From e006c87e225a8bf1c0338b54fbbdbfbcd3634ff6 Mon Sep 17 00:00:00 2001 From: Minjae Kim Date: Thu, 25 Nov 2021 19:49:12 +0900 Subject: git: fix CVE-2021-40330 git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring. Upstream-Status: Backport [https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473] CVE: CVE-2021-40330 (From OE-Core rev: ea0d7ef4a8c9bba94bd603ebd19e502faa86293b) Signed-off-by: Minjae Kim Signed-off-by: Steve Sakoman Signed-off-by: Richard Purdie --- meta/recipes-devtools/git/git.inc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'meta/recipes-devtools/git/git.inc') diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc index 2b75bed055..a89dd42e8b 100644 --- a/meta/recipes-devtools/git/git.inc +++ b/meta/recipes-devtools/git/git.inc @@ -10,7 +10,9 @@ PROVIDES_append_class-native = " git-replacement-native" SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \ file://CVE-2021-21300.patch \ - file://fixsort.patch" + file://fixsort.patch \ + file://CVE-2021-40330.patch \ + " S = "${WORKDIR}/git-${PV}" -- cgit v1.2.3-54-g00ecf