From 3412c7b7131fb3b94075d5c654df1908701f64a2 Mon Sep 17 00:00:00 2001 From: Li Zhou Date: Mon, 27 Apr 2020 17:17:49 +0800 Subject: git: Security Advisory - git - CVE-2020-11008 Backport the 1st -- 9th patches listed by to solve CVE-2020-11008. Also backport the 2nd -- 4th patches listed by for CVE-2020-5260 (not necessary, and only the 1st patch is necessary for this CVE), because some of the above 9 patches are based on them. (From OE-Core rev: 63c7f76912f097cdfb95296778c42887b7336925) Signed-off-by: Li Zhou Signed-off-by: Anuj Mittal Signed-off-by: Richard Purdie --- .../git/git/CVE-2020-11008-6.patch | 84 ++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-6.patch (limited to 'meta/recipes-devtools/git/git/CVE-2020-11008-6.patch') diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch new file mode 100644 index 0000000000..6b36893030 --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch 
@@ -0,0 +1,84 @@ +From 883508bcebe87fbe7fb7392272e930c27c30fdc2 Mon Sep 17 00:00:00 2001 +From: Jeff King +Date: Sat, 18 Apr 2020 20:53:09 -0700 +Subject: [PATCH 09/12] credential: die() when parsing invalid urls + +When we try to initialize credential loading by URL and find that the +URL is invalid, we set all fields to NULL in order to avoid acting on +malicious input. Later when we request credentials, we diagonse the +erroneous input: + + fatal: refusing to work with credential missing host field + +This is problematic in two ways: + +- The message doesn't tell the user *why* we are missing the host + field, so they can't tell from this message alone how to recover. + There can be intervening messages after the original warning of + bad input, so the user may not have the context to put two and two + together. + +- The error only occurs when we actually need to get a credential. If + the URL permits anonymous access, the only encouragement the user gets + to correct their bogus URL is a quiet warning. + + This is inconsistent with the check we perform in fsck, where any use + of such a URL as a submodule is an error. + +When we see such a bogus URL, let's not try to be nice and continue +without helpers. Instead, die() immediately. This is simpler and +obviously safe. And there's very little chance of disrupting a normal +workflow. + +It's _possible_ that somebody has a legitimate URL with a raw newline in +it. It already wouldn't work with credential helpers, so this patch +steps that up from an inconvenience to "we will refuse to work with it +at all". If such a case does exist, we should figure out a way to work +with it (especially if the newline is only in the path component, which +we normally don't even pass to helpers). But until we see a real report, +we're better off being defensive. 
+ +Reported-by: Carlo Arenas +Signed-off-by: Jeff King +Signed-off-by: Jonathan Nieder + +Upstream-Status: Backport +CVE: CVE-2020-11008 (6) +Signed-off-by: Li Zhou +--- + credential.c | 6 ++---- + t/t0300-credentials.sh | 3 +-- + 2 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/credential.c b/credential.c +index e08ed84..22649d5 100644 +--- a/credential.c ++++ b/credential.c +@@ -408,8 +408,6 @@ int credential_from_url_gently(struct credential *c, const char *url, + + void credential_from_url(struct credential *c, const char *url) + { +- if (credential_from_url_gently(c, url, 0) < 0) { +- warning(_("skipping credential lookup for url: %s"), url); +- credential_clear(c); +- } ++ if (credential_from_url_gently(c, url, 0) < 0) ++ die(_("credential url cannot be parsed: %s"), url); + } +diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh +index 646f845..efed3ea 100755 +--- a/t/t0300-credentials.sh ++++ b/t/t0300-credentials.sh +@@ -406,8 +406,7 @@ test_expect_success 'url parser rejects embedded newlines' ' + EOF + cat >expect <<-\EOF && + warning: url contains a newline in its host component: https://one.example.com?%0ahost=two.example.com/ +- warning: skipping credential lookup for url: https://one.example.com?%0ahost=two.example.com/ +- fatal: refusing to work with credential missing host field ++ fatal: credential url cannot be parsed: https://one.example.com?%0ahost=two.example.com/ + EOF + test_i18ncmp expect stderr + ' +-- +1.9.1 + -- cgit v1.2.3-54-g00ecf
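Review bot: In the credential.c hunk, credential_from_url() now never returns on a malformed URL, so every caller of the non-gently variant must be on a path where aborting the process is acceptable; the `credential_from_url_gently(c, url, 0)` call in the context line is the only place error handling survives, and callers that have to tolerate a bad URL (for example to allow anonymous access, as the description mentions) should be moved to the `_gently` form rather than rely on the old warning-and-clear behaviour. Since `quiet` is passed as 0, the parser's own "url contains a newline in its host component" warning is still printed before the die(), which is what gives the user the cause the description says was missing. Separately, the `Upstream-Status: Backport` trailer would be more useful with a reference to the upstream commit; the `From 883508bcebe87fbe7fb7392272e930c27c30fdc2` header carries the id, but the trailer is where OE tooling and reviewers look for it.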
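Review bot: The t/t0300-credentials.sh hunk keeps the first `warning: url contains a newline in its host component: ...` line in `expect` and only swaps the two old lines for the single `fatal: credential url cannot be parsed: ...` line, which correctly pins both the diagnostic and the new hard failure; it would be worth confirming the test still exercises the `test_must_fail`/exit-code side of this path, since the hunk shows only the stderr comparison via `test_i18ncmp expect stderr` and a die() changes the exit status, not just the message.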