Diffstat (limited to 'meta/recipes-devtools/git/files/CVE-2023-22490-3.patch')
-rw-r--r-- | meta/recipes-devtools/git/files/CVE-2023-22490-3.patch | 154 |
1 files changed, 154 insertions, 0 deletions
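--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2023-22490-3.patch
@@ -0,0 +1,154 @@
+From bffc762f87ae8d18c6001bf0044a76004245754c Mon Sep 17 00:00:00 2001
+From: Taylor Blau <me@ttaylorr.com>
+Date: Tue, 24 Jan 2023 19:43:51 -0500
+Subject: [PATCH 3/3] dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS
+
+When using the dir_iterator API, we first stat(2) the base path, and
+then use that as a starting point to enumerate the directory's contents.
+
+If the directory contains symbolic links, we will immediately die() upon
+encountering them without the `FOLLOW_SYMLINKS` flag. The same is not
+true when resolving the top-level directory, though.
+
+As explained in a previous commit, this oversight in 6f054f9
+(builtin/clone.c: disallow `--local` clones with symlinks, 2022-07-28)
+can be used as an attack vector to include arbitrary files on a victim's
+filesystem from outside of the repository.
+
+Prevent resolving top-level symlinks unless the FOLLOW_SYMLINKS flag is
+given, which will cause clones of a repository with a symlink'd
+"$GIT_DIR/objects" directory to fail.
+
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+[https://github.com/git/git/commit/bffc762f87ae8d18c6001bf0044a76004245754c]
+CVE: CVE-2023-22490
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+dir-iterator.c | 13 +++++++++----
+dir-iterator.h | 5 +++++
+t/t0066-dir-iterator.sh | 27 ++++++++++++++++++++++++++-
+t/t5604-clone-reference.sh | 16 ++++++++++++++++
+4 files changed, 56 insertions(+), 5 deletions(-)
+
+diff --git a/dir-iterator.c b/dir-iterator.c
+index b17e9f9..3764dd8 100644
+--- a/dir-iterator.c
++++ b/dir-iterator.c
+@@ -203,7 +203,7 @@ struct dir_iterator *dir_iterator_begin(const char *path, unsigned int flags)
+{
+struct dir_iterator_int *iter = xcalloc(1, sizeof(*iter));
+struct dir_iterator *dir_iterator = &iter->base;
+- int saved_errno;
++ int saved_errno, err;
+
+strbuf_init(&iter->base.path, PATH_MAX);
+strbuf_addstr(&iter->base.path, path);
+@@ -213,10 +213,15 @@ struct dir_iterator *dir_iterator_begin(const char *path, unsigned int flags)
+iter->flags = flags;
+
+/*
+- * Note: stat already checks for NULL or empty strings and
+- * inexistent paths.
++ * Note: stat/lstat already checks for NULL or empty strings and
++ * nonexistent paths.
+*/
+- if (stat(iter->base.path.buf, &iter->base.st) < 0) {
++ if (iter->flags & DIR_ITERATOR_FOLLOW_SYMLINKS)
++ err = stat(iter->base.path.buf, &iter->base.st);
++ else
++ err = lstat(iter->base.path.buf, &iter->base.st);
++
++ if (err < 0) {
+saved_errno = errno;
+goto error_out;
+}
+diff --git a/dir-iterator.h b/dir-iterator.h
+index 0822915..e3b6ff2 100644
+--- a/dir-iterator.h
++++ b/dir-iterator.h
+@@ -61,6 +61,11 @@
+* not the symlinks themselves, which is the default behavior. Broken
+* symlinks are ignored.
+*
++ * Note: setting DIR_ITERATOR_FOLLOW_SYMLINKS affects resolving the
++ * starting path as well (e.g., attempting to iterate starting at a
++ * symbolic link pointing to a directory without FOLLOW_SYMLINKS will
++ * result in an error).
++ *
+* Warning: circular symlinks are also followed when
+* DIR_ITERATOR_FOLLOW_SYMLINKS is set. The iteration may end up with
+* an ELOOP if they happen and DIR_ITERATOR_PEDANTIC is set.
+diff --git a/t/t0066-dir-iterator.sh b/t/t0066-dir-iterator.sh
+index 92910e4..c826f60 100755
+--- a/t/t0066-dir-iterator.sh
++++ b/t/t0066-dir-iterator.sh
+@@ -109,7 +109,9 @@ test_expect_success SYMLINKS 'setup dirs with symlinks' '
+mkdir -p dir5/a/c &&
+ln -s ../c dir5/a/b/d &&
+ln -s ../ dir5/a/b/e &&
+- ln -s ../../ dir5/a/b/f
++ ln -s ../../ dir5/a/b/f &&
++
++ ln -s dir4 dir6
+'
+
+test_expect_success SYMLINKS 'dir-iterator should not follow symlinks by default' '
+@@ -145,4 +147,27 @@ test_expect_success SYMLINKS 'dir-iterator should follow symlinks w/ follow flag
+test_cmp expected-follow-sorted-output actual-follow-sorted-output
+'
+
++test_expect_success SYMLINKS 'dir-iterator does not resolve top-level symlinks' '
++ test_must_fail test-tool dir-iterator ./dir6 >out &&
++
++ grep "ENOTDIR" out
++'
++
++test_expect_success SYMLINKS 'dir-iterator resolves top-level symlinks w/ follow flag' '
++ cat >expected-follow-sorted-output <<-EOF &&
++ [d] (a) [a] ./dir6/a
++ [d] (a/f) [f] ./dir6/a/f
++ [d] (a/f/c) [c] ./dir6/a/f/c
++ [d] (b) [b] ./dir6/b
++ [d] (b/c) [c] ./dir6/b/c
++ [f] (a/d) [d] ./dir6/a/d
++ [f] (a/e) [e] ./dir6/a/e
++ EOF
++
++ test-tool dir-iterator --follow-symlinks ./dir6 >out &&
++ sort out >actual-follow-sorted-output &&
++
++ test_cmp expected-follow-sorted-output actual-follow-sorted-output
++'
++
+test_done
+diff --git a/t/t5604-clone-reference.sh b/t/t5604-clone-reference.sh
+index 4894237..615b981 100755
+--- a/t/t5604-clone-reference.sh
++++ b/t/t5604-clone-reference.sh
+@@ -354,4 +354,20 @@ test_expect_success SYMLINKS 'clone repo with symlinked or unknown files at obje
+test_must_be_empty T--shared.objects-symlinks.raw
+'
+
++test_expect_success SYMLINKS 'clone repo with symlinked objects directory' '
++ test_when_finished "rm -fr sensitive malicious" &&
++
++ mkdir -p sensitive &&
++ echo "secret" >sensitive/file &&
++
++ git init malicious &&
++ rm -fr malicious/.git/objects &&
++ ln -s "$(pwd)/sensitive" ./malicious/.git/objects &&
++
++ test_must_fail git clone --local malicious clone 2>err &&
++
++ test_path_is_missing clone &&
++ grep "failed to start iterator over" err
++'
++
+test_done
+--
+2.25.1
+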
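Review bot: The `err = lstat(...)` branch added at patch lines 59–62 of dir-iterator.c only turns a top-level symlink into a failure if an `S_ISDIR(iter->base.st.st_mode)` check follows it; the hunk stops at the `goto error_out` block (patch line 67) and lstat itself succeeds on a symlink, so the ENOTDIR that the new t0066 test greps for (patch line 106) has to come from code outside this hunk, which is worth confirming in the git version this recipe builds before relying on the test. The stat/lstat-at-begin design also leaves the usual gap between this check and the later opening of the directory (presumably elsewhere in dir-iterator.c); the upstream patch does not try to close it and doing so properly would need fstat on an opened descriptor, which is out of scope for a CVE backport, but a short comment above the lstat call, `/* lstat: a symlink'd starting path must not be resolved without FOLLOW_SYMLINKS (CVE-2023-22490) */`, would tell the next backporter why the two calls differ. Only the patch file itself is shown here (the diffstat is limited to it), so the matching `SRC_URI` entry in the git recipe is presumably elsewhere in this commit and should be checked alongside.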