python3-git: fix for CVE-2022-24439

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. CVE: CVE-2022-24439 Upstream-Status: Backport Reference: https://github.com/gitpython-developers/GitPython/discussions/1529 https://github.com/gitpython-developers/GitPython/pull/1518 https://github.com/gitpython-developers/GitPython/pull/1521 (From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Narpat Mali <narpat.mali@windriver.com> 2023-01-12 14:58:37 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-01-26 23:37:05 +0000
commit: 07213601fd865e698b4f7f6bd61d824e9d8181d2 (patch)
tree: 1babdcb8db163079a69026de690320cb36937568 /meta/recipes-devtools/python/python3-git_3.1.27.bb
parent: fd36d262b86192bbc547f9a1e7aada5e94dccb8d (diff)
download: poky-07213601fd865e698b4f7f6bd61d824e9d8181d2.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-git_3.1.27.bb b/meta/recipes-devtools/python/python3-git_3.1.27.bb
index fb1bae8f8e..1bd1426926 100644
--- a/meta/recipes-devtools/python/python3-git_3.1.27.bb
+++ b/meta/recipes-devtools/python/python3-git_3.1.27.bb
@@ -12,6 +12,10 @@ PYPI_PACKAGE = "GitPython"
 inherit pypi python_setuptools_build_meta
+SRC_URI += "file://0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch \
+            file://0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch \
+           "
 SRC_URI[sha256sum] = "1c885ce809e8ba2d88a29befeb385fcea06338d3640712b59ca623c220bb5704"
 DEPENDS += " ${PYTHON_PN}-gitdb"
author	Narpat Mali <narpat.mali@windriver.com>	2023-01-12 14:58:37 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-01-26 23:37:05 +0000
commit	07213601fd865e698b4f7f6bd61d824e9d8181d2 (patch)
tree	1babdcb8db163079a69026de690320cb36937568 /meta/recipes-devtools/python/python3-git_3.1.27.bb
parent	fd36d262b86192bbc547f9a1e7aada5e94dccb8d (diff)
download	poky-07213601fd865e698b4f7f6bd61d824e9d8181d2.tar.gz

diff --git a/meta/recipes-devtools/python/python3-git_3.1.27.bb b/meta/recipes-devtools/python/python3-git_3.1.27.bb index fb1bae8f8e..1bd1426926 100644 --- a/meta/recipes-devtools/python/python3-git_3.1.27.bb +++ b/meta/recipes-devtools/python/python3-git_3.1.27.bb
@@ -12,6 +12,10 @@ PYPI_PACKAGE = "GitPython"
12		12
13	inherit pypi python_setuptools_build_meta	13	inherit pypi python_setuptools_build_meta
14		14
		15	SRC_URI += "file://0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch \
		16	file://0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch \
		17	"
		18
15	SRC_URI[sha256sum] = "1c885ce809e8ba2d88a29befeb385fcea06338d3640712b59ca623c220bb5704"	19	SRC_URI[sha256sum] = "1c885ce809e8ba2d88a29befeb385fcea06338d3640712b59ca623c220bb5704"
16		20
17	DEPENDS += " ${PYTHON_PN}-gitdb"	21	DEPENDS += " ${PYTHON_PN}-gitdb"