86165c61a5c7123043cfd4 Mon Sep 17 00:00:00 2001
2From: Blake Burkhart <bburky@bburky.com>
3Date: Tue, 22 Sep 2015 18:06:20 -0400
4Subject: [PATCH] http: limit redirection depth
5
6By default, libcurl will follow circular http redirects
7forever. Let's put a cap on this so that somebody who can
8trigger an automated fetch of an arbitrary repository (e.g.,
9for CI) cannot convince git to loop infinitely.
10
11The value chosen is 20, which is the same default that
12Firefox uses.
13
14Signed-off-by: Jeff King <peff@peff.net>
15Signed-off-by: Junio C Hamano <gitster@pobox.com>
16
17Upstream-Status: Backport
18https://kernel.googlesource.com/pub/scm/git/git/+/b258116462399b318c86165c61a5c7123043cfd4%5E%21/
19CVE: CVE-2015-7545 patch #1
20Signed-off-by: Armin Kuster <akuster@mvista.com>
21
22---
23 http.c | 1 +
24 t/lib-httpd/apache.conf | 3 +++
25 t/t5812-proto-disable-http.sh | 4 ++++
26 3 files changed, 8 insertions(+)
27
28Index: git-2.3.0/http.c
29===================================================================
30--- git-2.3.0.orig/http.c
31+++ git-2.3.0/http.c
32@@ -349,6 +349,7 @@ static CURL *get_curl_handle(void)
33 }
34
35 curl_easy_setopt(result, CURLOPT_FOLLOWLOCATION, 1);
36+ curl_easy_setopt(result, CURLOPT_MAXREDIRS, 20);
37 #if LIBCURL_VERSION_NUM >= 0x071301
38 curl_easy_setopt(result, CURLOPT_POSTREDIR, CURL_REDIR_POST_ALL);
39 #elif LIBCURL_VERSION_NUM >= 0x071101
40Index: git-2.3.0/t/lib-httpd/apache.conf
41===================================================================
42--- git-2.3.0.orig/t/lib-httpd/apache.conf
43+++ git-2.3.0/t/lib-httpd/apache.conf
44@@ -120,6 +120,9 @@ RewriteRule ^/smart-redir-auth/(.*)$ /au
45 RewriteRule ^/smart-redir-limited/(.*)/info/refs$ /smart/$1/info/refs [R=301]
46 RewriteRule ^/ftp-redir/(.*)$ ftp://localhost:1000/$1 [R=302]
47
48+RewriteRule ^/loop-redir/x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-(.*) /$1 [R=302]
49+RewriteRule ^/loop-redir/(.*)$ /loop-redir/x-$1 [R=302]
50+
51 <IfDefine SSL>
52 LoadModule ssl_module modules/mod_ssl.so
53
54Index: git-2.3.0/t/t5812-proto-disable-http.sh
55===================================================================
56--- git-2.3.0.orig/t/t5812-proto-disable-http.sh
57+++ git-2.3.0/t/t5812-proto-disable-http.sh
58@@ -25,5 +25,9 @@ test_expect_success 'curl redirects resp
59 }
60 '
61
62+test_expect_success 'curl limits redirects' '
63+ test_must_fail git clone "$HTTPD_URL/loop-redir/smart/repo.git"
64+'
65+
66 stop_httpd
67 test_done
diff --git a/meta/recipes-devtools/git/git_2.3.0.bb b/meta/recipes-devtools/git/git_2.3.0.bb
index 1611f64..2575ed3 100644
--- a/meta/recipes-devtools/git/git_2.3.0.bb
+++ b/meta/recipes-devtools/git/git_2.3.0.bb
@@ -1,5 +1,12 @@
1require git.inc 1require git.inc
2 2
3SRC_URI += "\
4 file://CVE-2015-7545_1.patch \
5 file://CVE-2015-7545_2.patch \
6 file://CVE-2015-7545_3.patch \
7 file://CVE-2015-7545_4.patch \
8 file://CVE-2015-7545_5.patch \
9 "
3SRC_URI[tarball.md5sum] = "edf994cf34cd3354dadcdfa6b4292335" 10SRC_URI[tarball.md5sum] = "edf994cf34cd3354dadcdfa6b4292335"
4SRC_URI[tarball.sha256sum] = "ba2fe814e709a5d0f034ebe82083fce7feed0899b3a8c8b3adf1c5a85d1ce9ac" 11SRC_URI[tarball.sha256sum] = "ba2fe814e709a5d0f034ebe82083fce7feed0899b3a8c8b3adf1c5a85d1ce9ac"
5SRC_URI[manpages.md5sum] = "620797eb73b281d0706979ae8038bbd7" 12SRC_URI[manpages.md5sum] = "620797eb73b281d0706979ae8038bbd7"