git: Security fixes CVE-2015-7545

CVE-2015-7545 git: arbitrary code execution via crafted URLs (From OE-Core rev: 0c4bdd61acbc1fa1b9bfb167d8eaf90c8bccc25c) Signed-off-by: Armin Kuster <akuster@mvista.com> Already in Jethro, not needed in master due to shipping a version of git which is already fixes (> 2.6.1) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-02-23 17:38:25 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-03-03 11:11:40 +0000
commit: f98b8b767d66e0e4bfa6f3e8ef7e44a4d45270e3 (patch)
tree: eaf1e0b535b1f650b15c25daef6fb3274ccedb58 /meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch
parent: 3aa8ba185b381088f4c51d7ba48fb109f2fc679b (diff)
download: poky-f98b8b767d66e0e4bfa6f3e8ef7e44a4d45270e3.tar.gz
1 files changed, 146 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch
new file mode 100644
index 0000000000..fafd3c2033
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch
@@ -0,0 +1,146 @@
+From f4113cac0c88b4f36ee6f3abf3218034440a68e3 Mon Sep 17 00:00:00 2001
+From: Blake Burkhart <bburky@bburky.com>
+Date: Tue, 22 Sep 2015 18:06:04 -0400
+Subject: [PATCH] http: limit redirection to protocol-whitelist
+Previously, libcurl would follow redirection to any protocol
+it was compiled for support with. This is desirable to allow
+redirection from HTTP to HTTPS. However, it would even
+successfully allow redirection from HTTP to SFTP, a protocol
+that git does not otherwise support at all. Furthermore
+git's new protocol-whitelisting could be bypassed by
+following a redirect within the remote helper, as it was
+only enforced at transport selection time.
+This patch limits redirects within libcurl to HTTP, HTTPS,
+FTP and FTPS. If there is a protocol-whitelist present, this
+list is limited to those also allowed by the whitelist. As
+redirection happens from within libcurl, it is impossible
+for an HTTP redirect to a protocol implemented within
+another remote helper.
+When the curl version git was compiled with is too old to
+support restrictions on protocol redirection, we warn the
+user if GIT_ALLOW_PROTOCOL restrictions were requested. This
+is a little inaccurate, as even without that variable in the
+environment, we would still restrict SFTP, etc, and we do
+not warn in that case. But anything else means we would
+literally warn every time git accesses an http remote.
+This commit includes a test, but it is not as robust as we
+would hope. It redirects an http request to ftp, and checks
+that curl complained about the protocol, which means that we
+are relying on curl's specific error message to know what
+happened. Ideally we would redirect to a working ftp server
+and confirm that we can clone without protocol restrictions,
+and not with them. But we do not have a portable way of
+providing an ftp server, nor any other protocol that curl
+supports (https is the closest, but we would have to deal
+with certificates).
+[jk: added test and version warning]
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+Upstream-Status: Backport
+https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
+CVE: CVE-2015-7545 patch #1 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ Documentation/git.txt         |  5 -----
+ http.c                        | 17 +++++++++++++++++
+ t/lib-httpd/apache.conf       |  1 +
+ t/t5812-proto-disable-http.sh |  9 +++++++++
+ 4 files changed, 27 insertions(+), 5 deletions(-)
+Index: git-2.3.0/Documentation/git.txt
+===================================================================
+--- git-2.3.0.orig/Documentation/git.txt
+++ git-2.3.0/Documentation/git.txt
+@@ -1049,11 +1049,6 @@ GIT_ICASE_PATHSPECS::
+ 
+          - any external helpers are named by their protocol (e.g., use
+            `hg` to allow the `git-remote-hg` helper)
+-+
+-Note that this controls only git's internal protocol selection.
+-If libcurl is used (e.g., by the `http` transport), it may
+-redirect to other protocols. There is not currently any way to
+-restrict this.
+ 
+ 
+ Discussion[[Discussion]]
+Index: git-2.3.0/http.c
+===================================================================
+--- git-2.3.0.orig/http.c
+++ git-2.3.0/http.c
+@@ -8,6 +8,7 @@
+ #include "credential.h"
+ #include "version.h"
+ #include "pkt-line.h"
+#include "transport.h"
+ 
+ int active_requests;
+ int http_is_verbose;
+@@ -300,6 +301,7 @@ static void set_curl_keepalive(CURL *c)
+ static CURL *get_curl_handle(void)
+ {
+        CURL *result = curl_easy_init();
+       long allowed_protocols = 0;
+ 
+        if (!result)
+                die("curl_easy_init failed");
+@@ -352,6 +354,21 @@ static CURL *get_curl_handle(void)
+ #elif LIBCURL_VERSION_NUM >= 0x071101
+        curl_easy_setopt(result, CURLOPT_POST301, 1);
+ #endif
+#if LIBCURL_VERSION_NUM >= 0x071304
+       if (is_transport_allowed("http"))
+               allowed_protocols |= CURLPROTO_HTTP;
+       if (is_transport_allowed("https"))
+               allowed_protocols |= CURLPROTO_HTTPS;
+       if (is_transport_allowed("ftp"))
+               allowed_protocols |= CURLPROTO_FTP;
+       if (is_transport_allowed("ftps"))
+               allowed_protocols |= CURLPROTO_FTPS;
+       curl_easy_setopt(result, CURLOPT_REDIR_PROTOCOLS, allowed_protocols);
+#else
+       if (transport_restrict_protocols())
+               warning("protocol restrictions not applied to curl redirects because\n"
+                       "your curl version is too old (>= 7.19.4)");
+#endif
+ 
+        if (getenv("GIT_CURL_VERBOSE"))
+                curl_easy_setopt(result, CURLOPT_VERBOSE, 1);
+Index: git-2.3.0/t/lib-httpd/apache.conf
+===================================================================
+--- git-2.3.0.orig/t/lib-httpd/apache.conf
+++ git-2.3.0/t/lib-httpd/apache.conf
+@@ -118,6 +118,7 @@ RewriteRule ^/smart-redir-perm/(.*)$ /sm
+ RewriteRule ^/smart-redir-temp/(.*)$ /smart/$1 [R=302]
+ RewriteRule ^/smart-redir-auth/(.*)$ /auth/smart/$1 [R=301]
+ RewriteRule ^/smart-redir-limited/(.*)/info/refs$ /smart/$1/info/refs [R=301]
+RewriteRule ^/ftp-redir/(.*)$ ftp://localhost:1000/$1 [R=302]
+ 
+ <IfDefine SSL>
+ LoadModule ssl_module modules/mod_ssl.so
+Index: git-2.3.0/t/t5812-proto-disable-http.sh
+===================================================================
+--- git-2.3.0.orig/t/t5812-proto-disable-http.sh
+++ git-2.3.0/t/t5812-proto-disable-http.sh
+@@ -16,5 +16,14 @@ test_expect_success 'create git-accessib
+ 
+ test_proto "smart http" http "$HTTPD_URL/smart/repo.git"
+ 
+test_expect_success 'curl redirects respect whitelist' '
+       test_must_fail env GIT_ALLOW_PROTOCOL=http:https \
+               git clone "$HTTPD_URL/ftp-redir/repo.git" 2>stderr &&
+       {
+               test_i18ngrep "ftp.*disabled" stderr ||
+               test_i18ngrep "your curl version is too old"
+       }
+'
+
+ stop_httpd
+ test_done
author	Armin Kuster <akuster@mvista.com>	2016-02-23 17:38:25 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-03-03 11:11:40 +0000
commit	f98b8b767d66e0e4bfa6f3e8ef7e44a4d45270e3 (patch)
tree	eaf1e0b535b1f650b15c25daef6fb3274ccedb58 /meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch
parent	3aa8ba185b381088f4c51d7ba48fb109f2fc679b (diff)
download	poky-f98b8b767d66e0e4bfa6f3e8ef7e44a4d45270e3.tar.gz

diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch new file mode 100644 index 0000000000..fafd3c2033 --- /dev/null +++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch
@@ -0,0 +1,146 @@
	1	From f4113cac0c88b4f36ee6f3abf3218034440a68e3 Mon Sep 17 00:00:00 2001
	2	From: Blake Burkhart <bburky@bburky.com>
	3	Date: Tue, 22 Sep 2015 18:06:04 -0400
	4	Subject: [PATCH] http: limit redirection to protocol-whitelist
	5
	6	Previously, libcurl would follow redirection to any protocol
	7	it was compiled for support with. This is desirable to allow
	8	redirection from HTTP to HTTPS. However, it would even
	9	successfully allow redirection from HTTP to SFTP, a protocol
	10	that git does not otherwise support at all. Furthermore
	11	git's new protocol-whitelisting could be bypassed by
	12	following a redirect within the remote helper, as it was
	13	only enforced at transport selection time.
	14
	15	This patch limits redirects within libcurl to HTTP, HTTPS,
	16	FTP and FTPS. If there is a protocol-whitelist present, this
	17	list is limited to those also allowed by the whitelist. As
	18	redirection happens from within libcurl, it is impossible
	19	for an HTTP redirect to a protocol implemented within
	20	another remote helper.
	21
	22	When the curl version git was compiled with is too old to
	23	support restrictions on protocol redirection, we warn the
	24	user if GIT_ALLOW_PROTOCOL restrictions were requested. This
	25	is a little inaccurate, as even without that variable in the
	26	environment, we would still restrict SFTP, etc, and we do
	27	not warn in that case. But anything else means we would
	28	literally warn every time git accesses an http remote.
	29
	30	This commit includes a test, but it is not as robust as we
	31	would hope. It redirects an http request to ftp, and checks
	32	that curl complained about the protocol, which means that we
	33	are relying on curl's specific error message to know what
	34	happened. Ideally we would redirect to a working ftp server
	35	and confirm that we can clone without protocol restrictions,
	36	and not with them. But we do not have a portable way of
	37	providing an ftp server, nor any other protocol that curl
	38	supports (https is the closest, but we would have to deal
	39	with certificates).
	40
	41	[jk: added test and version warning]
	42
	43	Signed-off-by: Jeff King <peff@peff.net>
	44	Signed-off-by: Junio C Hamano <gitster@pobox.com>
	45
	46	Upstream-Status: Backport
	47	https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
	48	CVE: CVE-2015-7545 patch #1
	49	Signed-off-by: Armin Kuster <akuster@mvista.com>
	50
	51	---
	52	Documentation/git.txt \| 5 -----
	53	http.c \| 17 +++++++++++++++++
	54	t/lib-httpd/apache.conf \| 1 +
	55	t/t5812-proto-disable-http.sh \| 9 +++++++++
	56	4 files changed, 27 insertions(+), 5 deletions(-)
	57
	58	Index: git-2.3.0/Documentation/git.txt
	59	===================================================================
	60	--- git-2.3.0.orig/Documentation/git.txt
	61	+++ git-2.3.0/Documentation/git.txt
	62	@@ -1049,11 +1049,6 @@ GIT_ICASE_PATHSPECS::
	63
	64	- any external helpers are named by their protocol (e.g., use
	65	`hg` to allow the `git-remote-hg` helper)
	66	-+
	67	-Note that this controls only git's internal protocol selection.
	68	-If libcurl is used (e.g., by the `http` transport), it may
	69	-redirect to other protocols. There is not currently any way to
	70	-restrict this.
	71
	72
	73	Discussion[[Discussion]]
	74	Index: git-2.3.0/http.c
	75	===================================================================
	76	--- git-2.3.0.orig/http.c
	77	+++ git-2.3.0/http.c
	78	@@ -8,6 +8,7 @@
	79	#include "credential.h"
	80	#include "version.h"
	81	#include "pkt-line.h"
	82	+#include "transport.h"
	83
	84	int active_requests;
	85	int http_is_verbose;
	86	@@ -300,6 +301,7 @@ static void set_curl_keepalive(CURL *c)
	87	static CURL *get_curl_handle(void)
	88	{
	89	CURL *result = curl_easy_init();
	90	+ long allowed_protocols = 0;
	91
	92	if (!result)
	93	die("curl_easy_init failed");
	94	@@ -352,6 +354,21 @@ static CURL *get_curl_handle(void)
	95	#elif LIBCURL_VERSION_NUM >= 0x071101
	96	curl_easy_setopt(result, CURLOPT_POST301, 1);
	97	#endif
	98	+#if LIBCURL_VERSION_NUM >= 0x071304
	99	+ if (is_transport_allowed("http"))
	100	+ allowed_protocols \|= CURLPROTO_HTTP;
	101	+ if (is_transport_allowed("https"))
	102	+ allowed_protocols \|= CURLPROTO_HTTPS;
	103	+ if (is_transport_allowed("ftp"))
	104	+ allowed_protocols \|= CURLPROTO_FTP;
	105	+ if (is_transport_allowed("ftps"))
	106	+ allowed_protocols \|= CURLPROTO_FTPS;
	107	+ curl_easy_setopt(result, CURLOPT_REDIR_PROTOCOLS, allowed_protocols);
	108	+#else
	109	+ if (transport_restrict_protocols())
	110	+ warning("protocol restrictions not applied to curl redirects because\n"
	111	+ "your curl version is too old (>= 7.19.4)");
	112	+#endif
	113
	114	if (getenv("GIT_CURL_VERBOSE"))
	115	curl_easy_setopt(result, CURLOPT_VERBOSE, 1);
	116	Index: git-2.3.0/t/lib-httpd/apache.conf
	117	===================================================================
	118	--- git-2.3.0.orig/t/lib-httpd/apache.conf
	119	+++ git-2.3.0/t/lib-httpd/apache.conf
	120	@@ -118,6 +118,7 @@ RewriteRule ^/smart-redir-perm/(.*)$ /sm
	121	RewriteRule ^/smart-redir-temp/(.*)$ /smart/$1 [R=302]
	122	RewriteRule ^/smart-redir-auth/(.*)$ /auth/smart/$1 [R=301]
	123	RewriteRule ^/smart-redir-limited/(.*)/info/refs$ /smart/$1/info/refs [R=301]
	124	+RewriteRule ^/ftp-redir/(.*)$ ftp://localhost:1000/$1 [R=302]
	125
	126	<IfDefine SSL>
	127	LoadModule ssl_module modules/mod_ssl.so
	128	Index: git-2.3.0/t/t5812-proto-disable-http.sh
	129	===================================================================
	130	--- git-2.3.0.orig/t/t5812-proto-disable-http.sh
	131	+++ git-2.3.0/t/t5812-proto-disable-http.sh
	132	@@ -16,5 +16,14 @@ test_expect_success 'create git-accessib
	133
	134	test_proto "smart http" http "$HTTPD_URL/smart/repo.git"
	135
	136	+test_expect_success 'curl redirects respect whitelist' '
	137	+ test_must_fail env GIT_ALLOW_PROTOCOL=http:https \
	138	+ git clone "$HTTPD_URL/ftp-redir/repo.git" 2>stderr &&
	139	+ {
	140	+ test_i18ngrep "ftp.*disabled" stderr \|\|
	141	+ test_i18ngrep "your curl version is too old"
	142	+ }
	143	+'
	144	+
	145	stop_httpd
	146	test_done