1 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-9.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-9.patch
new file mode 100644
index 0000000000..22292dbbbf
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-9.patch
@@ -0,0 +1,114 @@
+From 2e084e25fa454c58a600c9434f776f2150037a76 Mon Sep 17 00:00:00 2001
+From: Jonathan Nieder <jrnieder@gmail.com>
+Date: Sat, 18 Apr 2020 20:57:22 -0700
+Subject: [PATCH 12/12] fsck: reject URL with empty host in .gitmodules
+Git's URL parser interprets
+        https:///example.com/repo.git
+to have no host and a path of "example.com/repo.git".  Curl, on the
+other hand, internally redirects it to https://example.com/repo.git.  As
+a result, until "credential: parse URL without host as empty host, not
+unset", tricking a user into fetching from such a URL would cause Git to
+send credentials for another host to example.com.
+Teach fsck to block and detect .gitmodules files using such a URL to
+prevent sharing them with Git versions that are not yet protected.
+A relative URL in a .gitmodules file could also be used to trigger this.
+The relative URL resolver used for .gitmodules does not normalize
+sequences of slashes and can follow ".." components out of the path part
+and to the host part of a URL, meaning that such a relative URL can be
+used to traverse from a https://foo.example.com/innocent superproject to
+a https:///attacker.example.com/exploit submodule. Fortunately,
+redundant extra slashes in .gitmodules are rare, so we can catch this by
+detecting one after a leading sequence of "./" and "../" components.
+Helped-by: Jeff King <peff@peff.net>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+Reviewed-by: Jeff King <peff@peff.net>
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (9)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ fsck.c                        | 10 +++++++---
+ t/t7416-submodule-dash-url.sh | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 39 insertions(+), 3 deletions(-)
+diff --git a/fsck.c b/fsck.c
+index 30eac29..00077b1 100644
+--- a/fsck.c
+++ b/fsck.c
+@@ -1070,17 +1070,21 @@ static int check_submodule_url(const char *url)
+                /*
+                 * URLs which escape their root via "../" can overwrite
+                 * the host field and previous components, resolving to
+-                * URLs like https::example.com/submodule.git that were
+                * URLs like https::example.com/submodule.git and
+                * https:///example.com/submodule.git that were
+                 * susceptible to CVE-2020-11008.
+                 */
+                if (count_leading_dotdots(url, &next) > 0 &&
+-                   *next == ':')
+                   (*next == ':' || *next == '/'))
+                        return -1;
+        }
+ 
+        else if (url_to_curl_url(url, &curl_url)) {
+                struct credential c = CREDENTIAL_INIT;
+-               int ret = credential_from_url_gently(&c, curl_url, 1);
+               int ret = 0;
+               if (credential_from_url_gently(&c, curl_url, 1) ||
+                   !*c.host)
+                       ret = -1;
+                credential_clear(&c);
+                return ret;
+        }
+diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh
+index 9309040..eec96e0 100755
+--- a/t/t7416-submodule-dash-url.sh
+++ b/t/t7416-submodule-dash-url.sh
+@@ -124,6 +124,38 @@ test_expect_success 'fsck rejects relative URL resolving to empty scheme' '
+        grep gitmodulesUrl err
+ '
+ 
+test_expect_success 'fsck rejects empty hostname' '
+       git checkout --orphan empty-host &&
+       cat >.gitmodules <<-\EOF &&
+       [submodule "foo"]
+               url = http:///one.example.com/foo.git
+       EOF
+       git add .gitmodules &&
+       test_tick &&
+       git commit -m "gitmodules with extra slashes" &&
+       test_when_finished "rm -rf dst" &&
+       git init --bare dst &&
+       git -C dst config transfer.fsckObjects true &&
+       test_must_fail git push dst HEAD 2>err &&
+       grep gitmodulesUrl err
+'
+
+test_expect_success 'fsck rejects relative url that produced empty hostname' '
+       git checkout --orphan messy-relative &&
+       cat >.gitmodules <<-\EOF &&
+       [submodule "foo"]
+               url = ../../..//one.example.com/foo.git
+       EOF
+       git add .gitmodules &&
+       test_tick &&
+       git commit -m "gitmodules abusing relative_path" &&
+       test_when_finished "rm -rf dst" &&
+       git init --bare dst &&
+       git -C dst config transfer.fsckObjects true &&
+       test_must_fail git push dst HEAD 2>err &&
+       grep gitmodulesUrl err
+'
+
+ test_expect_success 'fsck permits embedded newline with unrecognized scheme' '
+        git checkout --orphan newscheme &&
+        cat >.gitmodules <<-\EOF &&
+-- 
+1.9.1

diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-9.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-9.patch new file mode 100644 index 0000000000..22292dbbbf --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2020-11008-9.patch
@@ -0,0 +1,114 @@
	1	From 2e084e25fa454c58a600c9434f776f2150037a76 Mon Sep 17 00:00:00 2001
	2	From: Jonathan Nieder <jrnieder@gmail.com>
	3	Date: Sat, 18 Apr 2020 20:57:22 -0700
	4	Subject: [PATCH 12/12] fsck: reject URL with empty host in .gitmodules
	5
	6	Git's URL parser interprets
	7
	8	https:///example.com/repo.git
	9
	10	to have no host and a path of "example.com/repo.git". Curl, on the
	11	other hand, internally redirects it to https://example.com/repo.git. As
	12	a result, until "credential: parse URL without host as empty host, not
	13	unset", tricking a user into fetching from such a URL would cause Git to
	14	send credentials for another host to example.com.
	15
	16	Teach fsck to block and detect .gitmodules files using such a URL to
	17	prevent sharing them with Git versions that are not yet protected.
	18
	19	A relative URL in a .gitmodules file could also be used to trigger this.
	20	The relative URL resolver used for .gitmodules does not normalize
	21	sequences of slashes and can follow ".." components out of the path part
	22	and to the host part of a URL, meaning that such a relative URL can be
	23	used to traverse from a https://foo.example.com/innocent superproject to
	24	a https:///attacker.example.com/exploit submodule. Fortunately,
	25	redundant extra slashes in .gitmodules are rare, so we can catch this by
	26	detecting one after a leading sequence of "./" and "../" components.
	27
	28	Helped-by: Jeff King <peff@peff.net>
	29	Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
	30	Reviewed-by: Jeff King <peff@peff.net>
	31
	32	Upstream-Status: Backport
	33	CVE: CVE-2020-11008 (9)
	34	Signed-off-by: Li Zhou <li.zhou@windriver.com>
	35	---
	36	fsck.c \| 10 +++++++---
	37	t/t7416-submodule-dash-url.sh \| 32 ++++++++++++++++++++++++++++++++
	38	2 files changed, 39 insertions(+), 3 deletions(-)
	39
	40	diff --git a/fsck.c b/fsck.c
	41	index 30eac29..00077b1 100644
	42	--- a/fsck.c
	43	+++ b/fsck.c
	44	@@ -1070,17 +1070,21 @@ static int check_submodule_url(const char *url)
	45	/*
	46	* URLs which escape their root via "../" can overwrite
	47	* the host field and previous components, resolving to
	48	- * URLs like https::example.com/submodule.git that were
	49	+ * URLs like https::example.com/submodule.git and
	50	+ * https:///example.com/submodule.git that were
	51	* susceptible to CVE-2020-11008.
	52	*/
	53	if (count_leading_dotdots(url, &next) > 0 &&
	54	- *next == ':')
	55	+ (next == ':' \|\| next == '/'))
	56	return -1;
	57	}
	58
	59	else if (url_to_curl_url(url, &curl_url)) {
	60	struct credential c = CREDENTIAL_INIT;
	61	- int ret = credential_from_url_gently(&c, curl_url, 1);
	62	+ int ret = 0;
	63	+ if (credential_from_url_gently(&c, curl_url, 1) \|\|
	64	+ !*c.host)
	65	+ ret = -1;
	66	credential_clear(&c);
	67	return ret;
	68	}
	69	diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh
	70	index 9309040..eec96e0 100755
	71	--- a/t/t7416-submodule-dash-url.sh
	72	+++ b/t/t7416-submodule-dash-url.sh
	73	@@ -124,6 +124,38 @@ test_expect_success 'fsck rejects relative URL resolving to empty scheme' '
	74	grep gitmodulesUrl err
	75	'
	76
	77	+test_expect_success 'fsck rejects empty hostname' '
	78	+ git checkout --orphan empty-host &&
	79	+ cat >.gitmodules <<-\EOF &&
	80	+ [submodule "foo"]
	81	+ url = http:///one.example.com/foo.git
	82	+ EOF
	83	+ git add .gitmodules &&
	84	+ test_tick &&
	85	+ git commit -m "gitmodules with extra slashes" &&
	86	+ test_when_finished "rm -rf dst" &&
	87	+ git init --bare dst &&
	88	+ git -C dst config transfer.fsckObjects true &&
	89	+ test_must_fail git push dst HEAD 2>err &&
	90	+ grep gitmodulesUrl err
	91	+'
	92	+
	93	+test_expect_success 'fsck rejects relative url that produced empty hostname' '
	94	+ git checkout --orphan messy-relative &&
	95	+ cat >.gitmodules <<-\EOF &&
	96	+ [submodule "foo"]
	97	+ url = ../../..//one.example.com/foo.git
	98	+ EOF
	99	+ git add .gitmodules &&
	100	+ test_tick &&
	101	+ git commit -m "gitmodules abusing relative_path" &&
	102	+ test_when_finished "rm -rf dst" &&
	103	+ git init --bare dst &&
	104	+ git -C dst config transfer.fsckObjects true &&
	105	+ test_must_fail git push dst HEAD 2>err &&
	106	+ grep gitmodulesUrl err
	107	+'
	108	+
	109	test_expect_success 'fsck permits embedded newline with unrecognized scheme' '
	110	git checkout --orphan newscheme &&
	111	cat >.gitmodules <<-\EOF &&
	112	--
	113	1.9.1
	114