1 files changed, 110 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_3.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_3.patch
new file mode 100644
index 0000000000..623da07460
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_3.patch
@@ -0,0 +1,110 @@
+From 5088d3b38775f8ac12d7f77636775b16059b67ef Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Tue, 22 Sep 2015 18:03:49 -0400
+Subject: [PATCH] transport: refactor protocol whitelist code
+The current callers only want to die when their transport is
+prohibited. But future callers want to query the mechanism
+without dying.
+Let's break out a few query functions, and also save the
+results in a static list so we don't have to re-parse for
+each query.
+Based-on-a-patch-by: Blake Burkhart <bburky@bburky.com>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+Upstream-Status: Backport
+https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
+CVE: CVE-2015-7545 patch #1 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ transport.c | 38 ++++++++++++++++++++++++++++++--------
+ transport.h | 15 +++++++++++++--
+ 2 files changed, 43 insertions(+), 10 deletions(-)
+Index: git-2.3.0/transport.c
+===================================================================
+--- git-2.3.0.orig/transport.c
+++ git-2.3.0/transport.c
+@@ -907,18 +907,40 @@ static int external_specification_len(co
+        return strchr(url, ':') - url;
+ }
+ 
+-void transport_check_allowed(const char *type)
+static const struct string_list *protocol_whitelist(void)
+ {
+-       struct string_list allowed = STRING_LIST_INIT_DUP;
+-       const char *v = getenv("GIT_ALLOW_PROTOCOL");
+       static int enabled = -1;
+       static struct string_list allowed = STRING_LIST_INIT_DUP;
+
+       if (enabled < 0) {
+               const char *v = getenv("GIT_ALLOW_PROTOCOL");
+               if (v) {
+                       string_list_split(&allowed, v, ':', -1);
+                       string_list_sort(&allowed);
+                       enabled = 1;
+               } else {
+                       enabled = 0;
+               }
+       }
+
+       return enabled ? &allowed : NULL;
+}
+ 
+-       if (!v)
+-               return;
+int is_transport_allowed(const char *type)
+{
+       const struct string_list *allowed = protocol_whitelist();
+       return !allowed || string_list_has_string(allowed, type);
+}
+ 
+-       string_list_split(&allowed, v, ':', -1);
+-       if (!unsorted_string_list_has_string(&allowed, type))
+void transport_check_allowed(const char *type)
+{
+       if (!is_transport_allowed(type))
+                die("transport '%s' not allowed", type);
+-       string_list_clear(&allowed, 0);
+}
+
+int transport_restrict_protocols(void)
+{
+       return !!protocol_whitelist();
+ }
+ 
+ struct transport *transport_get(struct remote *remote, const char *url)
+Index: git-2.3.0/transport.h
+===================================================================
+--- git-2.3.0.orig/transport.h
+++ git-2.3.0/transport.h
+@@ -133,12 +133,23 @@ struct transport {
+ struct transport *transport_get(struct remote *, const char *);
+ 
+ /*
+ * Check whether a transport is allowed by the environment. Type should
+ * generally be the URL scheme, as described in Documentation/git.txt
+ */
+int is_transport_allowed(const char *type);
+
+/*
+  * Check whether a transport is allowed by the environment,
+- * and die otherwise. type should generally be the URL scheme,
+- * as described in Documentation/git.txt
+ * and die otherwise.
+  */
+ void transport_check_allowed(const char *type);
+ 
+/*
+ * Returns true if the user has attempted to turn on protocol
+ * restrictions at all.
+ */
+int transport_restrict_protocols(void);
+
+ /* Transport options which apply to git:// and scp-style URLs */
+ 
+ /* The program to use on the remote side to send a pack */

diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_3.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_3.patch new file mode 100644 index 0000000000..623da07460 --- /dev/null +++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_3.patch
@@ -0,0 +1,110 @@
	1	From 5088d3b38775f8ac12d7f77636775b16059b67ef Mon Sep 17 00:00:00 2001
	2	From: Jeff King <peff@peff.net>
	3	Date: Tue, 22 Sep 2015 18:03:49 -0400
	4	Subject: [PATCH] transport: refactor protocol whitelist code
	5
	6	The current callers only want to die when their transport is
	7	prohibited. But future callers want to query the mechanism
	8	without dying.
	9
	10	Let's break out a few query functions, and also save the
	11	results in a static list so we don't have to re-parse for
	12	each query.
	13
	14	Based-on-a-patch-by: Blake Burkhart <bburky@bburky.com>
	15	Signed-off-by: Jeff King <peff@peff.net>
	16	Signed-off-by: Junio C Hamano <gitster@pobox.com>
	17
	18	Upstream-Status: Backport
	19	https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
	20	CVE: CVE-2015-7545 patch #1
	21	Signed-off-by: Armin Kuster <akuster@mvista.com>
	22
	23	---
	24	transport.c \| 38 ++++++++++++++++++++++++++++++--------
	25	transport.h \| 15 +++++++++++++--
	26	2 files changed, 43 insertions(+), 10 deletions(-)
	27
	28	Index: git-2.3.0/transport.c
	29	===================================================================
	30	--- git-2.3.0.orig/transport.c
	31	+++ git-2.3.0/transport.c
	32	@@ -907,18 +907,40 @@ static int external_specification_len(co
	33	return strchr(url, ':') - url;
	34	}
	35
	36	-void transport_check_allowed(const char *type)
	37	+static const struct string_list *protocol_whitelist(void)
	38	{
	39	- struct string_list allowed = STRING_LIST_INIT_DUP;
	40	- const char *v = getenv("GIT_ALLOW_PROTOCOL");
	41	+ static int enabled = -1;
	42	+ static struct string_list allowed = STRING_LIST_INIT_DUP;
	43	+
	44	+ if (enabled < 0) {
	45	+ const char *v = getenv("GIT_ALLOW_PROTOCOL");
	46	+ if (v) {
	47	+ string_list_split(&allowed, v, ':', -1);
	48	+ string_list_sort(&allowed);
	49	+ enabled = 1;
	50	+ } else {
	51	+ enabled = 0;
	52	+ }
	53	+ }
	54	+
	55	+ return enabled ? &allowed : NULL;
	56	+}
	57
	58	- if (!v)
	59	- return;
	60	+int is_transport_allowed(const char *type)
	61	+{
	62	+ const struct string_list *allowed = protocol_whitelist();
	63	+ return !allowed \|\| string_list_has_string(allowed, type);
	64	+}
	65
	66	- string_list_split(&allowed, v, ':', -1);
	67	- if (!unsorted_string_list_has_string(&allowed, type))
	68	+void transport_check_allowed(const char *type)
	69	+{
	70	+ if (!is_transport_allowed(type))
	71	die("transport '%s' not allowed", type);
	72	- string_list_clear(&allowed, 0);
	73	+}
	74	+
	75	+int transport_restrict_protocols(void)
	76	+{
	77	+ return !!protocol_whitelist();
	78	}
	79
	80	struct transport transport_get(struct remote remote, const char *url)
	81	Index: git-2.3.0/transport.h
	82	===================================================================
	83	--- git-2.3.0.orig/transport.h
	84	+++ git-2.3.0/transport.h
	85	@@ -133,12 +133,23 @@ struct transport {
	86	struct transport transport_get(struct remote , const char *);
	87
	88	/*
	89	+ * Check whether a transport is allowed by the environment. Type should
	90	+ * generally be the URL scheme, as described in Documentation/git.txt
	91	+ */
	92	+int is_transport_allowed(const char *type);
	93	+
	94	+/*
	95	* Check whether a transport is allowed by the environment,
	96	- * and die otherwise. type should generally be the URL scheme,
	97	- * as described in Documentation/git.txt
	98	+ * and die otherwise.
	99	*/
	100	void transport_check_allowed(const char *type);
	101
	102	+/*
	103	+ * Returns true if the user has attempted to turn on protocol
	104	+ * restrictions at all.
	105	+ */
	106	+int transport_restrict_protocols(void);
	107	+
	108	/* Transport options which apply to git:// and scp-style URLs */
	109
	110	/* The program to use on the remote side to send a pack */