1 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-1.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-1.patch
new file mode 100644
index 0000000000..9cf98ea7b4
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-1.patch
@@ -0,0 +1,70 @@
+From 863f8067d8b4012904ca3bb881c659ac9894df97 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Mon, 27 Apr 2020 14:36:03 +0800
+Subject: [PATCH 04/12] t0300: make "quit" helper more realistic
+We test a toy credential helper that writes "quit=1" and confirms that
+we stop running other helpers. However, that helper is unrealistic in
+that it does not bother to read its stdin at all.
+For now we don't send any input to it, because we feed git-credential a
+blank credential. But that will change in the next patch, which will
+cause this test to racily fail, as git-credential will get SIGPIPE
+writing to the helper rather than exiting because it was asked to.
+Let's make this one-off helper more like our other sample helpers, and
+have it source the "dump" script. That will read stdin, fixing the
+SIGPIPE problem. But it will also write what it sees to stderr. We can
+make the test more robust by checking that output, which confirms that
+we do run the quit helper, don't run any other helpers, and exit for the
+reason we expected.
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (1)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ t/t0300-credentials.sh | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index b9c0f1f..0206b3b 100755
+--- a/t/t0300-credentials.sh
+++ b/t/t0300-credentials.sh
+@@ -22,6 +22,11 @@ test_expect_success 'setup helper scripts' '
+        exit 0
+        EOF
+ 
+       write_script git-credential-quit <<-\EOF &&
+       . ./dump
+       echo quit=1
+       EOF
+
+        write_script git-credential-verbatim <<-\EOF &&
+        user=$1; shift
+        pass=$1; shift
+@@ -291,10 +296,16 @@ test_expect_success 'http paths can be part of context' '
+ 
+ test_expect_success 'helpers can abort the process' '
+        test_must_fail git \
+-               -c credential.helper="!f() { echo quit=1; }; f" \
+               -c credential.helper=quit \
+                -c credential.helper="verbatim foo bar" \
+-               credential fill >stdout &&
+-       test_must_be_empty stdout
+               credential fill >stdout 2>stderr &&
+       >expect &&
+       test_cmp expect stdout &&
+       cat >expect <<-\EOF &&
+       quit: get
+       fatal: credential helper '\''quit'\'' told us to quit
+       EOF
+       test_i18ncmp expect stderr
+ '
+ 
+ test_expect_success 'empty helper spec resets helper list' '
+-- 
+1.9.1

diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-1.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-1.patch new file mode 100644 index 0000000000..9cf98ea7b4 --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2020-11008-1.patch
@@ -0,0 +1,70 @@
	1	From 863f8067d8b4012904ca3bb881c659ac9894df97 Mon Sep 17 00:00:00 2001
	2	From: Li Zhou <li.zhou@windriver.com>
	3	Date: Mon, 27 Apr 2020 14:36:03 +0800
	4	Subject: [PATCH 04/12] t0300: make "quit" helper more realistic
	5
	6	We test a toy credential helper that writes "quit=1" and confirms that
	7	we stop running other helpers. However, that helper is unrealistic in
	8	that it does not bother to read its stdin at all.
	9
	10	For now we don't send any input to it, because we feed git-credential a
	11	blank credential. But that will change in the next patch, which will
	12	cause this test to racily fail, as git-credential will get SIGPIPE
	13	writing to the helper rather than exiting because it was asked to.
	14
	15	Let's make this one-off helper more like our other sample helpers, and
	16	have it source the "dump" script. That will read stdin, fixing the
	17	SIGPIPE problem. But it will also write what it sees to stderr. We can
	18	make the test more robust by checking that output, which confirms that
	19	we do run the quit helper, don't run any other helpers, and exit for the
	20	reason we expected.
	21
	22	Signed-off-by: Jeff King <peff@peff.net>
	23	Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
	24
	25	Upstream-Status: Backport
	26	CVE: CVE-2020-11008 (1)
	27	Signed-off-by: Li Zhou <li.zhou@windriver.com>
	28	---
	29	t/t0300-credentials.sh \| 17 ++++++++++++++---
	30	1 file changed, 14 insertions(+), 3 deletions(-)
	31
	32	diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
	33	index b9c0f1f..0206b3b 100755
	34	--- a/t/t0300-credentials.sh
	35	+++ b/t/t0300-credentials.sh
	36	@@ -22,6 +22,11 @@ test_expect_success 'setup helper scripts' '
	37	exit 0
	38	EOF
	39
	40	+ write_script git-credential-quit <<-\EOF &&
	41	+ . ./dump
	42	+ echo quit=1
	43	+ EOF
	44	+
	45	write_script git-credential-verbatim <<-\EOF &&
	46	user=$1; shift
	47	pass=$1; shift
	48	@@ -291,10 +296,16 @@ test_expect_success 'http paths can be part of context' '
	49
	50	test_expect_success 'helpers can abort the process' '
	51	test_must_fail git \
	52	- -c credential.helper="!f() { echo quit=1; }; f" \
	53	+ -c credential.helper=quit \
	54	-c credential.helper="verbatim foo bar" \
	55	- credential fill >stdout &&
	56	- test_must_be_empty stdout
	57	+ credential fill >stdout 2>stderr &&
	58	+ >expect &&
	59	+ test_cmp expect stdout &&
	60	+ cat >expect <<-\EOF &&
	61	+ quit: get
	62	+ fatal: credential helper '\''quit'\'' told us to quit
	63	+ EOF
	64	+ test_i18ncmp expect stderr
	65	'
	66
	67	test_expect_success 'empty helper spec resets helper list' '
	68	--
	69	1.9.1
	70