1 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch
new file mode 100644
index 0000000000..6b36893030
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch
@@ -0,0 +1,84 @@
+From 883508bcebe87fbe7fb7392272e930c27c30fdc2 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Sat, 18 Apr 2020 20:53:09 -0700
+Subject: [PATCH 09/12] credential: die() when parsing invalid urls
+When we try to initialize credential loading by URL and find that the
+URL is invalid, we set all fields to NULL in order to avoid acting on
+malicious input. Later when we request credentials, we diagonse the
+erroneous input:
+        fatal: refusing to work with credential missing host field
+This is problematic in two ways:
+- The message doesn't tell the user *why* we are missing the host
+  field, so they can't tell from this message alone how to recover.
+  There can be intervening messages after the original warning of
+  bad input, so the user may not have the context to put two and two
+  together.
+- The error only occurs when we actually need to get a credential.  If
+  the URL permits anonymous access, the only encouragement the user gets
+  to correct their bogus URL is a quiet warning.
+  This is inconsistent with the check we perform in fsck, where any use
+  of such a URL as a submodule is an error.
+When we see such a bogus URL, let's not try to be nice and continue
+without helpers. Instead, die() immediately. This is simpler and
+obviously safe. And there's very little chance of disrupting a normal
+workflow.
+It's _possible_ that somebody has a legitimate URL with a raw newline in
+it. It already wouldn't work with credential helpers, so this patch
+steps that up from an inconvenience to "we will refuse to work with it
+at all". If such a case does exist, we should figure out a way to work
+with it (especially if the newline is only in the path component, which
+we normally don't even pass to helpers). But until we see a real report,
+we're better off being defensive.
+Reported-by: Carlo Arenas <carenas@gmail.com>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (6)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ credential.c           | 6 ++----
+ t/t0300-credentials.sh | 3 +--
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+diff --git a/credential.c b/credential.c
+index e08ed84..22649d5 100644
+--- a/credential.c
+++ b/credential.c
+@@ -408,8 +408,6 @@ int credential_from_url_gently(struct credential *c, const char *url,
+ 
+ void credential_from_url(struct credential *c, const char *url)
+ {
+-       if (credential_from_url_gently(c, url, 0) < 0) {
+-               warning(_("skipping credential lookup for url: %s"), url);
+-               credential_clear(c);
+-       }
+       if (credential_from_url_gently(c, url, 0) < 0)
+               die(_("credential url cannot be parsed: %s"), url);
+ }
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index 646f845..efed3ea 100755
+--- a/t/t0300-credentials.sh
+++ b/t/t0300-credentials.sh
+@@ -406,8 +406,7 @@ test_expect_success 'url parser rejects embedded newlines' '
+        EOF
+        cat >expect <<-\EOF &&
+        warning: url contains a newline in its host component: https://one.example.com?%0ahost=two.example.com/
+-       warning: skipping credential lookup for url: https://one.example.com?%0ahost=two.example.com/
+-       fatal: refusing to work with credential missing host field
+       fatal: credential url cannot be parsed: https://one.example.com?%0ahost=two.example.com/
+        EOF
+        test_i18ncmp expect stderr
+ '
+-- 
+1.9.1

diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch new file mode 100644 index 0000000000..6b36893030 --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch
@@ -0,0 +1,84 @@
	1	From 883508bcebe87fbe7fb7392272e930c27c30fdc2 Mon Sep 17 00:00:00 2001
	2	From: Jeff King <peff@peff.net>
	3	Date: Sat, 18 Apr 2020 20:53:09 -0700
	4	Subject: [PATCH 09/12] credential: die() when parsing invalid urls
	5
	6	When we try to initialize credential loading by URL and find that the
	7	URL is invalid, we set all fields to NULL in order to avoid acting on
	8	malicious input. Later when we request credentials, we diagonse the
	9	erroneous input:
	10
	11	fatal: refusing to work with credential missing host field
	12
	13	This is problematic in two ways:
	14
	15	- The message doesn't tell the user why we are missing the host
	16	field, so they can't tell from this message alone how to recover.
	17	There can be intervening messages after the original warning of
	18	bad input, so the user may not have the context to put two and two
	19	together.
	20
	21	- The error only occurs when we actually need to get a credential. If
	22	the URL permits anonymous access, the only encouragement the user gets
	23	to correct their bogus URL is a quiet warning.
	24
	25	This is inconsistent with the check we perform in fsck, where any use
	26	of such a URL as a submodule is an error.
	27
	28	When we see such a bogus URL, let's not try to be nice and continue
	29	without helpers. Instead, die() immediately. This is simpler and
	30	obviously safe. And there's very little chance of disrupting a normal
	31	workflow.
	32
	33	It's _possible_ that somebody has a legitimate URL with a raw newline in
	34	it. It already wouldn't work with credential helpers, so this patch
	35	steps that up from an inconvenience to "we will refuse to work with it
	36	at all". If such a case does exist, we should figure out a way to work
	37	with it (especially if the newline is only in the path component, which
	38	we normally don't even pass to helpers). But until we see a real report,
	39	we're better off being defensive.
	40
	41	Reported-by: Carlo Arenas <carenas@gmail.com>
	42	Signed-off-by: Jeff King <peff@peff.net>
	43	Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
	44
	45	Upstream-Status: Backport
	46	CVE: CVE-2020-11008 (6)
	47	Signed-off-by: Li Zhou <li.zhou@windriver.com>
	48	---
	49	credential.c \| 6 ++----
	50	t/t0300-credentials.sh \| 3 +--
	51	2 files changed, 3 insertions(+), 6 deletions(-)
	52
	53	diff --git a/credential.c b/credential.c
	54	index e08ed84..22649d5 100644
	55	--- a/credential.c
	56	+++ b/credential.c
	57	@@ -408,8 +408,6 @@ int credential_from_url_gently(struct credential c, const char url,
	58
	59	void credential_from_url(struct credential c, const char url)
	60	{
	61	- if (credential_from_url_gently(c, url, 0) < 0) {
	62	- warning(_("skipping credential lookup for url: %s"), url);
	63	- credential_clear(c);
	64	- }
	65	+ if (credential_from_url_gently(c, url, 0) < 0)
	66	+ die(_("credential url cannot be parsed: %s"), url);
	67	}
	68	diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
	69	index 646f845..efed3ea 100755
	70	--- a/t/t0300-credentials.sh
	71	+++ b/t/t0300-credentials.sh
	72	@@ -406,8 +406,7 @@ test_expect_success 'url parser rejects embedded newlines' '
	73	EOF
	74	cat >expect <<-\EOF &&
	75	warning: url contains a newline in its host component: https://one.example.com?%0ahost=two.example.com/
	76	- warning: skipping credential lookup for url: https://one.example.com?%0ahost=two.example.com/
	77	- fatal: refusing to work with credential missing host field
	78	+ fatal: credential url cannot be parsed: https://one.example.com?%0ahost=two.example.com/
	79	EOF
	80	test_i18ncmp expect stderr
	81	'
	82	--
	83	1.9.1
	84