diff options
| author | Li Zhou <li.zhou@windriver.com> | 2020-04-27 17:17:49 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-05-07 17:32:09 +0100 |
| commit | 3412c7b7131fb3b94075d5c654df1908701f64a2 (patch) | |
| tree | 17c4ee96873fe37302420e14d1716ac0cc32d6df /meta/recipes-devtools/git/git/CVE-2020-11008-6.patch | |
| parent | cfcd63e044c66b22fcddcbd55df0c2316fe06051 (diff) | |
| download | poky-3412c7b7131fb3b94075d5c654df1908701f64a2.tar.gz | |
git: Security Advisory - git - CVE-2020-11008
Backport the 1st -- 9th patches listed by
<https://github.com/git/git/compare/v2.17.4...v2.17.5>
to solve CVE-2020-11008.
Also backport the 2nd -- 4th patches listed by
<https://github.com/git/git/compare/v2.17.3...v2.17.4>
for CVE-2020-5260 (not necessary, and only the 1st patch is necessary
for this CVE), because some of the above 9 patches are based on them.
(From OE-Core rev: 63c7f76912f097cdfb95296778c42887b7336925)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/git/git/CVE-2020-11008-6.patch')
| -rw-r--r-- | meta/recipes-devtools/git/git/CVE-2020-11008-6.patch | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch new file mode 100644 index 0000000000..6b36893030 --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch | |||
| @@ -0,0 +1,84 @@ | |||
| 1 | From 883508bcebe87fbe7fb7392272e930c27c30fdc2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jeff King <peff@peff.net> | ||
| 3 | Date: Sat, 18 Apr 2020 20:53:09 -0700 | ||
| 4 | Subject: [PATCH 09/12] credential: die() when parsing invalid urls | ||
| 5 | |||
| 6 | When we try to initialize credential loading by URL and find that the | ||
| 7 | URL is invalid, we set all fields to NULL in order to avoid acting on | ||
| 8 | malicious input. Later when we request credentials, we diagonse the | ||
| 9 | erroneous input: | ||
| 10 | |||
| 11 | fatal: refusing to work with credential missing host field | ||
| 12 | |||
| 13 | This is problematic in two ways: | ||
| 14 | |||
| 15 | - The message doesn't tell the user *why* we are missing the host | ||
| 16 | field, so they can't tell from this message alone how to recover. | ||
| 17 | There can be intervening messages after the original warning of | ||
| 18 | bad input, so the user may not have the context to put two and two | ||
| 19 | together. | ||
| 20 | |||
| 21 | - The error only occurs when we actually need to get a credential. If | ||
| 22 | the URL permits anonymous access, the only encouragement the user gets | ||
| 23 | to correct their bogus URL is a quiet warning. | ||
| 24 | |||
| 25 | This is inconsistent with the check we perform in fsck, where any use | ||
| 26 | of such a URL as a submodule is an error. | ||
| 27 | |||
| 28 | When we see such a bogus URL, let's not try to be nice and continue | ||
| 29 | without helpers. Instead, die() immediately. This is simpler and | ||
| 30 | obviously safe. And there's very little chance of disrupting a normal | ||
| 31 | workflow. | ||
| 32 | |||
| 33 | It's _possible_ that somebody has a legitimate URL with a raw newline in | ||
| 34 | it. It already wouldn't work with credential helpers, so this patch | ||
| 35 | steps that up from an inconvenience to "we will refuse to work with it | ||
| 36 | at all". If such a case does exist, we should figure out a way to work | ||
| 37 | with it (especially if the newline is only in the path component, which | ||
| 38 | we normally don't even pass to helpers). But until we see a real report, | ||
| 39 | we're better off being defensive. | ||
| 40 | |||
| 41 | Reported-by: Carlo Arenas <carenas@gmail.com> | ||
| 42 | Signed-off-by: Jeff King <peff@peff.net> | ||
| 43 | Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> | ||
| 44 | |||
| 45 | Upstream-Status: Backport | ||
| 46 | CVE: CVE-2020-11008 (6) | ||
| 47 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
| 48 | --- | ||
| 49 | credential.c | 6 ++---- | ||
| 50 | t/t0300-credentials.sh | 3 +-- | ||
| 51 | 2 files changed, 3 insertions(+), 6 deletions(-) | ||
| 52 | |||
| 53 | diff --git a/credential.c b/credential.c | ||
| 54 | index e08ed84..22649d5 100644 | ||
| 55 | --- a/credential.c | ||
| 56 | +++ b/credential.c | ||
| 57 | @@ -408,8 +408,6 @@ int credential_from_url_gently(struct credential *c, const char *url, | ||
| 58 | |||
| 59 | void credential_from_url(struct credential *c, const char *url) | ||
| 60 | { | ||
| 61 | - if (credential_from_url_gently(c, url, 0) < 0) { | ||
| 62 | - warning(_("skipping credential lookup for url: %s"), url); | ||
| 63 | - credential_clear(c); | ||
| 64 | - } | ||
| 65 | + if (credential_from_url_gently(c, url, 0) < 0) | ||
| 66 | + die(_("credential url cannot be parsed: %s"), url); | ||
| 67 | } | ||
| 68 | diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh | ||
| 69 | index 646f845..efed3ea 100755 | ||
| 70 | --- a/t/t0300-credentials.sh | ||
| 71 | +++ b/t/t0300-credentials.sh | ||
| 72 | @@ -406,8 +406,7 @@ test_expect_success 'url parser rejects embedded newlines' ' | ||
| 73 | EOF | ||
| 74 | cat >expect <<-\EOF && | ||
| 75 | warning: url contains a newline in its host component: https://one.example.com?%0ahost=two.example.com/ | ||
| 76 | - warning: skipping credential lookup for url: https://one.example.com?%0ahost=two.example.com/ | ||
| 77 | - fatal: refusing to work with credential missing host field | ||
| 78 | + fatal: credential url cannot be parsed: https://one.example.com?%0ahost=two.example.com/ | ||
| 79 | EOF | ||
| 80 | test_i18ncmp expect stderr | ||
| 81 | ' | ||
| 82 | -- | ||
| 83 | 1.9.1 | ||
| 84 | |||