1 files changed, 292 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-2.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-2.patch
new file mode 100644
index 0000000000..c752e3d431
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-2.patch
@@ -0,0 +1,292 @@
+From 5588659069214aa0f7fea75a69687078e2f7a817 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Sat, 18 Apr 2020 20:47:30 -0700
+Subject: [PATCH 05/12] t0300: use more realistic inputs
+Many of the tests in t0300 give partial inputs to git-credential,
+omitting a protocol or hostname. We're checking only high-level things
+like whether and how helpers are invoked at all, and we don't care about
+specific hosts. However, in preparation for tightening up the rules
+about when we're willing to run a helper, let's start using input that's
+a bit more realistic: pretend as if http://example.com is being
+examined.
+This shouldn't change the point of any of the tests, but do note we have
+to adjust the expected output to accommodate this (filling a credential
+will repeat back the protocol/host fields to stdout, and the helper
+debug messages and askpass prompt will change on stderr).
+Signed-off-by: Jeff King <peff@peff.net>
+Reviewed-by: Taylor Blau <me@ttaylorr.com>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (2)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ t/t0300-credentials.sh | 89 +++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 85 insertions(+), 4 deletions(-)
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index 0206b3b..f4c5d7f 100755
+--- a/t/t0300-credentials.sh
+++ b/t/t0300-credentials.sh
+@@ -40,43 +40,71 @@ test_expect_success 'setup helper scripts' '
+ 
+ test_expect_success 'credential_fill invokes helper' '
+        check fill "verbatim foo bar" <<-\EOF
+       protocol=http
+       host=example.com
+        --
+       protocol=http
+       host=example.com
+        username=foo
+        password=bar
+        --
+        verbatim: get
+       verbatim: protocol=http
+       verbatim: host=example.com
+        EOF
+ '
+ 
+ test_expect_success 'credential_fill invokes multiple helpers' '
+        check fill useless "verbatim foo bar" <<-\EOF
+       protocol=http
+       host=example.com
+        --
+       protocol=http
+       host=example.com
+        username=foo
+        password=bar
+        --
+        useless: get
+       useless: protocol=http
+       useless: host=example.com
+        verbatim: get
+       verbatim: protocol=http
+       verbatim: host=example.com
+        EOF
+ '
+ 
+ test_expect_success 'credential_fill stops when we get a full response' '
+        check fill "verbatim one two" "verbatim three four" <<-\EOF
+       protocol=http
+       host=example.com
+        --
+       protocol=http
+       host=example.com
+        username=one
+        password=two
+        --
+        verbatim: get
+       verbatim: protocol=http
+       verbatim: host=example.com
+        EOF
+ '
+ 
+ test_expect_success 'credential_fill continues through partial response' '
+        check fill "verbatim one \"\"" "verbatim two three" <<-\EOF
+       protocol=http
+       host=example.com
+        --
+       protocol=http
+       host=example.com
+        username=two
+        password=three
+        --
+        verbatim: get
+       verbatim: protocol=http
+       verbatim: host=example.com
+        verbatim: get
+       verbatim: protocol=http
+       verbatim: host=example.com
+        verbatim: username=one
+        EOF
+ '
+@@ -102,14 +130,20 @@ test_expect_success 'credential_fill passes along metadata' '
+ 
+ test_expect_success 'credential_approve calls all helpers' '
+        check approve useless "verbatim one two" <<-\EOF
+       protocol=http
+       host=example.com
+        username=foo
+        password=bar
+        --
+        --
+        useless: store
+       useless: protocol=http
+       useless: host=example.com
+        useless: username=foo
+        useless: password=bar
+        verbatim: store
+       verbatim: protocol=http
+       verbatim: host=example.com
+        verbatim: username=foo
+        verbatim: password=bar
+        EOF
+@@ -117,6 +151,8 @@ test_expect_success 'credential_approve calls all helpers' '
+ 
+ test_expect_success 'do not bother storing password-less credential' '
+        check approve useless <<-\EOF
+       protocol=http
+       host=example.com
+        username=foo
+        --
+        --
+@@ -126,14 +162,20 @@ test_expect_success 'do not bother storing password-less credential' '
+ 
+ test_expect_success 'credential_reject calls all helpers' '
+        check reject useless "verbatim one two" <<-\EOF
+       protocol=http
+       host=example.com
+        username=foo
+        password=bar
+        --
+        --
+        useless: erase
+       useless: protocol=http
+       useless: host=example.com
+        useless: username=foo
+        useless: password=bar
+        verbatim: erase
+       verbatim: protocol=http
+       verbatim: host=example.com
+        verbatim: username=foo
+        verbatim: password=bar
+        EOF
+@@ -141,33 +183,49 @@ test_expect_success 'credential_reject calls all helpers' '
+ 
+ test_expect_success 'usernames can be preserved' '
+        check fill "verbatim \"\" three" <<-\EOF
+       protocol=http
+       host=example.com
+        username=one
+        --
+       protocol=http
+       host=example.com
+        username=one
+        password=three
+        --
+        verbatim: get
+       verbatim: protocol=http
+       verbatim: host=example.com
+        verbatim: username=one
+        EOF
+ '
+ 
+ test_expect_success 'usernames can be overridden' '
+        check fill "verbatim two three" <<-\EOF
+       protocol=http
+       host=example.com
+        username=one
+        --
+       protocol=http
+       host=example.com
+        username=two
+        password=three
+        --
+        verbatim: get
+       verbatim: protocol=http
+       verbatim: host=example.com
+        verbatim: username=one
+        EOF
+ '
+ 
+ test_expect_success 'do not bother completing already-full credential' '
+        check fill "verbatim three four" <<-\EOF
+       protocol=http
+       host=example.com
+        username=one
+        password=two
+        --
+       protocol=http
+       host=example.com
+        username=one
+        password=two
+        --
+@@ -179,23 +237,31 @@ test_expect_success 'do not bother completing already-full credential' '
+ # askpass helper is run, we know the internal getpass is working.
+ test_expect_success 'empty helper list falls back to internal getpass' '
+        check fill <<-\EOF
+       protocol=http
+       host=example.com
+        --
+       protocol=http
+       host=example.com
+        username=askpass-username
+        password=askpass-password
+        --
+-       askpass: Username:
+-       askpass: Password:
+       askpass: Username for '\''http://example.com'\'':
+       askpass: Password for '\''http://askpass-username@example.com'\'':
+        EOF
+ '
+ 
+ test_expect_success 'internal getpass does not ask for known username' '
+        check fill <<-\EOF
+       protocol=http
+       host=example.com
+        username=foo
+        --
+       protocol=http
+       host=example.com
+        username=foo
+        password=askpass-password
+        --
+-       askpass: Password:
+       askpass: Password for '\''http://foo@example.com'\'':
+        EOF
+ '
+ 
+@@ -207,7 +273,11 @@ HELPER="!f() {
+ test_expect_success 'respect configured credentials' '
+        test_config credential.helper "$HELPER" &&
+        check fill <<-\EOF
+       protocol=http
+       host=example.com
+        --
+       protocol=http
+       host=example.com
+        username=foo
+        password=bar
+        --
+@@ -298,11 +368,16 @@ test_expect_success 'helpers can abort the process' '
+        test_must_fail git \
+                -c credential.helper=quit \
+                -c credential.helper="verbatim foo bar" \
+-               credential fill >stdout 2>stderr &&
+               credential fill >stdout 2>stderr <<-\EOF &&
+       protocol=http
+       host=example.com
+       EOF
+        >expect &&
+        test_cmp expect stdout &&
+        cat >expect <<-\EOF &&
+        quit: get
+       quit: protocol=http
+       quit: host=example.com
+        fatal: credential helper '\''quit'\'' told us to quit
+        EOF
+        test_i18ncmp expect stderr
+@@ -311,11 +386,17 @@ test_expect_success 'helpers can abort the process' '
+ test_expect_success 'empty helper spec resets helper list' '
+        test_config credential.helper "verbatim file file" &&
+        check fill "" "verbatim cmdline cmdline" <<-\EOF
+       protocol=http
+       host=example.com
+        --
+       protocol=http
+       host=example.com
+        username=cmdline
+        password=cmdline
+        --
+        verbatim: get
+       verbatim: protocol=http
+       verbatim: host=example.com
+        EOF
+ '
+ 
+-- 
+1.9.1

diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-2.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-2.patch new file mode 100644 index 0000000000..c752e3d431 --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2020-11008-2.patch
@@ -0,0 +1,292 @@
	1	From 5588659069214aa0f7fea75a69687078e2f7a817 Mon Sep 17 00:00:00 2001
	2	From: Jeff King <peff@peff.net>
	3	Date: Sat, 18 Apr 2020 20:47:30 -0700
	4	Subject: [PATCH 05/12] t0300: use more realistic inputs
	5
	6	Many of the tests in t0300 give partial inputs to git-credential,
	7	omitting a protocol or hostname. We're checking only high-level things
	8	like whether and how helpers are invoked at all, and we don't care about
	9	specific hosts. However, in preparation for tightening up the rules
	10	about when we're willing to run a helper, let's start using input that's
	11	a bit more realistic: pretend as if http://example.com is being
	12	examined.
	13
	14	This shouldn't change the point of any of the tests, but do note we have
	15	to adjust the expected output to accommodate this (filling a credential
	16	will repeat back the protocol/host fields to stdout, and the helper
	17	debug messages and askpass prompt will change on stderr).
	18
	19	Signed-off-by: Jeff King <peff@peff.net>
	20	Reviewed-by: Taylor Blau <me@ttaylorr.com>
	21	Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
	22
	23	Upstream-Status: Backport
	24	CVE: CVE-2020-11008 (2)
	25	Signed-off-by: Li Zhou <li.zhou@windriver.com>
	26	---
	27	t/t0300-credentials.sh \| 89 +++++++++++++++++++++++++++++++++++++++++++++++---
	28	1 file changed, 85 insertions(+), 4 deletions(-)
	29
	30	diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
	31	index 0206b3b..f4c5d7f 100755
	32	--- a/t/t0300-credentials.sh
	33	+++ b/t/t0300-credentials.sh
	34	@@ -40,43 +40,71 @@ test_expect_success 'setup helper scripts' '
	35
	36	test_expect_success 'credential_fill invokes helper' '
	37	check fill "verbatim foo bar" <<-\EOF
	38	+ protocol=http
	39	+ host=example.com
	40	--
	41	+ protocol=http
	42	+ host=example.com
	43	username=foo
	44	password=bar
	45	--
	46	verbatim: get
	47	+ verbatim: protocol=http
	48	+ verbatim: host=example.com
	49	EOF
	50	'
	51
	52	test_expect_success 'credential_fill invokes multiple helpers' '
	53	check fill useless "verbatim foo bar" <<-\EOF
	54	+ protocol=http
	55	+ host=example.com
	56	--
	57	+ protocol=http
	58	+ host=example.com
	59	username=foo
	60	password=bar
	61	--
	62	useless: get
	63	+ useless: protocol=http
	64	+ useless: host=example.com
	65	verbatim: get
	66	+ verbatim: protocol=http
	67	+ verbatim: host=example.com
	68	EOF
	69	'
	70
	71	test_expect_success 'credential_fill stops when we get a full response' '
	72	check fill "verbatim one two" "verbatim three four" <<-\EOF
	73	+ protocol=http
	74	+ host=example.com
	75	--
	76	+ protocol=http
	77	+ host=example.com
	78	username=one
	79	password=two
	80	--
	81	verbatim: get
	82	+ verbatim: protocol=http
	83	+ verbatim: host=example.com
	84	EOF
	85	'
	86
	87	test_expect_success 'credential_fill continues through partial response' '
	88	check fill "verbatim one \"\"" "verbatim two three" <<-\EOF
	89	+ protocol=http
	90	+ host=example.com
	91	--
	92	+ protocol=http
	93	+ host=example.com
	94	username=two
	95	password=three
	96	--
	97	verbatim: get
	98	+ verbatim: protocol=http
	99	+ verbatim: host=example.com
	100	verbatim: get
	101	+ verbatim: protocol=http
	102	+ verbatim: host=example.com
	103	verbatim: username=one
	104	EOF
	105	'
	106	@@ -102,14 +130,20 @@ test_expect_success 'credential_fill passes along metadata' '
	107
	108	test_expect_success 'credential_approve calls all helpers' '
	109	check approve useless "verbatim one two" <<-\EOF
	110	+ protocol=http
	111	+ host=example.com
	112	username=foo
	113	password=bar
	114	--
	115	--
	116	useless: store
	117	+ useless: protocol=http
	118	+ useless: host=example.com
	119	useless: username=foo
	120	useless: password=bar
	121	verbatim: store
	122	+ verbatim: protocol=http
	123	+ verbatim: host=example.com
	124	verbatim: username=foo
	125	verbatim: password=bar
	126	EOF
	127	@@ -117,6 +151,8 @@ test_expect_success 'credential_approve calls all helpers' '
	128
	129	test_expect_success 'do not bother storing password-less credential' '
	130	check approve useless <<-\EOF
	131	+ protocol=http
	132	+ host=example.com
	133	username=foo
	134	--
	135	--
	136	@@ -126,14 +162,20 @@ test_expect_success 'do not bother storing password-less credential' '
	137
	138	test_expect_success 'credential_reject calls all helpers' '
	139	check reject useless "verbatim one two" <<-\EOF
	140	+ protocol=http
	141	+ host=example.com
	142	username=foo
	143	password=bar
	144	--
	145	--
	146	useless: erase
	147	+ useless: protocol=http
	148	+ useless: host=example.com
	149	useless: username=foo
	150	useless: password=bar
	151	verbatim: erase
	152	+ verbatim: protocol=http
	153	+ verbatim: host=example.com
	154	verbatim: username=foo
	155	verbatim: password=bar
	156	EOF
	157	@@ -141,33 +183,49 @@ test_expect_success 'credential_reject calls all helpers' '
	158
	159	test_expect_success 'usernames can be preserved' '
	160	check fill "verbatim \"\" three" <<-\EOF
	161	+ protocol=http
	162	+ host=example.com
	163	username=one
	164	--
	165	+ protocol=http
	166	+ host=example.com
	167	username=one
	168	password=three
	169	--
	170	verbatim: get
	171	+ verbatim: protocol=http
	172	+ verbatim: host=example.com
	173	verbatim: username=one
	174	EOF
	175	'
	176
	177	test_expect_success 'usernames can be overridden' '
	178	check fill "verbatim two three" <<-\EOF
	179	+ protocol=http
	180	+ host=example.com
	181	username=one
	182	--
	183	+ protocol=http
	184	+ host=example.com
	185	username=two
	186	password=three
	187	--
	188	verbatim: get
	189	+ verbatim: protocol=http
	190	+ verbatim: host=example.com
	191	verbatim: username=one
	192	EOF
	193	'
	194
	195	test_expect_success 'do not bother completing already-full credential' '
	196	check fill "verbatim three four" <<-\EOF
	197	+ protocol=http
	198	+ host=example.com
	199	username=one
	200	password=two
	201	--
	202	+ protocol=http
	203	+ host=example.com
	204	username=one
	205	password=two
	206	--
	207	@@ -179,23 +237,31 @@ test_expect_success 'do not bother completing already-full credential' '
	208	# askpass helper is run, we know the internal getpass is working.
	209	test_expect_success 'empty helper list falls back to internal getpass' '
	210	check fill <<-\EOF
	211	+ protocol=http
	212	+ host=example.com
	213	--
	214	+ protocol=http
	215	+ host=example.com
	216	username=askpass-username
	217	password=askpass-password
	218	--
	219	- askpass: Username:
	220	- askpass: Password:
	221	+ askpass: Username for '\''http://example.com'\'':
	222	+ askpass: Password for '\''http://askpass-username@example.com'\'':
	223	EOF
	224	'
	225
	226	test_expect_success 'internal getpass does not ask for known username' '
	227	check fill <<-\EOF
	228	+ protocol=http
	229	+ host=example.com
	230	username=foo
	231	--
	232	+ protocol=http
	233	+ host=example.com
	234	username=foo
	235	password=askpass-password
	236	--
	237	- askpass: Password:
	238	+ askpass: Password for '\''http://foo@example.com'\'':
	239	EOF
	240	'
	241
	242	@@ -207,7 +273,11 @@ HELPER="!f() {
	243	test_expect_success 'respect configured credentials' '
	244	test_config credential.helper "$HELPER" &&
	245	check fill <<-\EOF
	246	+ protocol=http
	247	+ host=example.com
	248	--
	249	+ protocol=http
	250	+ host=example.com
	251	username=foo
	252	password=bar
	253	--
	254	@@ -298,11 +368,16 @@ test_expect_success 'helpers can abort the process' '
	255	test_must_fail git \
	256	-c credential.helper=quit \
	257	-c credential.helper="verbatim foo bar" \
	258	- credential fill >stdout 2>stderr &&
	259	+ credential fill >stdout 2>stderr <<-\EOF &&
	260	+ protocol=http
	261	+ host=example.com
	262	+ EOF
	263	>expect &&
	264	test_cmp expect stdout &&
	265	cat >expect <<-\EOF &&
	266	quit: get
	267	+ quit: protocol=http
	268	+ quit: host=example.com
	269	fatal: credential helper '\''quit'\'' told us to quit
	270	EOF
	271	test_i18ncmp expect stderr
	272	@@ -311,11 +386,17 @@ test_expect_success 'helpers can abort the process' '
	273	test_expect_success 'empty helper spec resets helper list' '
	274	test_config credential.helper "verbatim file file" &&
	275	check fill "" "verbatim cmdline cmdline" <<-\EOF
	276	+ protocol=http
	277	+ host=example.com
	278	--
	279	+ protocol=http
	280	+ host=example.com
	281	username=cmdline
	282	password=cmdline
	283	--
	284	verbatim: get
	285	+ verbatim: protocol=http
	286	+ verbatim: host=example.com
	287	EOF
	288	'
	289
	290	--
	291	1.9.1
	292