diff options
Diffstat (limited to 'yocto-poky/meta/recipes-devtools/git/git-2.5.0/0010-CVE-2015-7545-3.patch')
-rw-r--r-- | yocto-poky/meta/recipes-devtools/git/git-2.5.0/0010-CVE-2015-7545-3.patch | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/yocto-poky/meta/recipes-devtools/git/git-2.5.0/0010-CVE-2015-7545-3.patch b/yocto-poky/meta/recipes-devtools/git/git-2.5.0/0010-CVE-2015-7545-3.patch new file mode 100644 index 000000000..b6edc9d7c --- /dev/null +++ b/yocto-poky/meta/recipes-devtools/git/git-2.5.0/0010-CVE-2015-7545-3.patch @@ -0,0 +1,112 @@ +From 5088d3b38775f8ac12d7f77636775b16059b67ef Mon Sep 17 00:00:00 2001 +From: Jeff King <peff@peff.net> +Date: Tue, 22 Sep 2015 18:03:49 -0400 +Subject: [PATCH] transport: refactor protocol whitelist code + +The current callers only want to die when their transport is +prohibited. But future callers want to query the mechanism +without dying. + +Let's break out a few query functions, and also save the +results in a static list so we don't have to re-parse for +each query. + +Based-on-a-patch-by: Blake Burkhart <bburky@bburky.com> +Signed-off-by: Jeff King <peff@peff.net> +Signed-off-by: Junio C Hamano <gitster@pobox.com> + +Upstream-Status: Backport + +http://archive.ubuntu.com/ubuntu/pool/main/g/git/git_2.5.0-1ubuntu0.1.debian.tar.xz + +CVE: CVE-2015-7545 #3 +Singed-off-by: Armin Kuster <akuster@mvista.com> + +--- + transport.c | 38 ++++++++++++++++++++++++++++++-------- + transport.h | 15 +++++++++++++-- + 2 files changed, 43 insertions(+), 10 deletions(-) + +Index: git-2.5.0/transport.c +=================================================================== +--- git-2.5.0.orig/transport.c 2015-12-11 12:47:09.547784038 -0500 ++++ git-2.5.0/transport.c 2015-12-11 12:47:09.543784009 -0500 +@@ -912,18 +912,40 @@ + return strchr(url, ':') - url; + } + +-void transport_check_allowed(const char *type) ++static const struct string_list *protocol_whitelist(void) + { +- struct string_list allowed = STRING_LIST_INIT_DUP; +- const char *v = getenv("GIT_ALLOW_PROTOCOL"); ++ static int enabled = -1; ++ static struct string_list allowed = STRING_LIST_INIT_DUP; ++ ++ if (enabled < 0) { ++ const char *v = getenv("GIT_ALLOW_PROTOCOL"); ++ if (v) { ++ string_list_split(&allowed, v, ':', -1); ++ string_list_sort(&allowed); ++ enabled = 1; ++ } else { ++ enabled = 0; ++ } ++ } ++ ++ return enabled ? &allowed : NULL; ++} + +- if (!v) +- return; ++int is_transport_allowed(const char *type) ++{ ++ const struct string_list *allowed = protocol_whitelist(); ++ return !allowed || string_list_has_string(allowed, type); ++} + +- string_list_split(&allowed, v, ':', -1); +- if (!unsorted_string_list_has_string(&allowed, type)) ++void transport_check_allowed(const char *type) ++{ ++ if (!is_transport_allowed(type)) + die("transport '%s' not allowed", type); +- string_list_clear(&allowed, 0); ++} ++ ++int transport_restrict_protocols(void) ++{ ++ return !!protocol_whitelist(); + } + + struct transport *transport_get(struct remote *remote, const char *url) +Index: git-2.5.0/transport.h +=================================================================== +--- git-2.5.0.orig/transport.h 2015-12-11 12:47:09.547784038 -0500 ++++ git-2.5.0/transport.h 2015-12-11 12:47:09.543784009 -0500 +@@ -134,12 +134,23 @@ + struct transport *transport_get(struct remote *, const char *); + + /* ++ * Check whether a transport is allowed by the environment. Type should ++ * generally be the URL scheme, as described in Documentation/git.txt ++ */ ++int is_transport_allowed(const char *type); ++ ++/* + * Check whether a transport is allowed by the environment, +- * and die otherwise. type should generally be the URL scheme, +- * as described in Documentation/git.txt ++ * and die otherwise. + */ + void transport_check_allowed(const char *type); + ++/* ++ * Returns true if the user has attempted to turn on protocol ++ * restrictions at all. ++ */ ++int transport_restrict_protocols(void); ++ + /* Transport options which apply to git:// and scp-style URLs */ + + /* The program to use on the remote side to send a pack */ |