git: fix CVE-2023-29007

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`. References: https://nvd.nist.gov/vuln/detail/CVE-2023-29007 Upstream patches: https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4 https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8 https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a (From OE-Core rev: 1b55343b6346437b80b8a8180ae1bc9f480d92ef) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2023-05-07 08:08:46 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-05-12 04:04:52 -1000
commit: 04316b4f470e28cdb47f49e84e5f9848ccb5368c (patch)
tree: 2738b61d73286a2ad39bc8af6232c27c7d4c14a0 /meta
parent: a8216f8f7c1f360005de6d11f5fa867328d10163 (diff)
download: poky-04316b4f470e28cdb47f49e84e5f9848ccb5368c.tar.gz
2 files changed, 163 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git/CVE-2023-29007.patch b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
new file mode 100644
index 0000000000..472f4022b2
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
@@ -0,0 +1,162 @@
+From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001
+From: Taylor Blau <me@ttaylorr.com>
+Date: Fri, 14 Apr 2023 11:46:59 -0400
+Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection'
+Avoids issues with renaming or deleting sections with long lines, where
+configuration values may be interpreted as sections, leading to
+configuration injection. Addresses CVE-2023-29007.
+* tb/config-copy-or-rename-in-file-injection:
+  config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
+  config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
+  config: avoid fixed-sized buffer when renaming/deleting a section
+  t1300: demonstrate failure when renaming sections with long lines
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+Upstream-Status: Backport
+CVE: CVE-2023-29007
+Reference to upstream patch:
+https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ config.c          | 36 +++++++++++++++++++++++++-----------
+ t/t1300-config.sh | 30 ++++++++++++++++++++++++++++++
+ 2 files changed, 55 insertions(+), 11 deletions(-)
+diff --git a/config.c b/config.c
+index 2bffa8d..6a01938 100644
+--- a/config.c
+++ b/config.c
+@@ -3192,9 +3192,10 @@ void git_config_set_multivar(const char *key, const char *value,
+                                        flags);
+ }
+-static int section_name_match (const char *buf, const char *name)
+static size_t section_name_match (const char *buf, const char *name)
+ {
+-       int i = 0, j = 0, dot = 0;
+       size_t i = 0, j = 0;
+       int dot = 0;
+        if (buf[i] != '[')
+                return 0;
+        for (i = 1; buf[i] && buf[i] != ']'; i++) {
+@@ -3247,6 +3248,8 @@ static int section_name_is_ok(const char *name)
+        return 1;
+ }
+#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
+
+ /* if new_name == NULL, the section is removed instead */
+ static int git_config_copy_or_rename_section_in_file(const char *config_filename,
+                                      const char *old_name,
+@@ -3256,11 +3259,12 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+        char *filename_buf = NULL;
+        struct lock_file lock = LOCK_INIT;
+        int out_fd;
+-       char buf[1024];
+       struct strbuf buf = STRBUF_INIT;
+        FILE *config_file = NULL;
+        struct stat st;
+        struct strbuf copystr = STRBUF_INIT;
+        struct config_store_data store;
+       uint32_t line_nr = 0;
+        memset(&store, 0, sizeof(store));
+@@ -3297,16 +3301,25 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+                goto out;
+        }
+-       while (fgets(buf, sizeof(buf), config_file)) {
+-               unsigned i;
+-               int length;
+       while (!strbuf_getwholeline(&buf, config_file, '\n')) {
+               size_t i, length;
+                int is_section = 0;
+-               char *output = buf;
+-               for (i = 0; buf[i] && isspace(buf[i]); i++)
+               char *output = buf.buf;
+
+               line_nr++;
+
+               if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) {
+                       ret = error(_("refusing to work with overly long line "
+                                     "in '%s' on line %"PRIuMAX),
+                                   config_filename, (uintmax_t)line_nr);
+                       goto out;
+               }
+
+               for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++)
+                        ; /* do nothing */
+-               if (buf[i] == '[') {
+               if (buf.buf[i] == '[') {
+                        /* it's a section */
+-                       int offset;
+                       size_t offset;
+                        is_section = 1;
+                        /*
+@@ -3323,7 +3336,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+                                strbuf_reset(&copystr);
+                        }
+-                       offset = section_name_match(&buf[i], old_name);
+                       offset = section_name_match(&buf.buf[i], old_name);
+                        if (offset > 0) {
+                                ret++;
+                                if (new_name == NULL) {
+@@ -3398,6 +3411,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ out_no_rollback:
+        free(filename_buf);
+        config_store_data_clear(&store);
+       strbuf_release(&buf);
+        return ret;
+ }
+diff --git a/t/t1300-config.sh b/t/t1300-config.sh
+index 78359f1..b07feb1 100755
+--- a/t/t1300-config.sh
+++ b/t/t1300-config.sh
+@@ -617,6 +617,36 @@ test_expect_success 'renaming to bogus section is rejected' '
+        test_must_fail git config --rename-section branch.zwei "bogus name"
+ '
+test_expect_success 'renaming a section with a long line' '
+       {
+               printf "[b]\\n" &&
+               printf "  c = d %1024s [a] e = f\\n" " " &&
+               printf "[a] g = h\\n"
+       } >y &&
+       git config -f y --rename-section a xyz &&
+       test_must_fail git config -f y b.e
+'
+
+test_expect_success 'renaming an embedded section with a long line' '
+       {
+               printf "[b]\\n" &&
+               printf "  c = d %1024s [a] [foo] e = f\\n" " " &&
+               printf "[a] g = h\\n"
+       } >y &&
+       git config -f y --rename-section a xyz &&
+       test_must_fail git config -f y foo.e
+'
+
+test_expect_success 'renaming a section with an overly-long line' '
+       {
+               printf "[b]\\n" &&
+               printf "  c = d %525000s e" " " &&
+               printf "[a] g = h\\n"
+       } >y &&
+       test_must_fail git config -f y --rename-section a xyz 2>err &&
+       test_i18ngrep "refusing to work with overly long line in .y. on line 2" err
+'
+
+ cat >> .git/config << EOF
+   [branch "zwei"] a = 1 [branch "vier"]
+ EOF
+--
+2.40.0
diff --git a/meta/recipes-devtools/git/git_2.35.7.bb b/meta/recipes-devtools/git/git_2.35.7.bb
index faf0b67051..199ac950fa 100644
--- a/meta/recipes-devtools/git/git_2.35.7.bb
+++ b/meta/recipes-devtools/git/git_2.35.7.bb
@@ -10,6 +10,7 @@ PROVIDES:append:class-native = " git-replacement-native"
 SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
           file://fixsort.patch \
           file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \
+           file://CVE-2023-29007.patch \
           "
 S = "${WORKDIR}/git-${PV}"
author	Archana Polampalli <archana.polampalli@windriver.com>	2023-05-07 08:08:46 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-05-12 04:04:52 -1000
commit	04316b4f470e28cdb47f49e84e5f9848ccb5368c (patch)
tree	2738b61d73286a2ad39bc8af6232c27c7d4c14a0 /meta
parent	a8216f8f7c1f360005de6d11f5fa867328d10163 (diff)
download	poky-04316b4f470e28cdb47f49e84e5f9848ccb5368c.tar.gz

diff --git a/meta/recipes-devtools/git/git/CVE-2023-29007.patch b/meta/recipes-devtools/git/git/CVE-2023-29007.patch new file mode 100644 index 0000000000..472f4022b2 --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
@@ -0,0 +1,162 @@
		1	From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001
		2	From: Taylor Blau <me@ttaylorr.com>
		3	Date: Fri, 14 Apr 2023 11:46:59 -0400
		4	Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection'
		5
		6	Avoids issues with renaming or deleting sections with long lines, where
		7	configuration values may be interpreted as sections, leading to
		8	configuration injection. Addresses CVE-2023-29007.
		9
		10	* tb/config-copy-or-rename-in-file-injection:
		11	config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
		12	config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
		13	config: avoid fixed-sized buffer when renaming/deleting a section
		14	t1300: demonstrate failure when renaming sections with long lines
		15
		16	Signed-off-by: Taylor Blau <me@ttaylorr.com>
		17
		18	Upstream-Status: Backport
		19	CVE: CVE-2023-29007
		20
		21	Reference to upstream patch:
		22	https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
		23
		24	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		25	---
		26	config.c \| 36 +++++++++++++++++++++++++-----------
		27	t/t1300-config.sh \| 30 ++++++++++++++++++++++++++++++
		28	2 files changed, 55 insertions(+), 11 deletions(-)
		29
		30	diff --git a/config.c b/config.c
		31	index 2bffa8d..6a01938 100644
		32	--- a/config.c
		33	+++ b/config.c
		34	@@ -3192,9 +3192,10 @@ void git_config_set_multivar(const char key, const char value,
		35	flags);
		36	}
		37
		38	-static int section_name_match (const char buf, const char name)
		39	+static size_t section_name_match (const char buf, const char name)
		40	{
		41	- int i = 0, j = 0, dot = 0;
		42	+ size_t i = 0, j = 0;
		43	+ int dot = 0;
		44	if (buf[i] != '[')
		45	return 0;
		46	for (i = 1; buf[i] && buf[i] != ']'; i++) {
		47	@@ -3247,6 +3248,8 @@ static int section_name_is_ok(const char *name)
		48	return 1;
		49	}
		50
		51	+#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
		52	+
		53	/* if new_name == NULL, the section is removed instead */
		54	static int git_config_copy_or_rename_section_in_file(const char *config_filename,
		55	const char *old_name,
		56	@@ -3256,11 +3259,12 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
		57	char *filename_buf = NULL;
		58	struct lock_file lock = LOCK_INIT;
		59	int out_fd;
		60	- char buf[1024];
		61	+ struct strbuf buf = STRBUF_INIT;
		62	FILE *config_file = NULL;
		63	struct stat st;
		64	struct strbuf copystr = STRBUF_INIT;
		65	struct config_store_data store;
		66	+ uint32_t line_nr = 0;
		67
		68	memset(&store, 0, sizeof(store));
		69
		70	@@ -3297,16 +3301,25 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
		71	goto out;
		72	}
		73
		74	- while (fgets(buf, sizeof(buf), config_file)) {
		75	- unsigned i;
		76	- int length;
		77	+ while (!strbuf_getwholeline(&buf, config_file, '\n')) {
		78	+ size_t i, length;
		79	int is_section = 0;
		80	- char *output = buf;
		81	- for (i = 0; buf[i] && isspace(buf[i]); i++)
		82	+ char *output = buf.buf;
		83	+
		84	+ line_nr++;
		85	+
		86	+ if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) {
		87	+ ret = error(_("refusing to work with overly long line "
		88	+ "in '%s' on line %"PRIuMAX),
		89	+ config_filename, (uintmax_t)line_nr);
		90	+ goto out;
		91	+ }
		92	+
		93	+ for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++)
		94	; /* do nothing */
		95	- if (buf[i] == '[') {
		96	+ if (buf.buf[i] == '[') {
		97	/* it's a section */
		98	- int offset;
		99	+ size_t offset;
		100	is_section = 1;
		101
		102	/*
		103	@@ -3323,7 +3336,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
		104	strbuf_reset(&copystr);
		105	}
		106
		107	- offset = section_name_match(&buf[i], old_name);
		108	+ offset = section_name_match(&buf.buf[i], old_name);
		109	if (offset > 0) {
		110	ret++;
		111	if (new_name == NULL) {
		112	@@ -3398,6 +3411,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
		113	out_no_rollback:
		114	free(filename_buf);
		115	config_store_data_clear(&store);
		116	+ strbuf_release(&buf);
		117	return ret;
		118	}
		119
		120	diff --git a/t/t1300-config.sh b/t/t1300-config.sh
		121	index 78359f1..b07feb1 100755
		122	--- a/t/t1300-config.sh
		123	+++ b/t/t1300-config.sh
		124	@@ -617,6 +617,36 @@ test_expect_success 'renaming to bogus section is rejected' '
		125	test_must_fail git config --rename-section branch.zwei "bogus name"
		126	'
		127
		128	+test_expect_success 'renaming a section with a long line' '
		129	+ {
		130	+ printf "[b]\\n" &&
		131	+ printf " c = d %1024s [a] e = f\\n" " " &&
		132	+ printf "[a] g = h\\n"
		133	+ } >y &&
		134	+ git config -f y --rename-section a xyz &&
		135	+ test_must_fail git config -f y b.e
		136	+'
		137	+
		138	+test_expect_success 'renaming an embedded section with a long line' '
		139	+ {
		140	+ printf "[b]\\n" &&
		141	+ printf " c = d %1024s [a] [foo] e = f\\n" " " &&
		142	+ printf "[a] g = h\\n"
		143	+ } >y &&
		144	+ git config -f y --rename-section a xyz &&
		145	+ test_must_fail git config -f y foo.e
		146	+'
		147	+
		148	+test_expect_success 'renaming a section with an overly-long line' '
		149	+ {
		150	+ printf "[b]\\n" &&
		151	+ printf " c = d %525000s e" " " &&
		152	+ printf "[a] g = h\\n"
		153	+ } >y &&
		154	+ test_must_fail git config -f y --rename-section a xyz 2>err &&
		155	+ test_i18ngrep "refusing to work with overly long line in .y. on line 2" err
		156	+'
		157	+
		158	cat >> .git/config << EOF
		159	[branch "zwei"] a = 1 [branch "vier"]
		160	EOF
		161	--
		162	2.40.0


diff --git a/meta/recipes-devtools/git/git_2.35.7.bb b/meta/recipes-devtools/git/git_2.35.7.bb index faf0b67051..199ac950fa 100644 --- a/meta/recipes-devtools/git/git_2.35.7.bb +++ b/meta/recipes-devtools/git/git_2.35.7.bb
@@ -10,6 +10,7 @@ PROVIDES:append:class-native = " git-replacement-native"
10	SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \	10	SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
11	file://fixsort.patch \	11	file://fixsort.patch \
12	file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \	12	file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \
		13	file://CVE-2023-29007.patch \
13	"	14	"
14		15
15	S = "${WORKDIR}/git-${PV}"	16	S = "${WORKDIR}/git-${PV}"