git: fix CVE-2023-25652

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists. References: https://nvd.nist.gov/vuln/detail/CVE-2023-25652 Upstream patches: https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b (From OE-Core rev: 335ad8a6d795cd94b872370e44a033ce3fbf4890) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2023-05-07 08:09:11 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-05-12 04:04:52 -1000
commit: 6d618c1b8b64cf285aa6878c9b0fd61a7c7757cf (patch)
tree: 8bdd6a8887685a65bf71ce37b6f1a574fde7b456 /meta
parent: 04316b4f470e28cdb47f49e84e5f9848ccb5368c (diff)
download: poky-6d618c1b8b64cf285aa6878c9b0fd61a7c7757cf.tar.gz
2 files changed, 95 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git/CVE-2023-25652.patch b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
new file mode 100644
index 0000000000..825701eaff
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
@@ -0,0 +1,94 @@
+From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
+Date: Thu Mar 9 16:02:54 2023 +0100
+Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
+ exists
+   The `git apply --reject` is expected to write out `.rej` files in case
+   one or more hunks fail to apply cleanly. Historically, the command
+   overwrites any existing `.rej` files. The idea being that
+   apply/reject/edit cycles are relatively common, and the generated `.rej`
+   files are not considered precious.
+    But the command does not overwrite existing `.rej` symbolic links, and
+    instead follows them. This is unsafe because the same patch could
+    potentially create such a symbolic link and point at arbitrary paths
+    outside the current worktree, and `git apply` would write the contents
+    of the `.rej` file into that location.
+    Therefore, let's make sure that any existing `.rej` file or symbolic
+    link is removed before writing it.
+    Reported-by: RyotaK <ryotak.mail@gmail.com>
+    Helped-by: Taylor Blau <me@ttaylorr.com>
+    Helped-by: Junio C Hamano <gitster@pobox.com>
+    Helped-by: Linus Torvalds <torvalds@linuxfoundation.org>
+    Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+CVE: CVE-2023-25652
+Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ apply.c                  | 14 ++++++++++++--
+ t/t4115-apply-symlink.sh | 15 +++++++++++++++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+diff --git a/apply.c b/apply.c
+index fc6f484..47f2686 100644
+--- a/apply.c
+++ b/apply.c
+@@ -4584,7 +4584,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
+        FILE *rej;
+        char namebuf[PATH_MAX];
+        struct fragment *frag;
+-       int cnt = 0;
+       int fd, cnt = 0;
+        struct strbuf sb = STRBUF_INIT;
+        for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
+@@ -4624,7 +4624,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
+        memcpy(namebuf, patch->new_name, cnt);
+        memcpy(namebuf + cnt, ".rej", 5);
+-       rej = fopen(namebuf, "w");
+       fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
+       if (fd < 0) {
+               if (errno != EEXIST)
+                       return error_errno(_("cannot open %s"), namebuf);
+               if (unlink(namebuf))
+                       return error_errno(_("cannot unlink '%s'"), namebuf);
+               fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
+               if (fd < 0)
+                       return error_errno(_("cannot open %s"), namebuf);
+       }
+       rej = fdopen(fd, "w");
+        if (!rej)
+                return error_errno(_("cannot open %s"), namebuf);
+diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
+index 65ac7df..e95e6d4 100755
+--- a/t/t4115-apply-symlink.sh
+++ b/t/t4115-apply-symlink.sh
+@@ -126,4 +126,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' '
+        test_path_is_file .git/delete-me
+ '
+test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
+       test_when_finished "git reset --hard && git clean -dfx" &&
+
+       test_commit file &&
+       echo modified >file.t &&
+       git diff -- file.t >patch &&
+       echo modified-again >file.t &&
+
+       ln -s foo file.t.rej &&
+       test_must_fail git apply patch --reject 2>err &&
+       test_i18ngrep "Rejected hunk" err &&
+       test_path_is_missing foo &&
+       test_path_is_file file.t.rej
+'
+
+ test_done
+--
+2.40.0
diff --git a/meta/recipes-devtools/git/git_2.35.7.bb b/meta/recipes-devtools/git/git_2.35.7.bb
index 199ac950fa..99d3d70683 100644
--- a/meta/recipes-devtools/git/git_2.35.7.bb
+++ b/meta/recipes-devtools/git/git_2.35.7.bb
@@ -11,6 +11,7 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
           file://fixsort.patch \
           file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \
           file://CVE-2023-29007.patch \
+           file://CVE-2023-25652.patch \
           "
 S = "${WORKDIR}/git-${PV}"
author	Archana Polampalli <archana.polampalli@windriver.com>	2023-05-07 08:09:11 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-05-12 04:04:52 -1000
commit	6d618c1b8b64cf285aa6878c9b0fd61a7c7757cf (patch)
tree	8bdd6a8887685a65bf71ce37b6f1a574fde7b456 /meta
parent	04316b4f470e28cdb47f49e84e5f9848ccb5368c (diff)
download	poky-6d618c1b8b64cf285aa6878c9b0fd61a7c7757cf.tar.gz

diff --git a/meta/recipes-devtools/git/git/CVE-2023-25652.patch b/meta/recipes-devtools/git/git/CVE-2023-25652.patch new file mode 100644 index 0000000000..825701eaff --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
@@ -0,0 +1,94 @@
		1	From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001
		2	From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
		3	Date: Thu Mar 9 16:02:54 2023 +0100
		4	Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
		5	exists
		6
		7	The `git apply --reject` is expected to write out `.rej` files in case
		8	one or more hunks fail to apply cleanly. Historically, the command
		9	overwrites any existing `.rej` files. The idea being that
		10	apply/reject/edit cycles are relatively common, and the generated `.rej`
		11	files are not considered precious.
		12
		13	But the command does not overwrite existing `.rej` symbolic links, and
		14	instead follows them. This is unsafe because the same patch could
		15	potentially create such a symbolic link and point at arbitrary paths
		16	outside the current worktree, and `git apply` would write the contents
		17	of the `.rej` file into that location.
		18
		19	Therefore, let's make sure that any existing `.rej` file or symbolic
		20	link is removed before writing it.
		21
		22	Reported-by: RyotaK <ryotak.mail@gmail.com>
		23	Helped-by: Taylor Blau <me@ttaylorr.com>
		24	Helped-by: Junio C Hamano <gitster@pobox.com>
		25	Helped-by: Linus Torvalds <torvalds@linuxfoundation.org>
		26	Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
		27
		28	CVE: CVE-2023-25652
		29	Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
		30
		31	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		32	---
		33	apply.c \| 14 ++++++++++++--
		34	t/t4115-apply-symlink.sh \| 15 +++++++++++++++
		35	2 files changed, 27 insertions(+), 2 deletions(-)
		36
		37	diff --git a/apply.c b/apply.c
		38	index fc6f484..47f2686 100644
		39	--- a/apply.c
		40	+++ b/apply.c
		41	@@ -4584,7 +4584,7 @@ static int write_out_one_reject(struct apply_state state, struct patch patch)
		42	FILE *rej;
		43	char namebuf[PATH_MAX];
		44	struct fragment *frag;
		45	- int cnt = 0;
		46	+ int fd, cnt = 0;
		47	struct strbuf sb = STRBUF_INIT;
		48
		49	for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
		50	@@ -4624,7 +4624,17 @@ static int write_out_one_reject(struct apply_state state, struct patch patch)
		51	memcpy(namebuf, patch->new_name, cnt);
		52	memcpy(namebuf + cnt, ".rej", 5);
		53
		54	- rej = fopen(namebuf, "w");
		55	+ fd = open(namebuf, O_CREAT \| O_EXCL \| O_WRONLY, 0666);
		56	+ if (fd < 0) {
		57	+ if (errno != EEXIST)
		58	+ return error_errno(_("cannot open %s"), namebuf);
		59	+ if (unlink(namebuf))
		60	+ return error_errno(_("cannot unlink '%s'"), namebuf);
		61	+ fd = open(namebuf, O_CREAT \| O_EXCL \| O_WRONLY, 0666);
		62	+ if (fd < 0)
		63	+ return error_errno(_("cannot open %s"), namebuf);
		64	+ }
		65	+ rej = fdopen(fd, "w");
		66	if (!rej)
		67	return error_errno(_("cannot open %s"), namebuf);
		68
		69	diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
		70	index 65ac7df..e95e6d4 100755
		71	--- a/t/t4115-apply-symlink.sh
		72	+++ b/t/t4115-apply-symlink.sh
		73	@@ -126,4 +126,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' '
		74	test_path_is_file .git/delete-me
		75	'
		76
		77	+test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
		78	+ test_when_finished "git reset --hard && git clean -dfx" &&
		79	+
		80	+ test_commit file &&
		81	+ echo modified >file.t &&
		82	+ git diff -- file.t >patch &&
		83	+ echo modified-again >file.t &&
		84	+
		85	+ ln -s foo file.t.rej &&
		86	+ test_must_fail git apply patch --reject 2>err &&
		87	+ test_i18ngrep "Rejected hunk" err &&
		88	+ test_path_is_missing foo &&
		89	+ test_path_is_file file.t.rej
		90	+'
		91	+
		92	test_done
		93	--
		94	2.40.0


diff --git a/meta/recipes-devtools/git/git_2.35.7.bb b/meta/recipes-devtools/git/git_2.35.7.bb index 199ac950fa..99d3d70683 100644 --- a/meta/recipes-devtools/git/git_2.35.7.bb +++ b/meta/recipes-devtools/git/git_2.35.7.bb
@@ -11,6 +11,7 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
11	file://fixsort.patch \	11	file://fixsort.patch \
12	file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \	12	file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \
13	file://CVE-2023-29007.patch \	13	file://CVE-2023-29007.patch \
		14	file://CVE-2023-25652.patch \
14	"	15	"
15		16
16	S = "${WORKDIR}/git-${PV}"	17	S = "${WORKDIR}/git-${PV}"