diff options
Diffstat (limited to 'poky/meta/recipes-devtools/git')
-rw-r--r-- | poky/meta/recipes-devtools/git/git/CVE-2023-25652.patch | 94 | ||||
-rw-r--r-- | poky/meta/recipes-devtools/git/git/CVE-2023-29007.patch | 162 | ||||
-rw-r--r-- | poky/meta/recipes-devtools/git/git_2.35.7.bb | 4 |
3 files changed, 260 insertions, 0 deletions
diff --git a/poky/meta/recipes-devtools/git/git/CVE-2023-25652.patch b/poky/meta/recipes-devtools/git/git/CVE-2023-25652.patch new file mode 100644 index 0000000000..825701eaff --- /dev/null +++ b/poky/meta/recipes-devtools/git/git/CVE-2023-25652.patch @@ -0,0 +1,94 @@ +From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin <Johannes.Schindelin@gmx.de> +Date: Thu Mar 9 16:02:54 2023 +0100 +Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it + exists + + The `git apply --reject` is expected to write out `.rej` files in case + one or more hunks fail to apply cleanly. Historically, the command + overwrites any existing `.rej` files. The idea being that + apply/reject/edit cycles are relatively common, and the generated `.rej` + files are not considered precious. + + But the command does not overwrite existing `.rej` symbolic links, and + instead follows them. This is unsafe because the same patch could + potentially create such a symbolic link and point at arbitrary paths + outside the current worktree, and `git apply` would write the contents + of the `.rej` file into that location. + + Therefore, let's make sure that any existing `.rej` file or symbolic + link is removed before writing it. + + Reported-by: RyotaK <ryotak.mail@gmail.com> + Helped-by: Taylor Blau <me@ttaylorr.com> + Helped-by: Junio C Hamano <gitster@pobox.com> + Helped-by: Linus Torvalds <torvalds@linuxfoundation.org> + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + +CVE: CVE-2023-25652 +Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + apply.c | 14 ++++++++++++-- + t/t4115-apply-symlink.sh | 15 +++++++++++++++ + 2 files changed, 27 insertions(+), 2 deletions(-) + +diff --git a/apply.c b/apply.c +index fc6f484..47f2686 100644 +--- a/apply.c ++++ b/apply.c +@@ -4584,7 +4584,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch) + FILE *rej; + char namebuf[PATH_MAX]; + struct fragment *frag; +- int cnt = 0; ++ int fd, cnt = 0; + struct strbuf sb = STRBUF_INIT; + + for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) { +@@ -4624,7 +4624,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch) + memcpy(namebuf, patch->new_name, cnt); + memcpy(namebuf + cnt, ".rej", 5); + +- rej = fopen(namebuf, "w"); ++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); ++ if (fd < 0) { ++ if (errno != EEXIST) ++ return error_errno(_("cannot open %s"), namebuf); ++ if (unlink(namebuf)) ++ return error_errno(_("cannot unlink '%s'"), namebuf); ++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); ++ if (fd < 0) ++ return error_errno(_("cannot open %s"), namebuf); ++ } ++ rej = fdopen(fd, "w"); + if (!rej) + return error_errno(_("cannot open %s"), namebuf); + +diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh +index 65ac7df..e95e6d4 100755 +--- a/t/t4115-apply-symlink.sh ++++ b/t/t4115-apply-symlink.sh +@@ -126,4 +126,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' ' + test_path_is_file .git/delete-me + ' + ++test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' ' ++ test_when_finished "git reset --hard && git clean -dfx" && ++ ++ test_commit file && ++ echo modified >file.t && ++ git diff -- file.t >patch && ++ echo modified-again >file.t && ++ ++ ln -s foo file.t.rej && ++ test_must_fail git apply patch --reject 2>err && ++ test_i18ngrep "Rejected hunk" err && ++ test_path_is_missing foo && ++ test_path_is_file file.t.rej ++' ++ + test_done +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/git/git/CVE-2023-29007.patch b/poky/meta/recipes-devtools/git/git/CVE-2023-29007.patch new file mode 100644 index 0000000000..472f4022b2 --- /dev/null +++ b/poky/meta/recipes-devtools/git/git/CVE-2023-29007.patch @@ -0,0 +1,162 @@ +From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001 +From: Taylor Blau <me@ttaylorr.com> +Date: Fri, 14 Apr 2023 11:46:59 -0400 +Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection' + +Avoids issues with renaming or deleting sections with long lines, where +configuration values may be interpreted as sections, leading to +configuration injection. Addresses CVE-2023-29007. + +* tb/config-copy-or-rename-in-file-injection: + config.c: disallow overly-long lines in `copy_or_rename_section_in_file()` + config.c: avoid integer truncation in `copy_or_rename_section_in_file()` + config: avoid fixed-sized buffer when renaming/deleting a section + t1300: demonstrate failure when renaming sections with long lines + +Signed-off-by: Taylor Blau <me@ttaylorr.com> + +Upstream-Status: Backport +CVE: CVE-2023-29007 + +Reference to upstream patch: +https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + config.c | 36 +++++++++++++++++++++++++----------- + t/t1300-config.sh | 30 ++++++++++++++++++++++++++++++ + 2 files changed, 55 insertions(+), 11 deletions(-) + +diff --git a/config.c b/config.c +index 2bffa8d..6a01938 100644 +--- a/config.c ++++ b/config.c +@@ -3192,9 +3192,10 @@ void git_config_set_multivar(const char *key, const char *value, + flags); + } + +-static int section_name_match (const char *buf, const char *name) ++static size_t section_name_match (const char *buf, const char *name) + { +- int i = 0, j = 0, dot = 0; ++ size_t i = 0, j = 0; ++ int dot = 0; + if (buf[i] != '[') + return 0; + for (i = 1; buf[i] && buf[i] != ']'; i++) { +@@ -3247,6 +3248,8 @@ static int section_name_is_ok(const char *name) + return 1; + } + ++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024) ++ + /* if new_name == NULL, the section is removed instead */ + static int git_config_copy_or_rename_section_in_file(const char *config_filename, + const char *old_name, +@@ -3256,11 +3259,12 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + char *filename_buf = NULL; + struct lock_file lock = LOCK_INIT; + int out_fd; +- char buf[1024]; ++ struct strbuf buf = STRBUF_INIT; + FILE *config_file = NULL; + struct stat st; + struct strbuf copystr = STRBUF_INIT; + struct config_store_data store; ++ uint32_t line_nr = 0; + + memset(&store, 0, sizeof(store)); + +@@ -3297,16 +3301,25 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + goto out; + } + +- while (fgets(buf, sizeof(buf), config_file)) { +- unsigned i; +- int length; ++ while (!strbuf_getwholeline(&buf, config_file, '\n')) { ++ size_t i, length; + int is_section = 0; +- char *output = buf; +- for (i = 0; buf[i] && isspace(buf[i]); i++) ++ char *output = buf.buf; ++ ++ line_nr++; ++ ++ if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) { ++ ret = error(_("refusing to work with overly long line " ++ "in '%s' on line %"PRIuMAX), ++ config_filename, (uintmax_t)line_nr); ++ goto out; ++ } ++ ++ for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++) + ; /* do nothing */ +- if (buf[i] == '[') { ++ if (buf.buf[i] == '[') { + /* it's a section */ +- int offset; ++ size_t offset; + is_section = 1; + + /* +@@ -3323,7 +3336,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + strbuf_reset(©str); + } + +- offset = section_name_match(&buf[i], old_name); ++ offset = section_name_match(&buf.buf[i], old_name); + if (offset > 0) { + ret++; + if (new_name == NULL) { +@@ -3398,6 +3411,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + out_no_rollback: + free(filename_buf); + config_store_data_clear(&store); ++ strbuf_release(&buf); + return ret; + } + +diff --git a/t/t1300-config.sh b/t/t1300-config.sh +index 78359f1..b07feb1 100755 +--- a/t/t1300-config.sh ++++ b/t/t1300-config.sh +@@ -617,6 +617,36 @@ test_expect_success 'renaming to bogus section is rejected' ' + test_must_fail git config --rename-section branch.zwei "bogus name" + ' + ++test_expect_success 'renaming a section with a long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %1024s [a] e = f\\n" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ git config -f y --rename-section a xyz && ++ test_must_fail git config -f y b.e ++' ++ ++test_expect_success 'renaming an embedded section with a long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %1024s [a] [foo] e = f\\n" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ git config -f y --rename-section a xyz && ++ test_must_fail git config -f y foo.e ++' ++ ++test_expect_success 'renaming a section with an overly-long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %525000s e" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ test_must_fail git config -f y --rename-section a xyz 2>err && ++ test_i18ngrep "refusing to work with overly long line in .y. on line 2" err ++' ++ + cat >> .git/config << EOF + [branch "zwei"] a = 1 [branch "vier"] + EOF +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/git/git_2.35.7.bb b/poky/meta/recipes-devtools/git/git_2.35.7.bb index faf0b67051..9e7b0a8cff 100644 --- a/poky/meta/recipes-devtools/git/git_2.35.7.bb +++ b/poky/meta/recipes-devtools/git/git_2.35.7.bb @@ -10,6 +10,8 @@ PROVIDES:append:class-native = " git-replacement-native" SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ file://fixsort.patch \ file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \ + file://CVE-2023-29007.patch \ + file://CVE-2023-25652.patch \ " S = "${WORKDIR}/git-${PV}" @@ -35,6 +37,8 @@ CVE_CHECK_IGNORE += "CVE-2022-24975" CVE_CHECK_IGNORE += "CVE-2022-41953" # specific to Git for Windows CVE_CHECK_IGNORE += "CVE-2023-22743" +# This is specific to Git-for-Windows +CVE_CHECK_IGNORE += "CVE-2023-25815" PACKAGECONFIG ??= "expat curl" PACKAGECONFIG[cvsserver] = "" |