diff options
author | Hitendra Prajapati <hprajapati@mvista.com> | 2023-05-15 17:21:06 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-05-25 05:49:25 -1000 |
commit | 967c2d41452ccb42fe832837bc96c2719328ec9f (patch) | |
tree | b1138f31249a0047e1f7bef99821aa508c7b25c7 /meta/recipes-devtools/git | |
parent | a540df3791eab49bbe3a2eee2647606f0b115039 (diff) | |
download | poky-967c2d41452ccb42fe832837bc96c2719328ec9f.tar.gz |
git: fix CVE-2023-29007
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8,
2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
`.gitmodules` file with submodule URLs that are longer than 1024 characters can used
to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug
can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when
attempting to remove the configuration section associated with that submodule. When the
attacker injects configuration values which specify executables to run (such as
`core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code
execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8,
2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running
`git submodule deinit` on untrusted repositories or without prior inspection of any
submodule sections in `$GIT_DIR/config`.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29007
Upstream patches:
https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8
https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a
https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d
https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a
(From OE-Core rev: db4c152441aebe4c04a7bb7aceb88d8941a6576b)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/git')
-rw-r--r-- | meta/recipes-devtools/git/files/CVE-2023-29007.patch | 159 | ||||
-rw-r--r-- | meta/recipes-devtools/git/git.inc | 1 |
2 files changed, 160 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/files/CVE-2023-29007.patch b/meta/recipes-devtools/git/files/CVE-2023-29007.patch new file mode 100644 index 0000000000..e166c01412 --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2023-29007.patch | |||
@@ -0,0 +1,159 @@ | |||
1 | From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001 | ||
2 | From: Taylor Blau <me@ttaylorr.com> | ||
3 | Date: Fri, 14 Apr 2023 11:46:59 -0400 | ||
4 | Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection' | ||
5 | |||
6 | Avoids issues with renaming or deleting sections with long lines, where | ||
7 | configuration values may be interpreted as sections, leading to | ||
8 | configuration injection. Addresses CVE-2023-29007. | ||
9 | |||
10 | * tb/config-copy-or-rename-in-file-injection: | ||
11 | config.c: disallow overly-long lines in `copy_or_rename_section_in_file()` | ||
12 | config.c: avoid integer truncation in `copy_or_rename_section_in_file()` | ||
13 | config: avoid fixed-sized buffer when renaming/deleting a section | ||
14 | t1300: demonstrate failure when renaming sections with long lines | ||
15 | |||
16 | Signed-off-by: Taylor Blau <me@ttaylorr.com> | ||
17 | |||
18 | Upstream-Status: Backport [https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4] | ||
19 | CVE: CVE-2023-29007 | ||
20 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
21 | --- | ||
22 | config.c | 36 +++++++++++++++++++++++++----------- | ||
23 | t/t1300-config.sh | 30 ++++++++++++++++++++++++++++++ | ||
24 | 2 files changed, 55 insertions(+), 11 deletions(-) | ||
25 | |||
26 | diff --git a/config.c b/config.c | ||
27 | index e7052b3..676b687 100644 | ||
28 | --- a/config.c | ||
29 | +++ b/config.c | ||
30 | @@ -2987,9 +2987,10 @@ void git_config_set_multivar(const char *key, const char *value, | ||
31 | multi_replace); | ||
32 | } | ||
33 | |||
34 | -static int section_name_match (const char *buf, const char *name) | ||
35 | +static size_t section_name_match (const char *buf, const char *name) | ||
36 | { | ||
37 | - int i = 0, j = 0, dot = 0; | ||
38 | + size_t i = 0, j = 0; | ||
39 | + int dot = 0; | ||
40 | if (buf[i] != '[') | ||
41 | return 0; | ||
42 | for (i = 1; buf[i] && buf[i] != ']'; i++) { | ||
43 | @@ -3042,6 +3043,8 @@ static int section_name_is_ok(const char *name) | ||
44 | return 1; | ||
45 | } | ||
46 | |||
47 | +#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024) | ||
48 | + | ||
49 | /* if new_name == NULL, the section is removed instead */ | ||
50 | static int git_config_copy_or_rename_section_in_file(const char *config_filename, | ||
51 | const char *old_name, | ||
52 | @@ -3051,11 +3054,12 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename | ||
53 | char *filename_buf = NULL; | ||
54 | struct lock_file lock = LOCK_INIT; | ||
55 | int out_fd; | ||
56 | - char buf[1024]; | ||
57 | + struct strbuf buf = STRBUF_INIT; | ||
58 | FILE *config_file = NULL; | ||
59 | struct stat st; | ||
60 | struct strbuf copystr = STRBUF_INIT; | ||
61 | struct config_store_data store; | ||
62 | + uint32_t line_nr = 0; | ||
63 | |||
64 | memset(&store, 0, sizeof(store)); | ||
65 | |||
66 | @@ -3092,16 +3096,25 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename | ||
67 | goto out; | ||
68 | } | ||
69 | |||
70 | - while (fgets(buf, sizeof(buf), config_file)) { | ||
71 | - int i; | ||
72 | - int length; | ||
73 | + while (!strbuf_getwholeline(&buf, config_file, '\n')) { | ||
74 | + size_t i, length; | ||
75 | int is_section = 0; | ||
76 | - char *output = buf; | ||
77 | - for (i = 0; buf[i] && isspace(buf[i]); i++) | ||
78 | + char *output = buf.buf; | ||
79 | + | ||
80 | + line_nr++; | ||
81 | + | ||
82 | + if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) { | ||
83 | + ret = error(_("refusing to work with overly long line " | ||
84 | + "in '%s' on line %"PRIuMAX), | ||
85 | + config_filename, (uintmax_t)line_nr); | ||
86 | + goto out; | ||
87 | + } | ||
88 | + | ||
89 | + for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++) | ||
90 | ; /* do nothing */ | ||
91 | - if (buf[i] == '[') { | ||
92 | + if (buf.buf[i] == '[') { | ||
93 | /* it's a section */ | ||
94 | - int offset; | ||
95 | + size_t offset; | ||
96 | is_section = 1; | ||
97 | |||
98 | /* | ||
99 | @@ -3118,7 +3131,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename | ||
100 | strbuf_reset(©str); | ||
101 | } | ||
102 | |||
103 | - offset = section_name_match(&buf[i], old_name); | ||
104 | + offset = section_name_match(&buf.buf[i], old_name); | ||
105 | if (offset > 0) { | ||
106 | ret++; | ||
107 | if (new_name == NULL) { | ||
108 | @@ -3193,6 +3206,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename | ||
109 | out_no_rollback: | ||
110 | free(filename_buf); | ||
111 | config_store_data_clear(&store); | ||
112 | + strbuf_release(&buf); | ||
113 | return ret; | ||
114 | } | ||
115 | |||
116 | diff --git a/t/t1300-config.sh b/t/t1300-config.sh | ||
117 | index 983a0a1..9b67f6b 100755 | ||
118 | --- a/t/t1300-config.sh | ||
119 | +++ b/t/t1300-config.sh | ||
120 | @@ -616,6 +616,36 @@ test_expect_success 'renaming to bogus section is rejected' ' | ||
121 | test_must_fail git config --rename-section branch.zwei "bogus name" | ||
122 | ' | ||
123 | |||
124 | +test_expect_success 'renaming a section with a long line' ' | ||
125 | + { | ||
126 | + printf "[b]\\n" && | ||
127 | + printf " c = d %1024s [a] e = f\\n" " " && | ||
128 | + printf "[a] g = h\\n" | ||
129 | + } >y && | ||
130 | + git config -f y --rename-section a xyz && | ||
131 | + test_must_fail git config -f y b.e | ||
132 | +' | ||
133 | + | ||
134 | +test_expect_success 'renaming an embedded section with a long line' ' | ||
135 | + { | ||
136 | + printf "[b]\\n" && | ||
137 | + printf " c = d %1024s [a] [foo] e = f\\n" " " && | ||
138 | + printf "[a] g = h\\n" | ||
139 | + } >y && | ||
140 | + git config -f y --rename-section a xyz && | ||
141 | + test_must_fail git config -f y foo.e | ||
142 | +' | ||
143 | + | ||
144 | +test_expect_success 'renaming a section with an overly-long line' ' | ||
145 | + { | ||
146 | + printf "[b]\\n" && | ||
147 | + printf " c = d %525000s e" " " && | ||
148 | + printf "[a] g = h\\n" | ||
149 | + } >y && | ||
150 | + test_must_fail git config -f y --rename-section a xyz 2>err && | ||
151 | + test_i18ngrep "refusing to work with overly long line in .y. on line 2" err | ||
152 | +' | ||
153 | + | ||
154 | cat >> .git/config << EOF | ||
155 | [branch "zwei"] a = 1 [branch "vier"] | ||
156 | EOF | ||
157 | -- | ||
158 | 2.25.1 | ||
159 | |||
diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc index 36318eed20..8b864053eb 100644 --- a/meta/recipes-devtools/git/git.inc +++ b/meta/recipes-devtools/git/git.inc | |||
@@ -28,6 +28,7 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ | |||
28 | file://CVE-2023-22490-2.patch \ | 28 | file://CVE-2023-22490-2.patch \ |
29 | file://CVE-2023-22490-3.patch \ | 29 | file://CVE-2023-22490-3.patch \ |
30 | file://CVE-2023-23946.patch \ | 30 | file://CVE-2023-23946.patch \ |
31 | file://CVE-2023-29007.patch \ | ||
31 | " | 32 | " |
32 | S = "${WORKDIR}/git-${PV}" | 33 | S = "${WORKDIR}/git-${PV}" |
33 | 34 | ||