git: Security fixes CVE-2015-7545

CVE-2015-7545 git: arbitrary code execution via crafted URLs

(From OE-Core rev: 0c4bdd61acbc1fa1b9bfb167d8eaf90c8bccc25c)

Signed-off-by: Armin Kuster <akuster@mvista.com>

Already in Jethro, not needed in master due to shipping a version of git
which is already fixes (> 2.6.1)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

6 files changed, 888 insertions, 0 deletions

diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_1.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_1.patch
new file mode 100644
index 0000000000..6bea2268dc
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_1.patch
@@ -0,0 +1,445 @@
+From a5adaced2e13c135d5d9cc65be9eb95aa3bacedf Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Wed, 16 Sep 2015 13:12:52 -0400
+Subject: [PATCH] transport: add a protocol-whitelist environment variable
+
+If we are cloning an untrusted remote repository into a
+sandbox, we may also want to fetch remote submodules in
+order to get the complete view as intended by the other
+side. However, that opens us up to attacks where a malicious
+user gets us to clone something they would not otherwise
+have access to (this is not necessarily a problem by itself,
+but we may then act on the cloned contents in a way that
+exposes them to the attacker).
+
+Ideally such a setup would sandbox git entirely away from
+high-value items, but this is not always practical or easy
+to set up (e.g., OS network controls may block multiple
+protocols, and we would want to enable some but not others).
+
+We can help this case by providing a way to restrict
+particular protocols. We use a whitelist in the environment.
+This is more annoying to set up than a blacklist, but
+defaults to safety if the set of protocols git supports
+grows). If no whitelist is specified, we continue to default
+to allowing all protocols (this is an "unsafe" default, but
+since the minority of users will want this sandboxing
+effect, it is the only sensible one).
+
+A note on the tests: ideally these would all be in a single
+test file, but the git-daemon and httpd test infrastructure
+is an all-or-nothing proposition rather than a test-by-test
+prerequisite. By putting them all together, we would be
+unable to test the file-local code on machines without
+apache.
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+/hom://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/
+CVE: CVE-2015-7545 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ Documentation/git.txt          | 32 ++++++++++++++
+ connect.c                      |  5 +++
+ t/lib-proto-disable.sh         | 96 ++++++++++++++++++++++++++++++++++++++++++
+ t/t5810-proto-disable-local.sh | 14 ++++++
+ t/t5811-proto-disable-git.sh   | 20 +++++++++
+ t/t5812-proto-disable-http.sh  | 20 +++++++++
+ t/t5813-proto-disable-ssh.sh   | 20 +++++++++
+ t/t5814-proto-disable-ext.sh   | 18 ++++++++
+ transport-helper.c             |  2 +
+ transport.c                    | 21 ++++++++-
+ transport.h                    |  7 +++
+ 11 files changed, 254 insertions(+), 1 deletion(-)
+ create mode 100644 t/lib-proto-disable.sh
+ create mode 100755 t/t5810-proto-disable-local.sh
+ create mode 100755 t/t5811-proto-disable-git.sh
+ create mode 100755 t/t5812-proto-disable-http.sh
+ create mode 100755 t/t5813-proto-disable-ssh.sh
+ create mode 100755 t/t5814-proto-disable-ext.sh
+
+Index: git-2.3.0/Documentation/git.txt
+===================================================================
+--- git-2.3.0.orig/Documentation/git.txt
++++ git-2.3.0/Documentation/git.txt
+@@ -1023,6 +1023,38 @@ GIT_ICASE_PATHSPECS::
+        variable when it is invoked as the top level command by the
+        end user, to be recorded in the body of the reflog.
+ 
++`GIT_ALLOW_PROTOCOL`::
++       If set, provide a colon-separated list of protocols which are
++       allowed to be used with fetch/push/clone. This is useful to
++       restrict recursive submodule initialization from an untrusted
++       repository. Any protocol not mentioned will be disallowed (i.e.,
++       this is a whitelist, not a blacklist). If the variable is not
++       set at all, all protocols are enabled.  The protocol names
++       currently used by git are:
++
++         - `file`: any local file-based path (including `file://` URLs,
++           or local paths)
++
++         - `git`: the anonymous git protocol over a direct TCP
++           connection (or proxy, if configured)
++
++         - `ssh`: git over ssh (including `host:path` syntax,
++           `git+ssh://`, etc).
++
++         - `rsync`: git over rsync
++
++         - `http`: git over http, both "smart http" and "dumb http".
++           Note that this does _not_ include `https`; if you want both,
++           you should specify both as `http:https`.
++
++         - any external helpers are named by their protocol (e.g., use
++           `hg` to allow the `git-remote-hg` helper)
+++
++Note that this controls only git's internal protocol selection.
++If libcurl is used (e.g., by the `http` transport), it may
++redirect to other protocols. There is not currently any way to
++restrict this.
++
+ 
+ Discussion[[Discussion]]
+ ------------------------
+Index: git-2.3.0/connect.c
+===================================================================
+--- git-2.3.0.orig/connect.c
++++ git-2.3.0/connect.c
+@@ -9,6 +9,7 @@
+ #include "url.h"
+ #include "string-list.h"
+ #include "sha1-array.h"
++#include "transport.h"
+ 
+ static char *server_capabilities;
+ static const char *parse_feature_value(const char *, const char *, int *);
+@@ -674,6 +675,9 @@ struct child_process *git_connect(int fd
+                 * cannot connect.
+                 */
+                char *target_host = xstrdup(hostandport);
++
++        transport_check_allowed("git");
++
+                if (git_use_proxy(hostandport))
+                        conn = git_proxy_connect(fd, hostandport);
+                else
+@@ -704,6 +708,7 @@ struct child_process *git_connect(int fd
+                        int putty;
+                        char *ssh_host = hostandport;
+                        const char *port = NULL;
++                       transport_check_allowed("ssh");
+                        get_host_and_port(&ssh_host, &port);
+                        port = get_port_numeric(port);
+ 
+@@ -731,6 +736,7 @@ struct child_process *git_connect(int fd
+                        /* remove repo-local variables from the environment */
+                        conn->env = local_repo_env;
+                        conn->use_shell = 1;
++                       transport_check_allowed("file");
+                }
+                argv_array_push(&conn->args, cmd.buf);
+ 
+Index: git-2.3.0/t/lib-proto-disable.sh
+===================================================================
+--- /dev/null
++++ git-2.3.0/t/lib-proto-disable.sh
+@@ -0,0 +1,96 @@
++# Test routines for checking protocol disabling.
++
++# test cloning a particular protocol
++#   $1 - description of the protocol
++#   $2 - machine-readable name of the protocol
++#   $3 - the URL to try cloning
++test_proto () {
++       desc=$1
++       proto=$2
++       url=$3
++
++       test_expect_success "clone $1 (enabled)" '
++               rm -rf tmp.git &&
++               (
++                       GIT_ALLOW_PROTOCOL=$proto &&
++                       export GIT_ALLOW_PROTOCOL &&
++                       git clone --bare "$url" tmp.git
++               )
++       '
++
++       test_expect_success "fetch $1 (enabled)" '
++               (
++                       cd tmp.git &&
++                       GIT_ALLOW_PROTOCOL=$proto &&
++                       export GIT_ALLOW_PROTOCOL &&
++                       git fetch
++               )
++       '
++
++       test_expect_success "push $1 (enabled)" '
++               (
++                       cd tmp.git &&
++                       GIT_ALLOW_PROTOCOL=$proto &&
++                       export GIT_ALLOW_PROTOCOL &&
++                       git push origin HEAD:pushed
++               )
++       '
++
++       test_expect_success "push $1 (disabled)" '
++               (
++                       cd tmp.git &&
++                       GIT_ALLOW_PROTOCOL=none &&
++                       export GIT_ALLOW_PROTOCOL &&
++                       test_must_fail git push origin HEAD:pushed
++               )
++       '
++
++       test_expect_success "fetch $1 (disabled)" '
++               (
++                       cd tmp.git &&
++                       GIT_ALLOW_PROTOCOL=none &&
++                       export GIT_ALLOW_PROTOCOL &&
++                       test_must_fail git fetch
++               )
++       '
++
++       test_expect_success "clone $1 (disabled)" '
++               rm -rf tmp.git &&
++               (
++                       GIT_ALLOW_PROTOCOL=none &&
++                       export GIT_ALLOW_PROTOCOL &&
++                       test_must_fail git clone --bare "$url" tmp.git
++               )
++       '
++}
++
++# set up an ssh wrapper that will access $host/$repo in the
++# trash directory, and enable it for subsequent tests.
++setup_ssh_wrapper () {
++       test_expect_success 'setup ssh wrapper' '
++               write_script ssh-wrapper <<-\EOF &&
++               echo >&2 "ssh: $*"
++               host=$1; shift
++               cd "$TRASH_DIRECTORY/$host" &&
++               eval "$*"
++               EOF
++               GIT_SSH="$PWD/ssh-wrapper" &&
++               export GIT_SSH &&
++               export TRASH_DIRECTORY
++       '
++}
++
++# set up a wrapper that can be used with remote-ext to
++# access repositories in the "remote" directory of trash-dir,
++# like "ext::fake-remote %S repo.git"
++setup_ext_wrapper () {
++       test_expect_success 'setup ext wrapper' '
++               write_script fake-remote <<-\EOF &&
++               echo >&2 "fake-remote: $*"
++               cd "$TRASH_DIRECTORY/remote" &&
++               eval "$*"
++               EOF
++               PATH=$TRASH_DIRECTORY:$PATH &&
++               export TRASH_DIRECTORY
++       '
++}
+Index: git-2.3.0/t/t5810-proto-disable-local.sh
+===================================================================
+--- /dev/null
++++ git-2.3.0/t/t5810-proto-disable-local.sh
+@@ -0,0 +1,14 @@
++#!/bin/sh
++
++test_description='test disabling of local paths in clone/fetch'
++. ./test-lib.sh
++. "$TEST_DIRECTORY/lib-proto-disable.sh"
++
++test_expect_success 'setup repository to clone' '
++       test_commit one
++'
++
++test_proto "file://" file "file://$PWD"
++test_proto "path" file .
++
++test_done
+Index: git-2.3.0/t/t5811-proto-disable-git.sh
+===================================================================
+--- /dev/null
++++ git-2.3.0/t/t5811-proto-disable-git.sh
+@@ -0,0 +1,20 @@
++#!/bin/sh
++
++test_description='test disabling of git-over-tcp in clone/fetch'
++. ./test-lib.sh
++. "$TEST_DIRECTORY/lib-proto-disable.sh"
++. "$TEST_DIRECTORY/lib-git-daemon.sh"
++start_git_daemon
++
++test_expect_success 'create git-accessible repo' '
++       bare="$GIT_DAEMON_DOCUMENT_ROOT_PATH/repo.git" &&
++       test_commit one &&
++       git --bare init "$bare" &&
++       git push "$bare" HEAD &&
++       >"$bare/git-daemon-export-ok" &&
++       git -C "$bare" config daemon.receivepack true
++'
++
++test_proto "git://" git "$GIT_DAEMON_URL/repo.git"
++
++test_done
+Index: git-2.3.0/t/t5812-proto-disable-http.sh
+===================================================================
+--- /dev/null
++++ git-2.3.0/t/t5812-proto-disable-http.sh
+@@ -0,0 +1,20 @@
++#!/bin/sh
++
++test_description='test disabling of git-over-http in clone/fetch'
++. ./test-lib.sh
++. "$TEST_DIRECTORY/lib-proto-disable.sh"
++. "$TEST_DIRECTORY/lib-httpd.sh"
++start_httpd
++
++test_expect_success 'create git-accessible repo' '
++       bare="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
++       test_commit one &&
++       git --bare init "$bare" &&
++       git push "$bare" HEAD &&
++       git -C "$bare" config http.receivepack true
++'
++
++test_proto "smart http" http "$HTTPD_URL/smart/repo.git"
++
++stop_httpd
++test_done
+Index: git-2.3.0/t/t5813-proto-disable-ssh.sh
+===================================================================
+--- /dev/null
++++ git-2.3.0/t/t5813-proto-disable-ssh.sh
+@@ -0,0 +1,20 @@
++#!/bin/sh
++
++test_description='test disabling of git-over-ssh in clone/fetch'
++. ./test-lib.sh
++. "$TEST_DIRECTORY/lib-proto-disable.sh"
++
++setup_ssh_wrapper
++
++test_expect_success 'setup repository to clone' '
++       test_commit one &&
++       mkdir remote &&
++       git init --bare remote/repo.git &&
++       git push remote/repo.git HEAD
++'
++
++test_proto "host:path" ssh "remote:repo.git"
++test_proto "ssh://" ssh "ssh://remote/$PWD/remote/repo.git"
++test_proto "git+ssh://" ssh "git+ssh://remote/$PWD/remote/repo.git"
++
++test_done
+Index: git-2.3.0/t/t5814-proto-disable-ext.sh
+===================================================================
+--- /dev/null
++++ git-2.3.0/t/t5814-proto-disable-ext.sh
+@@ -0,0 +1,18 @@
++#!/bin/sh
++
++test_description='test disabling of remote-helper paths in clone/fetch'
++. ./test-lib.sh
++. "$TEST_DIRECTORY/lib-proto-disable.sh"
++
++setup_ext_wrapper
++
++test_expect_success 'setup repository to clone' '
++       test_commit one &&
++       mkdir remote &&
++       git init --bare remote/repo.git &&
++       git push remote/repo.git HEAD
++'
++
++test_proto "remote-helper" ext "ext::fake-remote %S repo.git"
++
++test_done
+Index: git-2.3.0/transport-helper.c
+===================================================================
+--- git-2.3.0.orig/transport-helper.c
++++ git-2.3.0/transport-helper.c
+@@ -1036,6 +1036,8 @@ int transport_helper_init(struct transpo
+        struct helper_data *data = xcalloc(1, sizeof(*data));
+        data->name = name;
+ 
++       transport_check_allowed(name);
++
+        if (getenv("GIT_TRANSPORT_HELPER_DEBUG"))
+                debug = 1;
+ 
+Index: git-2.3.0/transport.c
+===================================================================
+--- git-2.3.0.orig/transport.c
++++ git-2.3.0/transport.c
+@@ -907,6 +907,20 @@ static int external_specification_len(co
+        return strchr(url, ':') - url;
+ }
+ 
++void transport_check_allowed(const char *type)
++{
++       struct string_list allowed = STRING_LIST_INIT_DUP;
++       const char *v = getenv("GIT_ALLOW_PROTOCOL");
++
++       if (!v)
++               return;
++
++       string_list_split(&allowed, v, ':', -1);
++       if (!unsorted_string_list_has_string(&allowed, type))
++               die("transport '%s' not allowed", type);
++       string_list_clear(&allowed, 0);
++}
++
+ struct transport *transport_get(struct remote *remote, const char *url)
+ {
+        const char *helper;
+@@ -938,12 +952,14 @@ struct transport *transport_get(struct r
+        if (helper) {
+                transport_helper_init(ret, helper);
+        } else if (starts_with(url, "rsync:")) {
++               transport_check_allowed("rsync");
+                ret->get_refs_list = get_refs_via_rsync;
+                ret->fetch = fetch_objs_via_rsync;
+                ret->push = rsync_transport_push;
+                ret->smart_options = NULL;
+        } else if (url_is_local_not_ssh(url) && is_file(url) && is_bundle(url, 1)) {
+                struct bundle_transport_data *data = xcalloc(1, sizeof(*data));
++               transport_check_allowed("file");
+                ret->data = data;
+                ret->get_refs_list = get_refs_from_bundle;
+                ret->fetch = fetch_refs_from_bundle;
+@@ -955,7 +971,10 @@ struct transport *transport_get(struct r
+                || starts_with(url, "ssh://")
+                || starts_with(url, "git+ssh://")
+                || starts_with(url, "ssh+git://")) {
+-               /* These are builtin smart transports. */
++               /*
++                * These are builtin smart transports; "allowed" transports
++                * will be checked individually in git_connect.
++                */
+                struct git_transport_data *data = xcalloc(1, sizeof(*data));
+                ret->data = data;
+                ret->set_option = NULL;
+Index: git-2.3.0/transport.h
+===================================================================
+--- git-2.3.0.orig/transport.h
++++ git-2.3.0/transport.h
+@@ -132,6 +132,13 @@ struct transport {
+ /* Returns a transport suitable for the url */
+ struct transport *transport_get(struct remote *, const char *);
+ 
++/*
++ * Check whether a transport is allowed by the environment,
++ * and die otherwise. type should generally be the URL scheme,
++ * as described in Documentation/git.txt
++ */
++void transport_check_allowed(const char *type);
++
+ /* Transport options which apply to git:// and scp-style URLs */
+ 
+ /* The program to use on the remote side to send a pack */
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch
new file mode 100644
index 0000000000..8912b6a48e
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch
@@ -0,0 +1,113 @@
+From 33cfccbbf35a56e190b79bdec5c85457c952a021 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Wed, 16 Sep 2015 13:13:12 -0400
+Subject: [PATCH] submodule: allow only certain protocols for submodule fetches
+
+Some protocols (like git-remote-ext) can execute arbitrary
+code found in the URL. The URLs that submodules use may come
+from arbitrary sources (e.g., .gitmodules files in a remote
+repository). Let's restrict submodules to fetching from a
+known-good subset of protocols.
+
+Note that we apply this restriction to all submodule
+commands, whether the URL comes from .gitmodules or not.
+This is more restrictive than we need to be; for example, in
+the tests we run:
+
+  git submodule add ext::...
+
+which should be trusted, as the URL comes directly from the
+command line provided by the user. But doing it this way is
+simpler, and makes it much less likely that we would miss a
+case. And since such protocols should be an exception
+(especially because nobody who clones from them will be able
+to update the submodules!), it's not likely to inconvenience
+anyone in practice.
+
+Reported-by: Blake Burkhart <bburky@bburky.com>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/
+CVE: CVE-2015-7545 patch #1 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ git-submodule.sh            |  9 +++++++++
+ t/t5815-submodule-protos.sh | 43 +++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+)
+ create mode 100755 t/t5815-submodule-protos.sh
+
+diff --git a/git-submodule.sh b/git-submodule.sh
+index 36797c3..78c2740 100755
+--- a/git-submodule.sh
++++ b/git-submodule.sh
+@@ -22,6 +22,15 @@ require_work_tree
+ wt_prefix=$(git rev-parse --show-prefix)
+ cd_to_toplevel
+ 
++# Restrict ourselves to a vanilla subset of protocols; the URLs
++# we get are under control of a remote repository, and we do not
++# want them kicking off arbitrary git-remote-* programs.
++#
++# If the user has already specified a set of allowed protocols,
++# we assume they know what they're doing and use that instead.
++: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh}
++export GIT_ALLOW_PROTOCOL
++
+ command=
+ branch=
+ force=
+diff --git a/t/t5815-submodule-protos.sh b/t/t5815-submodule-protos.sh
+new file mode 100755
+index 0000000..06f55a1
+--- /dev/null
++++ b/t/t5815-submodule-protos.sh
+@@ -0,0 +1,43 @@
++#!/bin/sh
++
++test_description='test protocol whitelisting with submodules'
++. ./test-lib.sh
++. "$TEST_DIRECTORY"/lib-proto-disable.sh
++
++setup_ext_wrapper
++setup_ssh_wrapper
++
++test_expect_success 'setup repository with submodules' '
++       mkdir remote &&
++       git init remote/repo.git &&
++       (cd remote/repo.git && test_commit one) &&
++       # submodule-add should probably trust what we feed it on the cmdline,
++       # but its implementation is overly conservative.
++       GIT_ALLOW_PROTOCOL=ssh git submodule add remote:repo.git ssh-module &&
++       GIT_ALLOW_PROTOCOL=ext git submodule add "ext::fake-remote %S repo.git" ext-module &&
++       git commit -m "add submodules"
++'
++
++test_expect_success 'clone with recurse-submodules fails' '
++       test_must_fail git clone --recurse-submodules . dst
++'
++
++test_expect_success 'setup individual updates' '
++       rm -rf dst &&
++       git clone . dst &&
++       git -C dst submodule init
++'
++
++test_expect_success 'update of ssh allowed' '
++       git -C dst submodule update ssh-module
++'
++
++test_expect_success 'update of ext not allowed' '
++       test_must_fail git -C dst submodule update ext-module
++'
++
++test_expect_success 'user can override whitelist' '
++       GIT_ALLOW_PROTOCOL=ext git -C dst submodule update ext-module
++'
++
++test_done
+-- 
+2.3.5
+
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_3.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_3.patch
new file mode 100644
index 0000000000..623da07460
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_3.patch
@@ -0,0 +1,110 @@
+From 5088d3b38775f8ac12d7f77636775b16059b67ef Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Tue, 22 Sep 2015 18:03:49 -0400
+Subject: [PATCH] transport: refactor protocol whitelist code
+
+The current callers only want to die when their transport is
+prohibited. But future callers want to query the mechanism
+without dying.
+
+Let's break out a few query functions, and also save the
+results in a static list so we don't have to re-parse for
+each query.
+
+Based-on-a-patch-by: Blake Burkhart <bburky@bburky.com>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
+CVE: CVE-2015-7545 patch #1 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ transport.c | 38 ++++++++++++++++++++++++++++++--------
+ transport.h | 15 +++++++++++++--
+ 2 files changed, 43 insertions(+), 10 deletions(-)
+
+Index: git-2.3.0/transport.c
+===================================================================
+--- git-2.3.0.orig/transport.c
++++ git-2.3.0/transport.c
+@@ -907,18 +907,40 @@ static int external_specification_len(co
+        return strchr(url, ':') - url;
+ }
+ 
+-void transport_check_allowed(const char *type)
++static const struct string_list *protocol_whitelist(void)
+ {
+-       struct string_list allowed = STRING_LIST_INIT_DUP;
+-       const char *v = getenv("GIT_ALLOW_PROTOCOL");
++       static int enabled = -1;
++       static struct string_list allowed = STRING_LIST_INIT_DUP;
++
++       if (enabled < 0) {
++               const char *v = getenv("GIT_ALLOW_PROTOCOL");
++               if (v) {
++                       string_list_split(&allowed, v, ':', -1);
++                       string_list_sort(&allowed);
++                       enabled = 1;
++               } else {
++                       enabled = 0;
++               }
++       }
++
++       return enabled ? &allowed : NULL;
++}
+ 
+-       if (!v)
+-               return;
++int is_transport_allowed(const char *type)
++{
++       const struct string_list *allowed = protocol_whitelist();
++       return !allowed || string_list_has_string(allowed, type);
++}
+ 
+-       string_list_split(&allowed, v, ':', -1);
+-       if (!unsorted_string_list_has_string(&allowed, type))
++void transport_check_allowed(const char *type)
++{
++       if (!is_transport_allowed(type))
+                die("transport '%s' not allowed", type);
+-       string_list_clear(&allowed, 0);
++}
++
++int transport_restrict_protocols(void)
++{
++       return !!protocol_whitelist();
+ }
+ 
+ struct transport *transport_get(struct remote *remote, const char *url)
+Index: git-2.3.0/transport.h
+===================================================================
+--- git-2.3.0.orig/transport.h
++++ git-2.3.0/transport.h
+@@ -133,12 +133,23 @@ struct transport {
+ struct transport *transport_get(struct remote *, const char *);
+ 
+ /*
++ * Check whether a transport is allowed by the environment. Type should
++ * generally be the URL scheme, as described in Documentation/git.txt
++ */
++int is_transport_allowed(const char *type);
++
++/*
+  * Check whether a transport is allowed by the environment,
+- * and die otherwise. type should generally be the URL scheme,
+- * as described in Documentation/git.txt
++ * and die otherwise.
+  */
+ void transport_check_allowed(const char *type);
+ 
++/*
++ * Returns true if the user has attempted to turn on protocol
++ * restrictions at all.
++ */
++int transport_restrict_protocols(void);
++
+ /* Transport options which apply to git:// and scp-style URLs */
+ 
+ /* The program to use on the remote side to send a pack */
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch
new file mode 100644
index 0000000000..fafd3c2033
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch
@@ -0,0 +1,146 @@
+From f4113cac0c88b4f36ee6f3abf3218034440a68e3 Mon Sep 17 00:00:00 2001
+From: Blake Burkhart <bburky@bburky.com>
+Date: Tue, 22 Sep 2015 18:06:04 -0400
+Subject: [PATCH] http: limit redirection to protocol-whitelist
+
+Previously, libcurl would follow redirection to any protocol
+it was compiled for support with. This is desirable to allow
+redirection from HTTP to HTTPS. However, it would even
+successfully allow redirection from HTTP to SFTP, a protocol
+that git does not otherwise support at all. Furthermore
+git's new protocol-whitelisting could be bypassed by
+following a redirect within the remote helper, as it was
+only enforced at transport selection time.
+
+This patch limits redirects within libcurl to HTTP, HTTPS,
+FTP and FTPS. If there is a protocol-whitelist present, this
+list is limited to those also allowed by the whitelist. As
+redirection happens from within libcurl, it is impossible
+for an HTTP redirect to a protocol implemented within
+another remote helper.
+
+When the curl version git was compiled with is too old to
+support restrictions on protocol redirection, we warn the
+user if GIT_ALLOW_PROTOCOL restrictions were requested. This
+is a little inaccurate, as even without that variable in the
+environment, we would still restrict SFTP, etc, and we do
+not warn in that case. But anything else means we would
+literally warn every time git accesses an http remote.
+
+This commit includes a test, but it is not as robust as we
+would hope. It redirects an http request to ftp, and checks
+that curl complained about the protocol, which means that we
+are relying on curl's specific error message to know what
+happened. Ideally we would redirect to a working ftp server
+and confirm that we can clone without protocol restrictions,
+and not with them. But we do not have a portable way of
+providing an ftp server, nor any other protocol that curl
+supports (https is the closest, but we would have to deal
+with certificates).
+
+[jk: added test and version warning]
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
+CVE: CVE-2015-7545 patch #1 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ Documentation/git.txt         |  5 -----
+ http.c                        | 17 +++++++++++++++++
+ t/lib-httpd/apache.conf       |  1 +
+ t/t5812-proto-disable-http.sh |  9 +++++++++
+ 4 files changed, 27 insertions(+), 5 deletions(-)
+
+Index: git-2.3.0/Documentation/git.txt
+===================================================================
+--- git-2.3.0.orig/Documentation/git.txt
++++ git-2.3.0/Documentation/git.txt
+@@ -1049,11 +1049,6 @@ GIT_ICASE_PATHSPECS::
+ 
+          - any external helpers are named by their protocol (e.g., use
+            `hg` to allow the `git-remote-hg` helper)
+-+
+-Note that this controls only git's internal protocol selection.
+-If libcurl is used (e.g., by the `http` transport), it may
+-redirect to other protocols. There is not currently any way to
+-restrict this.
+ 
+ 
+ Discussion[[Discussion]]
+Index: git-2.3.0/http.c
+===================================================================
+--- git-2.3.0.orig/http.c
++++ git-2.3.0/http.c
+@@ -8,6 +8,7 @@
+ #include "credential.h"
+ #include "version.h"
+ #include "pkt-line.h"
++#include "transport.h"
+ 
+ int active_requests;
+ int http_is_verbose;
+@@ -300,6 +301,7 @@ static void set_curl_keepalive(CURL *c)
+ static CURL *get_curl_handle(void)
+ {
+        CURL *result = curl_easy_init();
++       long allowed_protocols = 0;
+ 
+        if (!result)
+                die("curl_easy_init failed");
+@@ -352,6 +354,21 @@ static CURL *get_curl_handle(void)
+ #elif LIBCURL_VERSION_NUM >= 0x071101
+        curl_easy_setopt(result, CURLOPT_POST301, 1);
+ #endif
++#if LIBCURL_VERSION_NUM >= 0x071304
++       if (is_transport_allowed("http"))
++               allowed_protocols |= CURLPROTO_HTTP;
++       if (is_transport_allowed("https"))
++               allowed_protocols |= CURLPROTO_HTTPS;
++       if (is_transport_allowed("ftp"))
++               allowed_protocols |= CURLPROTO_FTP;
++       if (is_transport_allowed("ftps"))
++               allowed_protocols |= CURLPROTO_FTPS;
++       curl_easy_setopt(result, CURLOPT_REDIR_PROTOCOLS, allowed_protocols);
++#else
++       if (transport_restrict_protocols())
++               warning("protocol restrictions not applied to curl redirects because\n"
++                       "your curl version is too old (>= 7.19.4)");
++#endif
+ 
+        if (getenv("GIT_CURL_VERBOSE"))
+                curl_easy_setopt(result, CURLOPT_VERBOSE, 1);
+Index: git-2.3.0/t/lib-httpd/apache.conf
+===================================================================
+--- git-2.3.0.orig/t/lib-httpd/apache.conf
++++ git-2.3.0/t/lib-httpd/apache.conf
+@@ -118,6 +118,7 @@ RewriteRule ^/smart-redir-perm/(.*)$ /sm
+ RewriteRule ^/smart-redir-temp/(.*)$ /smart/$1 [R=302]
+ RewriteRule ^/smart-redir-auth/(.*)$ /auth/smart/$1 [R=301]
+ RewriteRule ^/smart-redir-limited/(.*)/info/refs$ /smart/$1/info/refs [R=301]
++RewriteRule ^/ftp-redir/(.*)$ ftp://localhost:1000/$1 [R=302]
+ 
+ <IfDefine SSL>
+ LoadModule ssl_module modules/mod_ssl.so
+Index: git-2.3.0/t/t5812-proto-disable-http.sh
+===================================================================
+--- git-2.3.0.orig/t/t5812-proto-disable-http.sh
++++ git-2.3.0/t/t5812-proto-disable-http.sh
+@@ -16,5 +16,14 @@ test_expect_success 'create git-accessib
+ 
+ test_proto "smart http" http "$HTTPD_URL/smart/repo.git"
+ 
++test_expect_success 'curl redirects respect whitelist' '
++       test_must_fail env GIT_ALLOW_PROTOCOL=http:https \
++               git clone "$HTTPD_URL/ftp-redir/repo.git" 2>stderr &&
++       {
++               test_i18ngrep "ftp.*disabled" stderr ||
++               test_i18ngrep "your curl version is too old"
++       }
++'
++
+ stop_httpd
+ test_done
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch
new file mode 100644
index 0000000000..32dfbaedbe
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_5.patch
@@ -0,0 +1,67 @@
+From b258116462399b318c86165c61a5c7123043cfd4 Mon Sep 17 00:00:00 2001
+From: Blake Burkhart <bburky@bburky.com>
+Date: Tue, 22 Sep 2015 18:06:20 -0400
+Subject: [PATCH] http: limit redirection depth
+
+By default, libcurl will follow circular http redirects
+forever. Let's put a cap on this so that somebody who can
+trigger an automated fetch of an arbitrary repository (e.g.,
+for CI) cannot convince git to loop infinitely.
+
+The value chosen is 20, which is the same default that
+Firefox uses.
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+https://kernel.googlesource.com/pub/scm/git/git/+/b258116462399b318c86165c61a5c7123043cfd4%5E%21/
+CVE: CVE-2015-7545 patch #1 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ http.c                        | 1 +
+ t/lib-httpd/apache.conf       | 3 +++
+ t/t5812-proto-disable-http.sh | 4 ++++
+ 3 files changed, 8 insertions(+)
+
+Index: git-2.3.0/http.c
+===================================================================
+--- git-2.3.0.orig/http.c
++++ git-2.3.0/http.c
+@@ -349,6 +349,7 @@ static CURL *get_curl_handle(void)
+        }
+ 
+        curl_easy_setopt(result, CURLOPT_FOLLOWLOCATION, 1);
++       curl_easy_setopt(result, CURLOPT_MAXREDIRS, 20);
+ #if LIBCURL_VERSION_NUM >= 0x071301
+        curl_easy_setopt(result, CURLOPT_POSTREDIR, CURL_REDIR_POST_ALL);
+ #elif LIBCURL_VERSION_NUM >= 0x071101
+Index: git-2.3.0/t/lib-httpd/apache.conf
+===================================================================
+--- git-2.3.0.orig/t/lib-httpd/apache.conf
++++ git-2.3.0/t/lib-httpd/apache.conf
+@@ -120,6 +120,9 @@ RewriteRule ^/smart-redir-auth/(.*)$ /au
+ RewriteRule ^/smart-redir-limited/(.*)/info/refs$ /smart/$1/info/refs [R=301]
+ RewriteRule ^/ftp-redir/(.*)$ ftp://localhost:1000/$1 [R=302]
+ 
++RewriteRule ^/loop-redir/x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-(.*) /$1 [R=302]
++RewriteRule ^/loop-redir/(.*)$ /loop-redir/x-$1 [R=302]
++
+ <IfDefine SSL>
+ LoadModule ssl_module modules/mod_ssl.so
+ 
+Index: git-2.3.0/t/t5812-proto-disable-http.sh
+===================================================================
+--- git-2.3.0.orig/t/t5812-proto-disable-http.sh
++++ git-2.3.0/t/t5812-proto-disable-http.sh
+@@ -25,5 +25,9 @@ test_expect_success 'curl redirects resp
+        }
+ '
+ 
++test_expect_success 'curl limits redirects' '
++       test_must_fail git clone "$HTTPD_URL/loop-redir/smart/repo.git"
++'
++
+ stop_httpd
+ test_done
diff --git a/meta/recipes-devtools/git/git_2.3.0.bb b/meta/recipes-devtools/git/git_2.3.0.bb
index 1611f6421b..2575ed34cf 100644
--- a/meta/recipes-devtools/git/git_2.3.0.bb
+++ b/meta/recipes-devtools/git/git_2.3.0.bb
@@ -1,5 +1,12 @@
 require git.inc
 
+SRC_URI += "\
+            file://CVE-2015-7545_1.patch \
+            file://CVE-2015-7545_2.patch \
+            file://CVE-2015-7545_3.patch \
+            file://CVE-2015-7545_4.patch \
+            file://CVE-2015-7545_5.patch \
+            "
 SRC_URI[tarball.md5sum] = "edf994cf34cd3354dadcdfa6b4292335"
 SRC_URI[tarball.sha256sum] = "ba2fe814e709a5d0f034ebe82083fce7feed0899b3a8c8b3adf1c5a85d1ce9ac"
 SRC_URI[manpages.md5sum] = "620797eb73b281d0706979ae8038bbd7"