diff options
Diffstat (limited to 'meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch')
-rw-r--r-- | meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch new file mode 100644 index 0000000000..8912b6a48e --- /dev/null +++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch | |||
@@ -0,0 +1,113 @@ | |||
1 | From 33cfccbbf35a56e190b79bdec5c85457c952a021 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jeff King <peff@peff.net> | ||
3 | Date: Wed, 16 Sep 2015 13:13:12 -0400 | ||
4 | Subject: [PATCH] submodule: allow only certain protocols for submodule fetches | ||
5 | |||
6 | Some protocols (like git-remote-ext) can execute arbitrary | ||
7 | code found in the URL. The URLs that submodules use may come | ||
8 | from arbitrary sources (e.g., .gitmodules files in a remote | ||
9 | repository). Let's restrict submodules to fetching from a | ||
10 | known-good subset of protocols. | ||
11 | |||
12 | Note that we apply this restriction to all submodule | ||
13 | commands, whether the URL comes from .gitmodules or not. | ||
14 | This is more restrictive than we need to be; for example, in | ||
15 | the tests we run: | ||
16 | |||
17 | git submodule add ext::... | ||
18 | |||
19 | which should be trusted, as the URL comes directly from the | ||
20 | command line provided by the user. But doing it this way is | ||
21 | simpler, and makes it much less likely that we would miss a | ||
22 | case. And since such protocols should be an exception | ||
23 | (especially because nobody who clones from them will be able | ||
24 | to update the submodules!), it's not likely to inconvenience | ||
25 | anyone in practice. | ||
26 | |||
27 | Reported-by: Blake Burkhart <bburky@bburky.com> | ||
28 | Signed-off-by: Jeff King <peff@peff.net> | ||
29 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
30 | |||
31 | Upstream-Status: Backport | ||
32 | https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/ | ||
33 | CVE: CVE-2015-7545 patch #1 | ||
34 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
35 | |||
36 | --- | ||
37 | git-submodule.sh | 9 +++++++++ | ||
38 | t/t5815-submodule-protos.sh | 43 +++++++++++++++++++++++++++++++++++++++++++ | ||
39 | 2 files changed, 52 insertions(+) | ||
40 | create mode 100755 t/t5815-submodule-protos.sh | ||
41 | |||
42 | diff --git a/git-submodule.sh b/git-submodule.sh | ||
43 | index 36797c3..78c2740 100755 | ||
44 | --- a/git-submodule.sh | ||
45 | +++ b/git-submodule.sh | ||
46 | @@ -22,6 +22,15 @@ require_work_tree | ||
47 | wt_prefix=$(git rev-parse --show-prefix) | ||
48 | cd_to_toplevel | ||
49 | |||
50 | +# Restrict ourselves to a vanilla subset of protocols; the URLs | ||
51 | +# we get are under control of a remote repository, and we do not | ||
52 | +# want them kicking off arbitrary git-remote-* programs. | ||
53 | +# | ||
54 | +# If the user has already specified a set of allowed protocols, | ||
55 | +# we assume they know what they're doing and use that instead. | ||
56 | +: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh} | ||
57 | +export GIT_ALLOW_PROTOCOL | ||
58 | + | ||
59 | command= | ||
60 | branch= | ||
61 | force= | ||
62 | diff --git a/t/t5815-submodule-protos.sh b/t/t5815-submodule-protos.sh | ||
63 | new file mode 100755 | ||
64 | index 0000000..06f55a1 | ||
65 | --- /dev/null | ||
66 | +++ b/t/t5815-submodule-protos.sh | ||
67 | @@ -0,0 +1,43 @@ | ||
68 | +#!/bin/sh | ||
69 | + | ||
70 | +test_description='test protocol whitelisting with submodules' | ||
71 | +. ./test-lib.sh | ||
72 | +. "$TEST_DIRECTORY"/lib-proto-disable.sh | ||
73 | + | ||
74 | +setup_ext_wrapper | ||
75 | +setup_ssh_wrapper | ||
76 | + | ||
77 | +test_expect_success 'setup repository with submodules' ' | ||
78 | + mkdir remote && | ||
79 | + git init remote/repo.git && | ||
80 | + (cd remote/repo.git && test_commit one) && | ||
81 | + # submodule-add should probably trust what we feed it on the cmdline, | ||
82 | + # but its implementation is overly conservative. | ||
83 | + GIT_ALLOW_PROTOCOL=ssh git submodule add remote:repo.git ssh-module && | ||
84 | + GIT_ALLOW_PROTOCOL=ext git submodule add "ext::fake-remote %S repo.git" ext-module && | ||
85 | + git commit -m "add submodules" | ||
86 | +' | ||
87 | + | ||
88 | +test_expect_success 'clone with recurse-submodules fails' ' | ||
89 | + test_must_fail git clone --recurse-submodules . dst | ||
90 | +' | ||
91 | + | ||
92 | +test_expect_success 'setup individual updates' ' | ||
93 | + rm -rf dst && | ||
94 | + git clone . dst && | ||
95 | + git -C dst submodule init | ||
96 | +' | ||
97 | + | ||
98 | +test_expect_success 'update of ssh allowed' ' | ||
99 | + git -C dst submodule update ssh-module | ||
100 | +' | ||
101 | + | ||
102 | +test_expect_success 'update of ext not allowed' ' | ||
103 | + test_must_fail git -C dst submodule update ext-module | ||
104 | +' | ||
105 | + | ||
106 | +test_expect_success 'user can override whitelist' ' | ||
107 | + GIT_ALLOW_PROTOCOL=ext git -C dst submodule update ext-module | ||
108 | +' | ||
109 | + | ||
110 | +test_done | ||
111 | -- | ||
112 | 2.3.5 | ||
113 | |||