Diffstat (limited to 'meta/recipes-devtools/git/git/CVE-2020-11008-9.patch')
-rw-r--r-- | meta/recipes-devtools/git/git/CVE-2020-11008-9.patch | 114 |
1 files changed, 114 insertions, 0 deletions
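diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-9.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-9.patch
new file mode 100644
index 0000000000..22292dbbbf
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-9.patch
@@ -0,0 +1,114 @@
+From 2e084e25fa454c58a600c9434f776f2150037a76 Mon Sep 17 00:00:00 2001
+From: Jonathan Nieder <jrnieder@gmail.com>
+Date: Sat, 18 Apr 2020 20:57:22 -0700
+Subject: [PATCH 12/12] fsck: reject URL with empty host in .gitmodules
+
+Git's URL parser interprets
+
+https:///example.com/repo.git
+
+to have no host and a path of "example.com/repo.git". Curl, on the
+other hand, internally redirects it to https://example.com/repo.git. As
+a result, until "credential: parse URL without host as empty host, not
+unset", tricking a user into fetching from such a URL would cause Git to
+send credentials for another host to example.com.
+
+Teach fsck to block and detect .gitmodules files using such a URL to
+prevent sharing them with Git versions that are not yet protected.
+
+A relative URL in a .gitmodules file could also be used to trigger this.
+The relative URL resolver used for .gitmodules does not normalize
+sequences of slashes and can follow ".." components out of the path part
+and to the host part of a URL, meaning that such a relative URL can be
+used to traverse from a https://foo.example.com/innocent superproject to
+a https:///attacker.example.com/exploit submodule. Fortunately,
+redundant extra slashes in .gitmodules are rare, so we can catch this by
+detecting one after a leading sequence of "./" and "../" components.
+
+Helped-by: Jeff King <peff@peff.net>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+Reviewed-by: Jeff King <peff@peff.net>
+
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (9)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+fsck.c | 10 +++++++---
+t/t7416-submodule-dash-url.sh | 32 ++++++++++++++++++++++++++++++++
+2 files changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/fsck.c b/fsck.c
+index 30eac29..00077b1 100644
+--- a/fsck.c
++++ b/fsck.c
+@@ -1070,17 +1070,21 @@ static int check_submodule_url(const char *url)
+/*
+* URLs which escape their root via "../" can overwrite
+* the host field and previous components, resolving to
+- * URLs like https::example.com/submodule.git that were
++ * URLs like https::example.com/submodule.git and
++ * https:///example.com/submodule.git that were
+* susceptible to CVE-2020-11008.
+*/
+if (count_leading_dotdots(url, &next) > 0 &&
+- *next == ':')
++ (*next == ':' || *next == '/'))
+return -1;
+}
+
+else if (url_to_curl_url(url, &curl_url)) {
+struct credential c = CREDENTIAL_INIT;
+- int ret = credential_from_url_gently(&c, curl_url, 1);
++ int ret = 0;
++ if (credential_from_url_gently(&c, curl_url, 1) ||
++ !*c.host)
++ ret = -1;
+credential_clear(&c);
+return ret;
+}
+diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh
+index 9309040..eec96e0 100755
+--- a/t/t7416-submodule-dash-url.sh
++++ b/t/t7416-submodule-dash-url.sh
+@@ -124,6 +124,38 @@ test_expect_success 'fsck rejects relative URL resolving to empty scheme' '
+grep gitmodulesUrl err
+'
+
++test_expect_success 'fsck rejects empty hostname' '
++ git checkout --orphan empty-host &&
++ cat >.gitmodules <<-\EOF &&
++ [submodule "foo"]
++ url = http:///one.example.com/foo.git
++ EOF
++ git add .gitmodules &&
++ test_tick &&
++ git commit -m "gitmodules with extra slashes" &&
++ test_when_finished "rm -rf dst" &&
++ git init --bare dst &&
++ git -C dst config transfer.fsckObjects true &&
++ test_must_fail git push dst HEAD 2>err &&
++ grep gitmodulesUrl err
++'
++
++test_expect_success 'fsck rejects relative url that produced empty hostname' '
++ git checkout --orphan messy-relative &&
++ cat >.gitmodules <<-\EOF &&
++ [submodule "foo"]
++ url = ../../..//one.example.com/foo.git
++ EOF
++ git add .gitmodules &&
++ test_tick &&
++ git commit -m "gitmodules abusing relative_path" &&
++ test_when_finished "rm -rf dst" &&
++ git init --bare dst &&
++ git -C dst config transfer.fsckObjects true &&
++ test_must_fail git push dst HEAD 2>err &&
++ grep gitmodulesUrl err
++'
++
+test_expect_success 'fsck permits embedded newline with unrecognized scheme' '
+git checkout --orphan newscheme &&
+cat >.gitmodules <<-\EOF &&
+--
+1.9.1
+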
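Review bot: The new `!*c.host` test in the fsck.c hunk of check_submodule_url dereferences c.host whenever credential_from_url_gently() returns success, so it is only safe if host is guaranteed to be a non-NULL string for host-less URLs; the description attributes that guarantee to the earlier "credential: parse URL without host as empty host, not unset" change, which presumably is one of the lower-numbered patches in this CVE-2020-11008 backport series rather than part of this file. If the recipe applies the numbered patches out of order, or a maintainer later drops that earlier patch, a URL such as `https:///example.com/repo.git` would make this check a NULL dereference instead of a rejection. A one-line comment above the condition would make the dependency visible: `/* relies on credential_from_url_gently() leaving host as "" (never NULL) when the URL has no host */`, and the recipe should note that the CVE-2020-11008-N patches must be applied in sequence. check_submodule_url begins and ends outside the hunk, so the surrounding handling of `ret` and `curl_url` could not be checked here.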