From e8c96131d952f7812a8f8a53845c0ba709192d86 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Sun, 31 Jan 2016 14:27:05 -0800 Subject: git: Security fix CVE-2015-7545 CVE-2015-7545 git: arbitrary code execution via crafted URLs (From OE-Core rev: 1e0780427bad448c5b3644134b581ecf1d53af84) Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- .../git/git-2.5.0/0009-CVE-2015-7545-2.patch | 112 +++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 meta/recipes-devtools/git/git-2.5.0/0009-CVE-2015-7545-2.patch (limited to 'meta/recipes-devtools/git/git-2.5.0/0009-CVE-2015-7545-2.patch') diff --git a/meta/recipes-devtools/git/git-2.5.0/0009-CVE-2015-7545-2.patch b/meta/recipes-devtools/git/git-2.5.0/0009-CVE-2015-7545-2.patch new file mode 100644 index 0000000000..8000e26d70 --- /dev/null +++ b/meta/recipes-devtools/git/git-2.5.0/0009-CVE-2015-7545-2.patch @@ -0,0 +1,112 @@ +From 33cfccbbf35a56e190b79bdec5c85457c952a021 Mon Sep 17 00:00:00 2001 +From: Jeff King +Date: Wed, 16 Sep 2015 13:13:12 -0400 +Subject: [PATCH] submodule: allow only certain protocols for submodule fetches + +Some protocols (like git-remote-ext) can execute arbitrary +code found in the URL. The URLs that submodules use may come +from arbitrary sources (e.g., .gitmodules files in a remote +repository). Let's restrict submodules to fetching from a +known-good subset of protocols. + +Note that we apply this restriction to all submodule +commands, whether the URL comes from .gitmodules or not. +This is more restrictive than we need to be; for example, in +the tests we run: + + git submodule add ext::... + +which should be trusted, as the URL comes directly from the +command line provided by the user. But doing it this way is +simpler, and makes it much less likely that we would miss a +case. And since such protocols should be an exception +(especially because nobody who clones from them will be able +to update the submodules!), it's not likely to inconvenience +anyone in practice. + +Reported-by: Blake Burkhart +Signed-off-by: Jeff King +Signed-off-by: Junio C Hamano + +Upstream-Status: Backport + +http://archive.ubuntu.com/ubuntu/pool/main/g/git/git_2.5.0-1ubuntu0.1.debian.tar.xz + +CVE: CVE-2015-7545 #2 +Singed-off-by: Armin Kuster + +--- + git-submodule.sh | 9 +++++++++ + t/t5815-submodule-protos.sh | 43 +++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 52 insertions(+) + create mode 100755 t/t5815-submodule-protos.sh + +diff --git a/git-submodule.sh b/git-submodule.sh +index 36797c3..78c2740 100755 +--- a/git-submodule.sh ++++ b/git-submodule.sh +@@ -22,6 +22,15 @@ require_work_tree + wt_prefix=$(git rev-parse --show-prefix) + cd_to_toplevel + ++# Restrict ourselves to a vanilla subset of protocols; the URLs ++# we get are under control of a remote repository, and we do not ++# want them kicking off arbitrary git-remote-* programs. ++# ++# If the user has already specified a set of allowed protocols, ++# we assume they know what they're doing and use that instead. ++: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh} ++export GIT_ALLOW_PROTOCOL ++ + command= + branch= + force= +diff --git a/t/t5815-submodule-protos.sh b/t/t5815-submodule-protos.sh +new file mode 100755 +index 0000000..06f55a1 +--- /dev/null ++++ b/t/t5815-submodule-protos.sh +@@ -0,0 +1,43 @@ ++#!/bin/sh ++ ++test_description='test protocol whitelisting with submodules' ++. ./test-lib.sh ++. "$TEST_DIRECTORY"/lib-proto-disable.sh ++ ++setup_ext_wrapper ++setup_ssh_wrapper ++ ++test_expect_success 'setup repository with submodules' ' ++ mkdir remote && ++ git init remote/repo.git && ++ (cd remote/repo.git && test_commit one) && ++ # submodule-add should probably trust what we feed it on the cmdline, ++ # but its implementation is overly conservative. ++ GIT_ALLOW_PROTOCOL=ssh git submodule add remote:repo.git ssh-module && ++ GIT_ALLOW_PROTOCOL=ext git submodule add "ext::fake-remote %S repo.git" ext-module && ++ git commit -m "add submodules" ++' ++ ++test_expect_success 'clone with recurse-submodules fails' ' ++ test_must_fail git clone --recurse-submodules . dst ++' ++ ++test_expect_success 'setup individual updates' ' ++ rm -rf dst && ++ git clone . dst && ++ git -C dst submodule init ++' ++ ++test_expect_success 'update of ssh allowed' ' ++ git -C dst submodule update ssh-module ++' ++ ++test_expect_success 'update of ext not allowed' ' ++ test_must_fail git -C dst submodule update ext-module ++' ++ ++test_expect_success 'user can override whitelist' ' ++ GIT_ALLOW_PROTOCOL=ext git -C dst submodule update ext-module ++' ++ ++test_done -- cgit v1.2.3-54-g00ecf