git: Security fix CVE-2015-7545

CVE-2015-7545 git: arbitrary code execution via crafted URLs (From OE-Core rev: 1e0780427bad448c5b3644134b581ecf1d53af84) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-01-31 14:27:05 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-02-04 23:20:17 +0000
commit: e8c96131d952f7812a8f8a53845c0ba709192d86 (patch)
tree: a16d0d73c9dd91216c3aac834f1d54aa62d27e9c /meta/recipes-devtools/git/git-2.5.0/0009-CVE-2015-7545-2.patch
parent: 108ea6d05ff27d3afaf24a3f459fc4f7d9eb4f7f (diff)
download: poky-e8c96131d952f7812a8f8a53845c0ba709192d86.tar.gz
1 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git-2.5.0/0009-CVE-2015-7545-2.patch b/meta/recipes-devtools/git/git-2.5.0/0009-CVE-2015-7545-2.patch
new file mode 100644
index 0000000000..8000e26d70
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.5.0/0009-CVE-2015-7545-2.patch
@@ -0,0 +1,112 @@
+From 33cfccbbf35a56e190b79bdec5c85457c952a021 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Wed, 16 Sep 2015 13:13:12 -0400
+Subject: [PATCH] submodule: allow only certain protocols for submodule fetches
+Some protocols (like git-remote-ext) can execute arbitrary
+code found in the URL. The URLs that submodules use may come
+from arbitrary sources (e.g., .gitmodules files in a remote
+repository). Let's restrict submodules to fetching from a
+known-good subset of protocols.
+Note that we apply this restriction to all submodule
+commands, whether the URL comes from .gitmodules or not.
+This is more restrictive than we need to be; for example, in
+the tests we run:
+  git submodule add ext::...
+which should be trusted, as the URL comes directly from the
+command line provided by the user. But doing it this way is
+simpler, and makes it much less likely that we would miss a
+case. And since such protocols should be an exception
+(especially because nobody who clones from them will be able
+to update the submodules!), it's not likely to inconvenience
+anyone in practice.
+Reported-by: Blake Burkhart <bburky@bburky.com>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+Upstream-Status: Backport
+http://archive.ubuntu.com/ubuntu/pool/main/g/git/git_2.5.0-1ubuntu0.1.debian.tar.xz
+CVE: CVE-2015-7545 #2
+Singed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ git-submodule.sh            |  9 +++++++++
+ t/t5815-submodule-protos.sh | 43 +++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+)
+ create mode 100755 t/t5815-submodule-protos.sh
+diff --git a/git-submodule.sh b/git-submodule.sh
+index 36797c3..78c2740 100755
+--- a/git-submodule.sh
+++ b/git-submodule.sh
+@@ -22,6 +22,15 @@ require_work_tree
+ wt_prefix=$(git rev-parse --show-prefix)
+ cd_to_toplevel
+ 
+# Restrict ourselves to a vanilla subset of protocols; the URLs
+# we get are under control of a remote repository, and we do not
+# want them kicking off arbitrary git-remote-* programs.
+#
+# If the user has already specified a set of allowed protocols,
+# we assume they know what they're doing and use that instead.
+: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh}
+export GIT_ALLOW_PROTOCOL
+
+ command=
+ branch=
+ force=
+diff --git a/t/t5815-submodule-protos.sh b/t/t5815-submodule-protos.sh
+new file mode 100755
+index 0000000..06f55a1
+--- /dev/null
+++ b/t/t5815-submodule-protos.sh
+@@ -0,0 +1,43 @@
+#!/bin/sh
+
+test_description='test protocol whitelisting with submodules'
+. ./test-lib.sh
+. "$TEST_DIRECTORY"/lib-proto-disable.sh
+
+setup_ext_wrapper
+setup_ssh_wrapper
+
+test_expect_success 'setup repository with submodules' '
+       mkdir remote &&
+       git init remote/repo.git &&
+       (cd remote/repo.git && test_commit one) &&
+       # submodule-add should probably trust what we feed it on the cmdline,
+       # but its implementation is overly conservative.
+       GIT_ALLOW_PROTOCOL=ssh git submodule add remote:repo.git ssh-module &&
+       GIT_ALLOW_PROTOCOL=ext git submodule add "ext::fake-remote %S repo.git" ext-module &&
+       git commit -m "add submodules"
+'
+
+test_expect_success 'clone with recurse-submodules fails' '
+       test_must_fail git clone --recurse-submodules . dst
+'
+
+test_expect_success 'setup individual updates' '
+       rm -rf dst &&
+       git clone . dst &&
+       git -C dst submodule init
+'
+
+test_expect_success 'update of ssh allowed' '
+       git -C dst submodule update ssh-module
+'
+
+test_expect_success 'update of ext not allowed' '
+       test_must_fail git -C dst submodule update ext-module
+'
+
+test_expect_success 'user can override whitelist' '
+       GIT_ALLOW_PROTOCOL=ext git -C dst submodule update ext-module
+'
+
+test_done
author	Armin Kuster <akuster@mvista.com>	2016-01-31 14:27:05 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-02-04 23:20:17 +0000
commit	e8c96131d952f7812a8f8a53845c0ba709192d86 (patch)
tree	a16d0d73c9dd91216c3aac834f1d54aa62d27e9c /meta/recipes-devtools/git/git-2.5.0/0009-CVE-2015-7545-2.patch
parent	108ea6d05ff27d3afaf24a3f459fc4f7d9eb4f7f (diff)
download	poky-e8c96131d952f7812a8f8a53845c0ba709192d86.tar.gz

diff --git a/meta/recipes-devtools/git/git-2.5.0/0009-CVE-2015-7545-2.patch b/meta/recipes-devtools/git/git-2.5.0/0009-CVE-2015-7545-2.patch new file mode 100644 index 0000000000..8000e26d70 --- /dev/null +++ b/meta/recipes-devtools/git/git-2.5.0/0009-CVE-2015-7545-2.patch
@@ -0,0 +1,112 @@
	1	From 33cfccbbf35a56e190b79bdec5c85457c952a021 Mon Sep 17 00:00:00 2001
	2	From: Jeff King <peff@peff.net>
	3	Date: Wed, 16 Sep 2015 13:13:12 -0400
	4	Subject: [PATCH] submodule: allow only certain protocols for submodule fetches
	5
	6	Some protocols (like git-remote-ext) can execute arbitrary
	7	code found in the URL. The URLs that submodules use may come
	8	from arbitrary sources (e.g., .gitmodules files in a remote
	9	repository). Let's restrict submodules to fetching from a
	10	known-good subset of protocols.
	11
	12	Note that we apply this restriction to all submodule
	13	commands, whether the URL comes from .gitmodules or not.
	14	This is more restrictive than we need to be; for example, in
	15	the tests we run:
	16
	17	git submodule add ext::...
	18
	19	which should be trusted, as the URL comes directly from the
	20	command line provided by the user. But doing it this way is
	21	simpler, and makes it much less likely that we would miss a
	22	case. And since such protocols should be an exception
	23	(especially because nobody who clones from them will be able
	24	to update the submodules!), it's not likely to inconvenience
	25	anyone in practice.
	26
	27	Reported-by: Blake Burkhart <bburky@bburky.com>
	28	Signed-off-by: Jeff King <peff@peff.net>
	29	Signed-off-by: Junio C Hamano <gitster@pobox.com>
	30
	31	Upstream-Status: Backport
	32
	33	http://archive.ubuntu.com/ubuntu/pool/main/g/git/git_2.5.0-1ubuntu0.1.debian.tar.xz
	34
	35	CVE: CVE-2015-7545 #2
	36	Singed-off-by: Armin Kuster <akuster@mvista.com>
	37
	38	---
	39	git-submodule.sh \| 9 +++++++++
	40	t/t5815-submodule-protos.sh \| 43 +++++++++++++++++++++++++++++++++++++++++++
	41	2 files changed, 52 insertions(+)
	42	create mode 100755 t/t5815-submodule-protos.sh
	43
	44	diff --git a/git-submodule.sh b/git-submodule.sh
	45	index 36797c3..78c2740 100755
	46	--- a/git-submodule.sh
	47	+++ b/git-submodule.sh
	48	@@ -22,6 +22,15 @@ require_work_tree
	49	wt_prefix=$(git rev-parse --show-prefix)
	50	cd_to_toplevel
	51
	52	+# Restrict ourselves to a vanilla subset of protocols; the URLs
	53	+# we get are under control of a remote repository, and we do not
	54	+# want them kicking off arbitrary git-remote-* programs.
	55	+#
	56	+# If the user has already specified a set of allowed protocols,
	57	+# we assume they know what they're doing and use that instead.
	58	+: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh}
	59	+export GIT_ALLOW_PROTOCOL
	60	+
	61	command=
	62	branch=
	63	force=
	64	diff --git a/t/t5815-submodule-protos.sh b/t/t5815-submodule-protos.sh
	65	new file mode 100755
	66	index 0000000..06f55a1
	67	--- /dev/null
	68	+++ b/t/t5815-submodule-protos.sh
	69	@@ -0,0 +1,43 @@
	70	+#!/bin/sh
	71	+
	72	+test_description='test protocol whitelisting with submodules'
	73	+. ./test-lib.sh
	74	+. "$TEST_DIRECTORY"/lib-proto-disable.sh
	75	+
	76	+setup_ext_wrapper
	77	+setup_ssh_wrapper
	78	+
	79	+test_expect_success 'setup repository with submodules' '
	80	+ mkdir remote &&
	81	+ git init remote/repo.git &&
	82	+ (cd remote/repo.git && test_commit one) &&
	83	+ # submodule-add should probably trust what we feed it on the cmdline,
	84	+ # but its implementation is overly conservative.
	85	+ GIT_ALLOW_PROTOCOL=ssh git submodule add remote:repo.git ssh-module &&
	86	+ GIT_ALLOW_PROTOCOL=ext git submodule add "ext::fake-remote %S repo.git" ext-module &&
	87	+ git commit -m "add submodules"
	88	+'
	89	+
	90	+test_expect_success 'clone with recurse-submodules fails' '
	91	+ test_must_fail git clone --recurse-submodules . dst
	92	+'
	93	+
	94	+test_expect_success 'setup individual updates' '
	95	+ rm -rf dst &&
	96	+ git clone . dst &&
	97	+ git -C dst submodule init
	98	+'
	99	+
	100	+test_expect_success 'update of ssh allowed' '
	101	+ git -C dst submodule update ssh-module
	102	+'
	103	+
	104	+test_expect_success 'update of ext not allowed' '
	105	+ test_must_fail git -C dst submodule update ext-module
	106	+'
	107	+
	108	+test_expect_success 'user can override whitelist' '
	109	+ GIT_ALLOW_PROTOCOL=ext git -C dst submodule update ext-module
	110	+'
	111	+
	112	+test_done