From f98b8b767d66e0e4bfa6f3e8ef7e44a4d45270e3 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Tue, 23 Feb 2016 17:38:25 -0800 Subject: git: Security fixes CVE-2015-7545 CVE-2015-7545 git: arbitrary code execution via crafted URLs (From OE-Core rev: 0c4bdd61acbc1fa1b9bfb167d8eaf90c8bccc25c) Signed-off-by: Armin Kuster Already in Jethro, not needed in master due to shipping a version of git which is already fixes (> 2.6.1) Signed-off-by: Joshua Lock Signed-off-by: Richard Purdie --- .../git/git-2.3.0/CVE-2015-7545_5.patch | 67 ++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch (limited to 'meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch') diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch new file mode 100644 index 0000000000..32dfbaedbe --- /dev/null +++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch @@ -0,0 +1,67 @@ +From b258116462399b318c86165c61a5c7123043cfd4 Mon Sep 17 00:00:00 2001 +From: Blake Burkhart +Date: Tue, 22 Sep 2015 18:06:20 -0400 +Subject: [PATCH] http: limit redirection depth + +By default, libcurl will follow circular http redirects +forever. Let's put a cap on this so that somebody who can +trigger an automated fetch of an arbitrary repository (e.g., +for CI) cannot convince git to loop infinitely. + +The value chosen is 20, which is the same default that +Firefox uses. + +Signed-off-by: Jeff King +Signed-off-by: Junio C Hamano + +Upstream-Status: Backport +https://kernel.googlesource.com/pub/scm/git/git/+/b258116462399b318c86165c61a5c7123043cfd4%5E%21/ +CVE: CVE-2015-7545 patch #1 +Signed-off-by: Armin Kuster + +--- + http.c | 1 + + t/lib-httpd/apache.conf | 3 +++ + t/t5812-proto-disable-http.sh | 4 ++++ + 3 files changed, 8 insertions(+) + +Index: git-2.3.0/http.c +=================================================================== +--- git-2.3.0.orig/http.c ++++ git-2.3.0/http.c +@@ -349,6 +349,7 @@ static CURL *get_curl_handle(void) + } + + curl_easy_setopt(result, CURLOPT_FOLLOWLOCATION, 1); ++ curl_easy_setopt(result, CURLOPT_MAXREDIRS, 20); + #if LIBCURL_VERSION_NUM >= 0x071301 + curl_easy_setopt(result, CURLOPT_POSTREDIR, CURL_REDIR_POST_ALL); + #elif LIBCURL_VERSION_NUM >= 0x071101 +Index: git-2.3.0/t/lib-httpd/apache.conf +=================================================================== +--- git-2.3.0.orig/t/lib-httpd/apache.conf ++++ git-2.3.0/t/lib-httpd/apache.conf +@@ -120,6 +120,9 @@ RewriteRule ^/smart-redir-auth/(.*)$ /au + RewriteRule ^/smart-redir-limited/(.*)/info/refs$ /smart/$1/info/refs [R=301] + RewriteRule ^/ftp-redir/(.*)$ ftp://localhost:1000/$1 [R=302] + ++RewriteRule ^/loop-redir/x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-(.*) /$1 [R=302] ++RewriteRule ^/loop-redir/(.*)$ /loop-redir/x-$1 [R=302] ++ + + LoadModule ssl_module modules/mod_ssl.so + +Index: git-2.3.0/t/t5812-proto-disable-http.sh +=================================================================== +--- git-2.3.0.orig/t/t5812-proto-disable-http.sh ++++ git-2.3.0/t/t5812-proto-disable-http.sh +@@ -25,5 +25,9 @@ test_expect_success 'curl redirects resp + } + ' + ++test_expect_success 'curl limits redirects' ' ++ test_must_fail git clone "$HTTPD_URL/loop-redir/smart/repo.git" ++' ++ + stop_httpd + test_done -- cgit v1.2.3-54-g00ecf