6 files changed, 888 insertions, 0 deletions
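--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_1.patch
@@ -0,0 +1,445 @@
+From a5adaced2e13c135d5d9cc65be9eb95aa3bacedf Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Wed, 16 Sep 2015 13:12:52 -0400
+Subject: [PATCH] transport: add a protocol-whitelist environment variable
+
+If we are cloning an untrusted remote repository into a
+sandbox, we may also want to fetch remote submodules in
+order to get the complete view as intended by the other
+side. However, that opens us up to attacks where a malicious
+user gets us to clone something they would not otherwise
+have access to (this is not necessarily a problem by itself,
+but we may then act on the cloned contents in a way that
+exposes them to the attacker).
+
+Ideally such a setup would sandbox git entirely away from
+high-value items, but this is not always practical or easy
+to set up (e.g., OS network controls may block multiple
+protocols, and we would want to enable some but not others).
+
+We can help this case by providing a way to restrict
+particular protocols. We use a whitelist in the environment.
+This is more annoying to set up than a blacklist, but
+defaults to safety if the set of protocols git supports
+grows). If no whitelist is specified, we continue to default
+to allowing all protocols (this is an "unsafe" default, but
+since the minority of users will want this sandboxing
+effect, it is the only sensible one).
+
+A note on the tests: ideally these would all be in a single
+test file, but the git-daemon and httpd test infrastructure
+is an all-or-nothing proposition rather than a test-by-test
+prerequisite. By putting them all together, we would be
+unable to test the file-local code on machines without
+apache.
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+/hom://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/
+CVE: CVE-2015-7545 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+Documentation/git.txt | 32 ++++++++++++++
+connect.c | 5 +++
+t/lib-proto-disable.sh | 96 ++++++++++++++++++++++++++++++++++++++++++
+t/t5810-proto-disable-local.sh | 14 ++++++
+t/t5811-proto-disable-git.sh | 20 +++++++++
+t/t5812-proto-disable-http.sh | 20 +++++++++
+t/t5813-proto-disable-ssh.sh | 20 +++++++++
+t/t5814-proto-disable-ext.sh | 18 ++++++++
+transport-helper.c | 2 +
+transport.c | 21 ++++++++-
+transport.h | 7 +++
+11 files changed, 254 insertions(+), 1 deletion(-)
+create mode 100644 t/lib-proto-disable.sh
+create mode 100755 t/t5810-proto-disable-local.sh
+create mode 100755 t/t5811-proto-disable-git.sh
+create mode 100755 t/t5812-proto-disable-http.sh
+create mode 100755 t/t5813-proto-disable-ssh.sh
+create mode 100755 t/t5814-proto-disable-ext.sh
+
+Index: git-2.3.0/Documentation/git.txt
+===================================================================
+--- git-2.3.0.orig/Documentation/git.txt
++++ git-2.3.0/Documentation/git.txt
+@@ -1023,6 +1023,38 @@ GIT_ICASE_PATHSPECS::
+variable when it is invoked as the top level command by the
+end user, to be recorded in the body of the reflog.
+
++`GIT_ALLOW_PROTOCOL`::
++ If set, provide a colon-separated list of protocols which are
++ allowed to be used with fetch/push/clone. This is useful to
++ restrict recursive submodule initialization from an untrusted
++ repository. Any protocol not mentioned will be disallowed (i.e.,
++ this is a whitelist, not a blacklist). If the variable is not
++ set at all, all protocols are enabled. The protocol names
++ currently used by git are:
++
++ - `file`: any local file-based path (including `file://` URLs,
++ or local paths)
++
++ - `git`: the anonymous git protocol over a direct TCP
++ connection (or proxy, if configured)
++
++ - `ssh`: git over ssh (including `host:path` syntax,
++ `git+ssh://`, etc).
++
++ - `rsync`: git over rsync
++
++ - `http`: git over http, both "smart http" and "dumb http".
++ Note that this does _not_ include `https`; if you want both,
++ you should specify both as `http:https`.
++
++ - any external helpers are named by their protocol (e.g., use
++ `hg` to allow the `git-remote-hg` helper)
+++
++Note that this controls only git's internal protocol selection.
++If libcurl is used (e.g., by the `http` transport), it may
++redirect to other protocols. There is not currently any way to
++restrict this.
++
+
+Discussion[[Discussion]]
+------------------------
+Index: git-2.3.0/connect.c
+===================================================================
+--- git-2.3.0.orig/connect.c
++++ git-2.3.0/connect.c
+@@ -9,6 +9,7 @@
+#include "url.h"
+#include "string-list.h"
+#include "sha1-array.h"
++#include "transport.h"
+
+static char *server_capabilities;
+static const char *parse_feature_value(const char *, const char *, int *);
+@@ -674,6 +675,9 @@ struct child_process *git_connect(int fd
+* cannot connect.
+*/
+char *target_host = xstrdup(hostandport);
++
++ transport_check_allowed("git");
++
+if (git_use_proxy(hostandport))
+conn = git_proxy_connect(fd, hostandport);
+else
+@@ -704,6 +708,7 @@ struct child_process *git_connect(int fd
+int putty;
+char *ssh_host = hostandport;
+const char *port = NULL;
++ transport_check_allowed("ssh");
+get_host_and_port(&ssh_host, &port);
+port = get_port_numeric(port);
+
+@@ -731,6 +736,7 @@ struct child_process *git_connect(int fd
+/* remove repo-local variables from the environment */
+conn->env = local_repo_env;
+conn->use_shell = 1;
++ transport_check_allowed("file");
+}
+argv_array_push(&conn->args, cmd.buf);
+
+Index: git-2.3.0/t/lib-proto-disable.sh
+===================================================================
+--- /dev/null
++++ git-2.3.0/t/lib-proto-disable.sh
+@@ -0,0 +1,96 @@
++# Test routines for checking protocol disabling.
++
++# test cloning a particular protocol
++# $1 - description of the protocol
++# $2 - machine-readable name of the protocol
++# $3 - the URL to try cloning
++test_proto () {
++ desc=$1
++ proto=$2
++ url=$3
++
++ test_expect_success "clone $1 (enabled)" '
++ rm -rf tmp.git &&
++ (
++ GIT_ALLOW_PROTOCOL=$proto &&
++ export GIT_ALLOW_PROTOCOL &&
++ git clone --bare "$url" tmp.git
++ )
++ '
++
++ test_expect_success "fetch $1 (enabled)" '
++ (
++ cd tmp.git &&
++ GIT_ALLOW_PROTOCOL=$proto &&
++ export GIT_ALLOW_PROTOCOL &&
++ git fetch
++ )
++ '
++
++ test_expect_success "push $1 (enabled)" '
++ (
++ cd tmp.git &&
++ GIT_ALLOW_PROTOCOL=$proto &&
++ export GIT_ALLOW_PROTOCOL &&
++ git push origin HEAD:pushed
++ )
++ '
++
++ test_expect_success "push $1 (disabled)" '
++ (
++ cd tmp.git &&
++ GIT_ALLOW_PROTOCOL=none &&
++ export GIT_ALLOW_PROTOCOL &&
++ test_must_fail git push origin HEAD:pushed
++ )
++ '
++
++ test_expect_success "fetch $1 (disabled)" '
++ (
++ cd tmp.git &&
++ GIT_ALLOW_PROTOCOL=none &&
++ export GIT_ALLOW_PROTOCOL &&
++ test_must_fail git fetch
++ )
++ '
++
++ test_expect_success "clone $1 (disabled)" '
++ rm -rf tmp.git &&
++ (
++ GIT_ALLOW_PROTOCOL=none &&
++ export GIT_ALLOW_PROTOCOL &&
++ test_must_fail git clone --bare "$url" tmp.git
++ )
++ '
++}
++
++# set up an ssh wrapper that will access $host/$repo in the
++# trash directory, and enable it for subsequent tests.
++setup_ssh_wrapper () {
++ test_expect_success 'setup ssh wrapper' '
++ write_script ssh-wrapper <<-\EOF &&
++ echo >&2 "ssh: $*"
++ host=$1; shift
++ cd "$TRASH_DIRECTORY/$host" &&
++ eval "$*"
++ EOF
++ GIT_SSH="$PWD/ssh-wrapper" &&
++ export GIT_SSH &&
++ export TRASH_DIRECTORY
++ '
++}
++
++# set up a wrapper that can be used with remote-ext to
++# access repositories in the "remote" directory of trash-dir,
++# like "ext::fake-remote %S repo.git"
++setup_ext_wrapper () {
++ test_expect_success 'setup ext wrapper' '
++ write_script fake-remote <<-\EOF &&
++ echo >&2 "fake-remote: $*"
++ cd "$TRASH_DIRECTORY/remote" &&
++ eval "$*"
++ EOF
++ PATH=$TRASH_DIRECTORY:$PATH &&
++ export TRASH_DIRECTORY
++ '
++}
+Index: git-2.3.0/t/t5810-proto-disable-local.sh
+===================================================================
+--- /dev/null
++++ git-2.3.0/t/t5810-proto-disable-local.sh
+@@ -0,0 +1,14 @@
++#!/bin/sh
++
++test_description='test disabling of local paths in clone/fetch'
++. ./test-lib.sh
++. "$TEST_DIRECTORY/lib-proto-disable.sh"
++
++test_expect_success 'setup repository to clone' '
++ test_commit one
++'
++
++test_proto "file://" file "file://$PWD"
++test_proto "path" file .
++
++test_done
+Index: git-2.3.0/t/t5811-proto-disable-git.sh
+===================================================================
+--- /dev/null
++++ git-2.3.0/t/t5811-proto-disable-git.sh
+@@ -0,0 +1,20 @@
++#!/bin/sh
++
++test_description='test disabling of git-over-tcp in clone/fetch'
++. ./test-lib.sh
++. "$TEST_DIRECTORY/lib-proto-disable.sh"
++. "$TEST_DIRECTORY/lib-git-daemon.sh"
++start_git_daemon
++
++test_expect_success 'create git-accessible repo' '
++ bare="$GIT_DAEMON_DOCUMENT_ROOT_PATH/repo.git" &&
++ test_commit one &&
++ git --bare init "$bare" &&
++ git push "$bare" HEAD &&
++ >"$bare/git-daemon-export-ok" &&
++ git -C "$bare" config daemon.receivepack true
++'
++
++test_proto "git://" git "$GIT_DAEMON_URL/repo.git"
++
++test_done
+Index: git-2.3.0/t/t5812-proto-disable-http.sh
+===================================================================
+--- /dev/null
++++ git-2.3.0/t/t5812-proto-disable-http.sh
+@@ -0,0 +1,20 @@
++#!/bin/sh
++
++test_description='test disabling of git-over-http in clone/fetch'
++. ./test-lib.sh
++. "$TEST_DIRECTORY/lib-proto-disable.sh"
++. "$TEST_DIRECTORY/lib-httpd.sh"
++start_httpd
++
++test_expect_success 'create git-accessible repo' '
++ bare="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
++ test_commit one &&
++ git --bare init "$bare" &&
++ git push "$bare" HEAD &&
++ git -C "$bare" config http.receivepack true
++'
++
++test_proto "smart http" http "$HTTPD_URL/smart/repo.git"
++
++stop_httpd
++test_done
+Index: git-2.3.0/t/t5813-proto-disable-ssh.sh
+===================================================================
+--- /dev/null
++++ git-2.3.0/t/t5813-proto-disable-ssh.sh
+@@ -0,0 +1,20 @@
++#!/bin/sh
++
++test_description='test disabling of git-over-ssh in clone/fetch'
++. ./test-lib.sh
++. "$TEST_DIRECTORY/lib-proto-disable.sh"
++
++setup_ssh_wrapper
++
++test_expect_success 'setup repository to clone' '
++ test_commit one &&
++ mkdir remote &&
++ git init --bare remote/repo.git &&
++ git push remote/repo.git HEAD
++'
++
++test_proto "host:path" ssh "remote:repo.git"
++test_proto "ssh://" ssh "ssh://remote/$PWD/remote/repo.git"
++test_proto "git+ssh://" ssh "git+ssh://remote/$PWD/remote/repo.git"
++
++test_done
+Index: git-2.3.0/t/t5814-proto-disable-ext.sh
+===================================================================
+--- /dev/null
++++ git-2.3.0/t/t5814-proto-disable-ext.sh
+@@ -0,0 +1,18 @@
++#!/bin/sh
++
++test_description='test disabling of remote-helper paths in clone/fetch'
++. ./test-lib.sh
++. "$TEST_DIRECTORY/lib-proto-disable.sh"
++
++setup_ext_wrapper
++
++test_expect_success 'setup repository to clone' '
++ test_commit one &&
++ mkdir remote &&
++ git init --bare remote/repo.git &&
++ git push remote/repo.git HEAD
++'
++
++test_proto "remote-helper" ext "ext::fake-remote %S repo.git"
++
++test_done
+Index: git-2.3.0/transport-helper.c
+===================================================================
+--- git-2.3.0.orig/transport-helper.c
++++ git-2.3.0/transport-helper.c
+@@ -1036,6 +1036,8 @@ int transport_helper_init(struct transpo
+struct helper_data *data = xcalloc(1, sizeof(*data));
+data->name = name;
+
++ transport_check_allowed(name);
++
+if (getenv("GIT_TRANSPORT_HELPER_DEBUG"))
+debug = 1;
+
+Index: git-2.3.0/transport.c
+===================================================================
+--- git-2.3.0.orig/transport.c
++++ git-2.3.0/transport.c
+@@ -907,6 +907,20 @@ static int external_specification_len(co
+return strchr(url, ':') - url;
+}
+
++void transport_check_allowed(const char *type)
++{
++ struct string_list allowed = STRING_LIST_INIT_DUP;
++ const char *v = getenv("GIT_ALLOW_PROTOCOL");
++
++ if (!v)
++ return;
++
++ string_list_split(&allowed, v, ':', -1);
++ if (!unsorted_string_list_has_string(&allowed, type))
++ die("transport '%s' not allowed", type);
++ string_list_clear(&allowed, 0);
++}
++
+struct transport *transport_get(struct remote *remote, const char *url)
+{
+const char *helper;
+@@ -938,12 +952,14 @@ struct transport *transport_get(struct r
+if (helper) {
+transport_helper_init(ret, helper);
+} else if (starts_with(url, "rsync:")) {
++ transport_check_allowed("rsync");
+ret->get_refs_list = get_refs_via_rsync;
+ret->fetch = fetch_objs_via_rsync;
+ret->push = rsync_transport_push;
+ret->smart_options = NULL;
+} else if (url_is_local_not_ssh(url) && is_file(url) && is_bundle(url, 1)) {
+struct bundle_transport_data *data = xcalloc(1, sizeof(*data));
++ transport_check_allowed("file");
+ret->data = data;
+ret->get_refs_list = get_refs_from_bundle;
+ret->fetch = fetch_refs_from_bundle;
+@@ -955,7 +971,10 @@ struct transport *transport_get(struct r
+|| starts_with(url, "ssh://")
+|| starts_with(url, "git+ssh://")
+|| starts_with(url, "ssh+git://")) {
+- /* These are builtin smart transports. */
++ /*
++ * These are builtin smart transports; "allowed" transports
++ * will be checked individually in git_connect.
++ */
+struct git_transport_data *data = xcalloc(1, sizeof(*data));
+ret->data = data;
+ret->set_option = NULL;
+Index: git-2.3.0/transport.h
+===================================================================
+--- git-2.3.0.orig/transport.h
++++ git-2.3.0/transport.h
+@@ -132,6 +132,13 @@ struct transport {
+/* Returns a transport suitable for the url */
+struct transport *transport_get(struct remote *, const char *);
+
++/*
++ * Check whether a transport is allowed by the environment,
++ * and die otherwise. type should generally be the URL scheme,
++ * as described in Documentation/git.txt
++ */
++void transport_check_allowed(const char *type);
++
+/* Transport options which apply to git:// and scp-style URLs */
+
+/* The program to use on the remote side to send a pack */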
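Review bot: The link under `Upstream-Status: Backport` in this patch header reads `/hom://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/`, whereas the same trailer in CVE-2015-7545_2.patch and CVE-2015-7545_3.patch uses `https://`; if the file really contains that text (it could be a rendering artifact), the line should be `https://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/`. Separately, the embedded t/lib-proto-disable.sh uses `GIT_ALLOW_PROTOCOL=none` as its "nothing allowed" value, which only works because no built-in transport or `git-remote-*` helper is named `none`; a comment such as `# "none" is not a real protocol name, so this whitelist matches nothing` next to the first such assignment would make that assumption explicit. Note that in `transport_get` the builtin smart-transport branch defers the check to `git_connect`, as the replacement comment in that hunk says, so the `git`, `ssh` and `file` checks in connect.c are the ones that actually enforce the whitelist for those URLs.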
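--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch
@@ -0,0 +1,113 @@
+From 33cfccbbf35a56e190b79bdec5c85457c952a021 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Wed, 16 Sep 2015 13:13:12 -0400
+Subject: [PATCH] submodule: allow only certain protocols for submodule fetches
+
+Some protocols (like git-remote-ext) can execute arbitrary
+code found in the URL. The URLs that submodules use may come
+from arbitrary sources (e.g., .gitmodules files in a remote
+repository). Let's restrict submodules to fetching from a
+known-good subset of protocols.
+
+Note that we apply this restriction to all submodule
+commands, whether the URL comes from .gitmodules or not.
+This is more restrictive than we need to be; for example, in
+the tests we run:
+
+git submodule add ext::...
+
+which should be trusted, as the URL comes directly from the
+command line provided by the user. But doing it this way is
+simpler, and makes it much less likely that we would miss a
+case. And since such protocols should be an exception
+(especially because nobody who clones from them will be able
+to update the submodules!), it's not likely to inconvenience
+anyone in practice.
+
+Reported-by: Blake Burkhart <bburky@bburky.com>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/
+CVE: CVE-2015-7545 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+git-submodule.sh | 9 +++++++++
+t/t5815-submodule-protos.sh | 43 +++++++++++++++++++++++++++++++++++++++++++
+2 files changed, 52 insertions(+)
+create mode 100755 t/t5815-submodule-protos.sh
+
+diff --git a/git-submodule.sh b/git-submodule.sh
+index 36797c3..78c2740 100755
+--- a/git-submodule.sh
++++ b/git-submodule.sh
+@@ -22,6 +22,15 @@ require_work_tree
+wt_prefix=$(git rev-parse --show-prefix)
+cd_to_toplevel
+
++# Restrict ourselves to a vanilla subset of protocols; the URLs
++# we get are under control of a remote repository, and we do not
++# want them kicking off arbitrary git-remote-* programs.
++#
++# If the user has already specified a set of allowed protocols,
++# we assume they know what they're doing and use that instead.
++: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh}
++export GIT_ALLOW_PROTOCOL
++
+command=
+branch=
+force=
+diff --git a/t/t5815-submodule-protos.sh b/t/t5815-submodule-protos.sh
+new file mode 100755
+index 0000000..06f55a1
+--- /dev/null
++++ b/t/t5815-submodule-protos.sh
+@@ -0,0 +1,43 @@
++#!/bin/sh
++
++test_description='test protocol whitelisting with submodules'
++. ./test-lib.sh
++. "$TEST_DIRECTORY"/lib-proto-disable.sh
++
++setup_ext_wrapper
++setup_ssh_wrapper
++
++test_expect_success 'setup repository with submodules' '
++ mkdir remote &&
++ git init remote/repo.git &&
++ (cd remote/repo.git && test_commit one) &&
++ # submodule-add should probably trust what we feed it on the cmdline,
++ # but its implementation is overly conservative.
++ GIT_ALLOW_PROTOCOL=ssh git submodule add remote:repo.git ssh-module &&
++ GIT_ALLOW_PROTOCOL=ext git submodule add "ext::fake-remote %S repo.git" ext-module &&
++ git commit -m "add submodules"
++'
++
++test_expect_success 'clone with recurse-submodules fails' '
++ test_must_fail git clone --recurse-submodules . dst
++'
++
++test_expect_success 'setup individual updates' '
++ rm -rf dst &&
++ git clone . dst &&
++ git -C dst submodule init
++'
++
++test_expect_success 'update of ssh allowed' '
++ git -C dst submodule update ssh-module
++'
++
++test_expect_success 'update of ext not allowed' '
++ test_must_fail git -C dst submodule update ext-module
++'
++
++test_expect_success 'user can override whitelist' '
++ GIT_ALLOW_PROTOCOL=ext git -C dst submodule update ext-module
++'
++
++test_done
+--
+2.3.5
+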
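Review bot: The `CVE:` trailer in this patch header says `CVE-2015-7545 patch #1`, but this file is the second patch of the series; it should read `CVE: CVE-2015-7545 patch #2`, and CVE-2015-7545_3.patch carries the same copied trailer and should say `patch #3`. In the git-submodule.sh hunk, `: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh}` uses `=` rather than `:=`, so a `GIT_ALLOW_PROTOCOL` that is exported but empty is kept as an empty whitelist instead of being replaced by the default; with the transport.c check from the first patch that presumably rejects every transport, which fails closed, but the comment block above it could state that an empty value is honoured as "nothing allowed" rather than treated as unset. The `export GIT_ALLOW_PROTOCOL` on the following line is what propagates the restriction to the child `git` processes the script spawns, which is the behaviour the `clone --recurse-submodules` test in t/t5815-submodule-protos.sh exercises.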
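--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_3.patch
@@ -0,0 +1,110 @@
+From 5088d3b38775f8ac12d7f77636775b16059b67ef Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Tue, 22 Sep 2015 18:03:49 -0400
+Subject: [PATCH] transport: refactor protocol whitelist code
+
+The current callers only want to die when their transport is
+prohibited. But future callers want to query the mechanism
+without dying.
+
+Let's break out a few query functions, and also save the
+results in a static list so we don't have to re-parse for
+each query.
+
+Based-on-a-patch-by: Blake Burkhart <bburky@bburky.com>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
+CVE: CVE-2015-7545 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+transport.c | 38 ++++++++++++++++++++++++++++++--------
+transport.h | 15 +++++++++++++--
+2 files changed, 43 insertions(+), 10 deletions(-)
+
+Index: git-2.3.0/transport.c
+===================================================================
+--- git-2.3.0.orig/transport.c
++++ git-2.3.0/transport.c
+@@ -907,18 +907,40 @@ static int external_specification_len(co
+return strchr(url, ':') - url;
+}
+
+-void transport_check_allowed(const char *type)
++static const struct string_list *protocol_whitelist(void)
+{
+- struct string_list allowed = STRING_LIST_INIT_DUP;
+- const char *v = getenv("GIT_ALLOW_PROTOCOL");
++ static int enabled = -1;
++ static struct string_list allowed = STRING_LIST_INIT_DUP;
++
++ if (enabled < 0) {
++ const char *v = getenv("GIT_ALLOW_PROTOCOL");
++ if (v) {
++ string_list_split(&allowed, v, ':', -1);
++ string_list_sort(&allowed);
++ enabled = 1;
++ } else {
++ enabled = 0;
++ }
++ }
++
++ return enabled ? &allowed : NULL;
++}
+
+- if (!v)
+- return;
++int is_transport_allowed(const char *type)
++{
++ const struct string_list *allowed = protocol_whitelist();
++ return !allowed || string_list_has_string(allowed, type);
++}
+
+- string_list_split(&allowed, v, ':', -1);
+- if (!unsorted_string_list_has_string(&allowed, type))
++void transport_check_allowed(const char *type)
++{
++ if (!is_transport_allowed(type))
+die("transport '%s' not allowed", type);
+- string_list_clear(&allowed, 0);
++}
++
++int transport_restrict_protocols(void)
++{
++ return !!protocol_whitelist();
+}
+
+struct transport *transport_get(struct remote *remote, const char *url)
+Index: git-2.3.0/transport.h
+===================================================================
+--- git-2.3.0.orig/transport.h
++++ git-2.3.0/transport.h
+@@ -133,12 +133,23 @@ struct transport {
+struct transport *transport_get(struct remote *, const char *);
+
+/*
++ * Check whether a transport is allowed by the environment. Type should
++ * generally be the URL scheme, as described in Documentation/git.txt
++ */
++int is_transport_allowed(const char *type);
++
++/*
+* Check whether a transport is allowed by the environment,
+- * and die otherwise. type should generally be the URL scheme,
+- * as described in Documentation/git.txt
++ * and die otherwise.
+*/
+void transport_check_allowed(const char *type);
+
++/*
++ * Returns true if the user has attempted to turn on protocol
++ * restrictions at all.
++ */
++int transport_restrict_protocols(void);
++
+/* Transport options which apply to git:// and scp-style URLs */
+
+/* The program to use on the remote side to send a pack */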
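Review bot: `protocol_whitelist()` in the transport.c hunk parses `GIT_ALLOW_PROTOCOL` once and keeps the result in the function-static `enabled` and `allowed` for the rest of the process (the `enabled < 0` guard never re-reads the environment), so a later `setenv` in the same process would not be observed; none of the visible callers do that, but a comment such as `/* Parsed once per process; later changes to GIT_ALLOW_PROTOCOL are not seen. */` above `static int enabled = -1;` would make the contract explicit. The transport.h comment for `is_transport_allowed` could also say that it returns non-zero whenever no whitelist is set at all, which is what the `!allowed ||` in its body does and is the permissive default the first patch describes. The `CVE:` trailer in this header still says `patch #1` although this is the third patch of the series.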
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch new file mode 100644 index 0000000000..fafd3c2033 --- /dev/null +++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch | |||
@@ -0,0 +1,146 @@ | |||
1 | From f4113cac0c88b4f36ee6f3abf3218034440a68e3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Blake Burkhart <bburky@bburky.com> | ||
3 | Date: Tue, 22 Sep 2015 18:06:04 -0400 | ||
4 | Subject: [PATCH] http: limit redirection to protocol-whitelist | ||
5 | |||
6 | Previously, libcurl would follow redirection to any protocol | ||
7 | it was compiled for support with. This is desirable to allow | ||
8 | redirection from HTTP to HTTPS. However, it would even | ||
9 | successfully allow redirection from HTTP to SFTP, a protocol | ||
10 | that git does not otherwise support at all. Furthermore | ||
11 | git's new protocol-whitelisting could be bypassed by | ||
12 | following a redirect within the remote helper, as it was | ||
13 | only enforced at transport selection time. | ||
14 | |||
15 | This patch limits redirects within libcurl to HTTP, HTTPS, | ||
16 | FTP and FTPS. If there is a protocol-whitelist present, this | ||
17 | list is limited to those also allowed by the whitelist. As | ||
18 | redirection happens from within libcurl, it is impossible | ||
19 | for an HTTP redirect to a protocol implemented within | ||
20 | another remote helper. | ||
21 | |||
22 | When the curl version git was compiled with is too old to | ||
23 | support restrictions on protocol redirection, we warn the | ||
24 | user if GIT_ALLOW_PROTOCOL restrictions were requested. This | ||
25 | is a little inaccurate, as even without that variable in the | ||
26 | environment, we would still restrict SFTP, etc, and we do | ||
27 | not warn in that case. But anything else means we would | ||
28 | literally warn every time git accesses an http remote. | ||
29 | |||
30 | This commit includes a test, but it is not as robust as we | ||
31 | would hope. It redirects an http request to ftp, and checks | ||
32 | that curl complained about the protocol, which means that we | ||
33 | are relying on curl's specific error message to know what | ||
34 | happened. Ideally we would redirect to a working ftp server | ||
35 | and confirm that we can clone without protocol restrictions, | ||
36 | and not with them. But we do not have a portable way of | ||
37 | providing an ftp server, nor any other protocol that curl | ||
38 | supports (https is the closest, but we would have to deal | ||
39 | with certificates). | ||
40 | |||
41 | [jk: added test and version warning] | ||
42 | |||
43 | Signed-off-by: Jeff King <peff@peff.net> | ||
44 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
45 | |||
46 | Upstream-Status: Backport | ||
47 | https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/ | ||
48 | CVE: CVE-2015-7545 patch #1 | ||
49 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
50 | |||
51 | --- | ||
52 | Documentation/git.txt | 5 ----- | ||
53 | http.c | 17 +++++++++++++++++ | ||
54 | t/lib-httpd/apache.conf | 1 + | ||
55 | t/t5812-proto-disable-http.sh | 9 +++++++++ | ||
56 | 4 files changed, 27 insertions(+), 5 deletions(-) | ||
57 | |||
58 | Index: git-2.3.0/Documentation/git.txt | ||
59 | =================================================================== | ||
60 | --- git-2.3.0.orig/Documentation/git.txt | ||
61 | +++ git-2.3.0/Documentation/git.txt | ||
62 | @@ -1049,11 +1049,6 @@ GIT_ICASE_PATHSPECS:: | ||
63 | |||
64 | - any external helpers are named by their protocol (e.g., use | ||
65 | `hg` to allow the `git-remote-hg` helper) | ||
66 | -+ | ||
67 | -Note that this controls only git's internal protocol selection. | ||
68 | -If libcurl is used (e.g., by the `http` transport), it may | ||
69 | -redirect to other protocols. There is not currently any way to | ||
70 | -restrict this. | ||
71 | |||
72 | |||
73 | Discussion[[Discussion]] | ||
74 | Index: git-2.3.0/http.c | ||
75 | =================================================================== | ||
76 | --- git-2.3.0.orig/http.c | ||
77 | +++ git-2.3.0/http.c | ||
78 | @@ -8,6 +8,7 @@ | ||
79 | #include "credential.h" | ||
80 | #include "version.h" | ||
81 | #include "pkt-line.h" | ||
82 | +#include "transport.h" | ||
83 | |||
84 | int active_requests; | ||
85 | int http_is_verbose; | ||
86 | @@ -300,6 +301,7 @@ static void set_curl_keepalive(CURL *c) | ||
87 | static CURL *get_curl_handle(void) | ||
88 | { | ||
89 | CURL *result = curl_easy_init(); | ||
90 | + long allowed_protocols = 0; | ||
91 | |||
92 | if (!result) | ||
93 | die("curl_easy_init failed"); | ||
94 | @@ -352,6 +354,21 @@ static CURL *get_curl_handle(void) | ||
95 | #elif LIBCURL_VERSION_NUM >= 0x071101 | ||
96 | curl_easy_setopt(result, CURLOPT_POST301, 1); | ||
97 | #endif | ||
98 | +#if LIBCURL_VERSION_NUM >= 0x071304 | ||
99 | + if (is_transport_allowed("http")) | ||
100 | + allowed_protocols |= CURLPROTO_HTTP; | ||
101 | + if (is_transport_allowed("https")) | ||
102 | + allowed_protocols |= CURLPROTO_HTTPS; | ||
103 | + if (is_transport_allowed("ftp")) | ||
104 | + allowed_protocols |= CURLPROTO_FTP; | ||
105 | + if (is_transport_allowed("ftps")) | ||
106 | + allowed_protocols |= CURLPROTO_FTPS; | ||
107 | + curl_easy_setopt(result, CURLOPT_REDIR_PROTOCOLS, allowed_protocols); | ||
108 | +#else | ||
109 | + if (transport_restrict_protocols()) | ||
110 | + warning("protocol restrictions not applied to curl redirects because\n" | ||
111 | + "your curl version is too old (>= 7.19.4)"); | ||
112 | +#endif | ||
113 | |||
114 | if (getenv("GIT_CURL_VERBOSE")) | ||
115 | curl_easy_setopt(result, CURLOPT_VERBOSE, 1); | ||
116 | Index: git-2.3.0/t/lib-httpd/apache.conf | ||
117 | =================================================================== | ||
118 | --- git-2.3.0.orig/t/lib-httpd/apache.conf | ||
119 | +++ git-2.3.0/t/lib-httpd/apache.conf | ||
120 | @@ -118,6 +118,7 @@ RewriteRule ^/smart-redir-perm/(.*)$ /sm | ||
121 | RewriteRule ^/smart-redir-temp/(.*)$ /smart/$1 [R=302] | ||
122 | RewriteRule ^/smart-redir-auth/(.*)$ /auth/smart/$1 [R=301] | ||
123 | RewriteRule ^/smart-redir-limited/(.*)/info/refs$ /smart/$1/info/refs [R=301] | ||
124 | +RewriteRule ^/ftp-redir/(.*)$ ftp://localhost:1000/$1 [R=302] | ||
125 | |||
126 | <IfDefine SSL> | ||
127 | LoadModule ssl_module modules/mod_ssl.so | ||
128 | Index: git-2.3.0/t/t5812-proto-disable-http.sh | ||
129 | =================================================================== | ||
130 | --- git-2.3.0.orig/t/t5812-proto-disable-http.sh | ||
131 | +++ git-2.3.0/t/t5812-proto-disable-http.sh | ||
132 | @@ -16,5 +16,14 @@ test_expect_success 'create git-accessib | ||
133 | |||
134 | test_proto "smart http" http "$HTTPD_URL/smart/repo.git" | ||
135 | |||
136 | +test_expect_success 'curl redirects respect whitelist' ' | ||
137 | + test_must_fail env GIT_ALLOW_PROTOCOL=http:https \ | ||
138 | + git clone "$HTTPD_URL/ftp-redir/repo.git" 2>stderr && | ||
139 | + { | ||
140 | + test_i18ngrep "ftp.*disabled" stderr || | ||
141 | + test_i18ngrep "your curl version is too old" | ||
142 | + } | ||
143 | +' | ||
144 | + | ||
145 | stop_httpd | ||
146 | test_done | ||
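Review bot: The http.c hunk sets only CURLOPT_REDIR_PROTOCOLS, so the computed mask governs redirects but not the initial request, which still depends on transport selection having vetted the scheme before the curl handle is used; adding `curl_easy_setopt(result, CURLOPT_PROTOCOLS, allowed_protocols);` next to it (same 7.19.4 minimum) would make the handle enforce the whitelist regardless of how a URL reached it. The fallback warning `"your curl version is too old (>= 7.19.4)"` reads ambiguously about which version is meant; `"curl >= 7.19.4 is required"` states the requirement directly. The `CVE:` trailer reads `CVE-2015-7545 patch #1` in this file and again in CVE-2015-7545_4.patch's sibling CVE-2015-7545_5.patch, which does not match the `_4`/`_5` file numbering or their order in the recipe. get_curl_handle begins and ends outside the hunk.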
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch new file mode 100644 index 0000000000..32dfbaedbe --- /dev/null +++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From b258116462399b318c86165c61a5c7123043cfd4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Blake Burkhart <bburky@bburky.com> | ||
3 | Date: Tue, 22 Sep 2015 18:06:20 -0400 | ||
4 | Subject: [PATCH] http: limit redirection depth | ||
5 | |||
6 | By default, libcurl will follow circular http redirects | ||
7 | forever. Let's put a cap on this so that somebody who can | ||
8 | trigger an automated fetch of an arbitrary repository (e.g., | ||
9 | for CI) cannot convince git to loop infinitely. | ||
10 | |||
11 | The value chosen is 20, which is the same default that | ||
12 | Firefox uses. | ||
13 | |||
14 | Signed-off-by: Jeff King <peff@peff.net> | ||
15 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | https://kernel.googlesource.com/pub/scm/git/git/+/b258116462399b318c86165c61a5c7123043cfd4%5E%21/ | ||
19 | CVE: CVE-2015-7545 patch #1 | ||
20 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
21 | |||
22 | --- | ||
23 | http.c | 1 + | ||
24 | t/lib-httpd/apache.conf | 3 +++ | ||
25 | t/t5812-proto-disable-http.sh | 4 ++++ | ||
26 | 3 files changed, 8 insertions(+) | ||
27 | |||
28 | Index: git-2.3.0/http.c | ||
29 | =================================================================== | ||
30 | --- git-2.3.0.orig/http.c | ||
31 | +++ git-2.3.0/http.c | ||
32 | @@ -349,6 +349,7 @@ static CURL *get_curl_handle(void) | ||
33 | } | ||
34 | |||
35 | curl_easy_setopt(result, CURLOPT_FOLLOWLOCATION, 1); | ||
36 | + curl_easy_setopt(result, CURLOPT_MAXREDIRS, 20); | ||
37 | #if LIBCURL_VERSION_NUM >= 0x071301 | ||
38 | curl_easy_setopt(result, CURLOPT_POSTREDIR, CURL_REDIR_POST_ALL); | ||
39 | #elif LIBCURL_VERSION_NUM >= 0x071101 | ||
40 | Index: git-2.3.0/t/lib-httpd/apache.conf | ||
41 | =================================================================== | ||
42 | --- git-2.3.0.orig/t/lib-httpd/apache.conf | ||
43 | +++ git-2.3.0/t/lib-httpd/apache.conf | ||
44 | @@ -120,6 +120,9 @@ RewriteRule ^/smart-redir-auth/(.*)$ /au | ||
45 | RewriteRule ^/smart-redir-limited/(.*)/info/refs$ /smart/$1/info/refs [R=301] | ||
46 | RewriteRule ^/ftp-redir/(.*)$ ftp://localhost:1000/$1 [R=302] | ||
47 | |||
48 | +RewriteRule ^/loop-redir/x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-(.*) /$1 [R=302] | ||
49 | +RewriteRule ^/loop-redir/(.*)$ /loop-redir/x-$1 [R=302] | ||
50 | + | ||
51 | <IfDefine SSL> | ||
52 | LoadModule ssl_module modules/mod_ssl.so | ||
53 | |||
54 | Index: git-2.3.0/t/t5812-proto-disable-http.sh | ||
55 | =================================================================== | ||
56 | --- git-2.3.0.orig/t/t5812-proto-disable-http.sh | ||
57 | +++ git-2.3.0/t/t5812-proto-disable-http.sh | ||
58 | @@ -25,5 +25,9 @@ test_expect_success 'curl redirects resp | ||
59 | } | ||
60 | ' | ||
61 | |||
62 | +test_expect_success 'curl limits redirects' ' | ||
63 | + test_must_fail git clone "$HTTPD_URL/loop-redir/smart/repo.git" | ||
64 | +' | ||
65 | + | ||
66 | stop_httpd | ||
67 | test_done | ||
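Review bot: The redirect cap in `curl_easy_setopt(result, CURLOPT_MAXREDIRS, 20);` is a bare literal that the apache.conf test rule silently depends on: the loop-redir rewrite only resolves once twenty `x-` prefixes have accumulated, so it is the twenty-first redirect that trips the limit, and changing either side alone breaks the test. A named constant with a comment such as `/* same default as Firefox; the loop-redir rule in t/lib-httpd/apache.conf assumes this value */` would keep the two in step. The new test `test_must_fail git clone "$HTTPD_URL/loop-redir/smart/repo.git"` passes for any clone failure, not specifically the redirect limit; redirecting stderr and checking it with test_i18ngrep, as the preceding 'curl redirects respect whitelist' test does, would pin the behaviour under test. get_curl_handle begins and ends outside the hunk.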
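--- a/meta/recipes-devtools/git/git_2.3.0.bb
+++ b/meta/recipes-devtools/git/git_2.3.0.bb
@@ -1,5 +1,12 @@
 require git.inc
 
+SRC_URI += "\
+    file://CVE-2015-7545_1.patch \
+    file://CVE-2015-7545_2.patch \
+    file://CVE-2015-7545_3.patch \
+    file://CVE-2015-7545_4.patch \
+    file://CVE-2015-7545_5.patch \
+"
 SRC_URI[tarball.md5sum] = "edf994cf34cd3354dadcdfa6b4292335"
 SRC_URI[tarball.sha256sum] = "ba2fe814e709a5d0f034ebe82083fce7feed0899b3a8c8b3adf1c5a85d1ce9ac"
 SRC_URI[manpages.md5sum] = "620797eb73b281d0706979ae8038bbd7"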