git: fix CVE-2021-40330

git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring. Upstream-Status: Backport [https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473] CVE: CVE-2021-40330 (From OE-Core rev: ea0d7ef4a8c9bba94bd603ebd19e502faa86293b) Signed-off-by: Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Minjae Kim <flowergom@gmail.com> 2021-11-25 19:49:12 +0900
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-12-02 16:53:07 +0000
commit: e006c87e225a8bf1c0338b54fbbdbfbcd3634ff6 (patch)
tree: ff1ea7e38d0c9da6f5cfab9390c7568084b60d39 /meta/recipes-devtools/git/git.inc
parent: 1a5fb730ac928c732f4651b40ede2da6326d8962 (diff)
download: poky-e006c87e225a8bf1c0338b54fbbdbfbcd3634ff6.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
index 2b75bed055..a89dd42e8b 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -10,7 +10,9 @@ PROVIDES_append_class-native = " git-replacement-native"
 SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
           ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
           file://CVE-2021-21300.patch \
-           file://fixsort.patch"
+           file://fixsort.patch \
+           file://CVE-2021-40330.patch \
+           "
 S = "${WORKDIR}/git-${PV}"
author	Minjae Kim <flowergom@gmail.com>	2021-11-25 19:49:12 +0900
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-12-02 16:53:07 +0000
commit	e006c87e225a8bf1c0338b54fbbdbfbcd3634ff6 (patch)
tree	ff1ea7e38d0c9da6f5cfab9390c7568084b60d39 /meta/recipes-devtools/git/git.inc
parent	1a5fb730ac928c732f4651b40ede2da6326d8962 (diff)
download	poky-e006c87e225a8bf1c0338b54fbbdbfbcd3634ff6.tar.gz

diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc index 2b75bed055..a89dd42e8b 100644 --- a/meta/recipes-devtools/git/git.inc +++ b/meta/recipes-devtools/git/git.inc
@@ -10,7 +10,9 @@ PROVIDES_append_class-native = " git-replacement-native"
10	SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \	10	SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
11	${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \	11	${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
12	file://CVE-2021-21300.patch \	12	file://CVE-2021-21300.patch \
13	file://fixsort.patch"	13	file://fixsort.patch \
		14	file://CVE-2021-40330.patch \
		15	"
14		16
15	S = "${WORKDIR}/git-${PV}"	17	S = "${WORKDIR}/git-${PV}"
16		18