1 files changed, 94 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/files/CVE-2023-25652.patch b/meta/recipes-devtools/git/files/CVE-2023-25652.patch
new file mode 100644
index 0000000000..d6b17a2b8a
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2023-25652.patch
@@ -0,0 +1,94 @@
+From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <johannes.schindelin@gmx.de>
+Date: Thu, 9 Mar 2023 16:02:54 +0100
+Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
+ exists
+The `git apply --reject` is expected to write out `.rej` files in case
+one or more hunks fail to apply cleanly. Historically, the command
+overwrites any existing `.rej` files. The idea being that
+apply/reject/edit cycles are relatively common, and the generated `.rej`
+files are not considered precious.
+But the command does not overwrite existing `.rej` symbolic links, and
+instead follows them. This is unsafe because the same patch could
+potentially create such a symbolic link and point at arbitrary paths
+outside the current worktree, and `git apply` would write the contents
+of the `.rej` file into that location.
+Therefore, let's make sure that any existing `.rej` file or symbolic
+link is removed before writing it.
+Reported-by: RyotaK <ryotak.mail@gmail.com>
+Helped-by: Taylor Blau <me@ttaylorr.com>
+Helped-by: Junio C Hamano <gitster@pobox.com>
+Helped-by: Linus Torvalds <torvalds@linuxfoundation.org>
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
+CVE: CVE-2023-25652
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ apply.c                  | 14 ++++++++++++--
+ t/t4115-apply-symlink.sh | 15 +++++++++++++++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+diff --git a/apply.c b/apply.c
+index 4f303bf..aa7111d 100644
+--- a/apply.c
+++ b/apply.c
+@@ -4531,7 +4531,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
+        FILE *rej;
+        char namebuf[PATH_MAX];
+        struct fragment *frag;
+-       int cnt = 0;
+       int fd, cnt = 0;
+        struct strbuf sb = STRBUF_INIT;
+ 
+        for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
+@@ -4571,7 +4571,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
+        memcpy(namebuf, patch->new_name, cnt);
+        memcpy(namebuf + cnt, ".rej", 5);
+ 
+-       rej = fopen(namebuf, "w");
+       fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
+       if (fd < 0) {
+               if (errno != EEXIST)
+                       return error_errno(_("cannot open %s"), namebuf);
+               if (unlink(namebuf))
+                       return error_errno(_("cannot unlink '%s'"), namebuf);
+               fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
+               if (fd < 0)
+                       return error_errno(_("cannot open %s"), namebuf);
+       }
+       rej = fdopen(fd, "w");
+        if (!rej)
+                return error_errno(_("cannot open %s"), namebuf);
+ 
+diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
+index 1acb7b2..2b034ff 100755
+--- a/t/t4115-apply-symlink.sh
+++ b/t/t4115-apply-symlink.sh
+@@ -125,4 +125,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' '
+        test_path_is_file .git/delete-me
+ '
+ 
+test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
+       test_when_finished "git reset --hard && git clean -dfx" &&
+
+       test_commit file &&
+       echo modified >file.t &&
+       git diff -- file.t >patch &&
+       echo modified-again >file.t &&
+
+       ln -s foo file.t.rej &&
+       test_must_fail git apply patch --reject 2>err &&
+       test_i18ngrep "Rejected hunk" err &&
+       test_path_is_missing foo &&
+       test_path_is_file file.t.rej
+'
+
+ test_done
+-- 
+2.25.1

diff --git a/meta/recipes-devtools/git/files/CVE-2023-25652.patch b/meta/recipes-devtools/git/files/CVE-2023-25652.patch new file mode 100644 index 0000000000..d6b17a2b8a --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2023-25652.patch
@@ -0,0 +1,94 @@
	1	From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001
	2	From: Johannes Schindelin <johannes.schindelin@gmx.de>
	3	Date: Thu, 9 Mar 2023 16:02:54 +0100
	4	Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
	5	exists
	6
	7	The `git apply --reject` is expected to write out `.rej` files in case
	8	one or more hunks fail to apply cleanly. Historically, the command
	9	overwrites any existing `.rej` files. The idea being that
	10	apply/reject/edit cycles are relatively common, and the generated `.rej`
	11	files are not considered precious.
	12
	13	But the command does not overwrite existing `.rej` symbolic links, and
	14	instead follows them. This is unsafe because the same patch could
	15	potentially create such a symbolic link and point at arbitrary paths
	16	outside the current worktree, and `git apply` would write the contents
	17	of the `.rej` file into that location.
	18
	19	Therefore, let's make sure that any existing `.rej` file or symbolic
	20	link is removed before writing it.
	21
	22	Reported-by: RyotaK <ryotak.mail@gmail.com>
	23	Helped-by: Taylor Blau <me@ttaylorr.com>
	24	Helped-by: Junio C Hamano <gitster@pobox.com>
	25	Helped-by: Linus Torvalds <torvalds@linuxfoundation.org>
	26	Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
	27
	28	Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
	29	CVE: CVE-2023-25652
	30	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	31	---
	32	apply.c \| 14 ++++++++++++--
	33	t/t4115-apply-symlink.sh \| 15 +++++++++++++++
	34	2 files changed, 27 insertions(+), 2 deletions(-)
	35
	36	diff --git a/apply.c b/apply.c
	37	index 4f303bf..aa7111d 100644
	38	--- a/apply.c
	39	+++ b/apply.c
	40	@@ -4531,7 +4531,7 @@ static int write_out_one_reject(struct apply_state state, struct patch patch)
	41	FILE *rej;
	42	char namebuf[PATH_MAX];
	43	struct fragment *frag;
	44	- int cnt = 0;
	45	+ int fd, cnt = 0;
	46	struct strbuf sb = STRBUF_INIT;
	47
	48	for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
	49	@@ -4571,7 +4571,17 @@ static int write_out_one_reject(struct apply_state state, struct patch patch)
	50	memcpy(namebuf, patch->new_name, cnt);
	51	memcpy(namebuf + cnt, ".rej", 5);
	52
	53	- rej = fopen(namebuf, "w");
	54	+ fd = open(namebuf, O_CREAT \| O_EXCL \| O_WRONLY, 0666);
	55	+ if (fd < 0) {
	56	+ if (errno != EEXIST)
	57	+ return error_errno(_("cannot open %s"), namebuf);
	58	+ if (unlink(namebuf))
	59	+ return error_errno(_("cannot unlink '%s'"), namebuf);
	60	+ fd = open(namebuf, O_CREAT \| O_EXCL \| O_WRONLY, 0666);
	61	+ if (fd < 0)
	62	+ return error_errno(_("cannot open %s"), namebuf);
	63	+ }
	64	+ rej = fdopen(fd, "w");
	65	if (!rej)
	66	return error_errno(_("cannot open %s"), namebuf);
	67
	68	diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
	69	index 1acb7b2..2b034ff 100755
	70	--- a/t/t4115-apply-symlink.sh
	71	+++ b/t/t4115-apply-symlink.sh
	72	@@ -125,4 +125,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' '
	73	test_path_is_file .git/delete-me
	74	'
	75
	76	+test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
	77	+ test_when_finished "git reset --hard && git clean -dfx" &&
	78	+
	79	+ test_commit file &&
	80	+ echo modified >file.t &&
	81	+ git diff -- file.t >patch &&
	82	+ echo modified-again >file.t &&
	83	+
	84	+ ln -s foo file.t.rej &&
	85	+ test_must_fail git apply patch --reject 2>err &&
	86	+ test_i18ngrep "Rejected hunk" err &&
	87	+ test_path_is_missing foo &&
	88	+ test_path_is_file file.t.rej
	89	+'
	90	+
	91	test_done
	92	--
	93	2.25.1
	94