summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLi Zhou <li.zhou@windriver.com>2020-04-21 16:18:04 +0800
committerAnuj Mittal <anuj.mittal@intel.com>2020-04-28 10:18:09 +0800
commite4c3adbaae41147f921dde638b25911d1f5422e1 (patch)
tree4d0319d7ddc76612361696f92420922760ee354c
parent807d416cb8b01de4dbb96236653bb47447018ad0 (diff)
downloadopenembedded-core-contrib-e4c3adbaae41147f921dde638b25911d1f5422e1.tar.gz
openembedded-core-contrib-e4c3adbaae41147f921dde638b25911d1f5422e1.tar.bz2
openembedded-core-contrib-e4c3adbaae41147f921dde638b25911d1f5422e1.zip
git: Security Advisory - git - CVE-2020-5260
Backport patch from <https://github.com/git/git/commit/ 9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b> to solve CVE-2020-5260. Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
-rw-r--r--meta/recipes-devtools/git/git.inc4
-rw-r--r--meta/recipes-devtools/git/git/CVE-2020-5260.patch65
2 files changed, 68 insertions, 1 deletions
diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
index 6e137432f0..176423e972 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -7,7 +7,9 @@ DEPENDS = "openssl curl zlib expat"
PROVIDES_append_class-native = " git-replacement-native"
SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
- ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages"
+ ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
+ file://CVE-2020-5260.patch \
+ "
S = "${WORKDIR}/git-${PV}"
diff --git a/meta/recipes-devtools/git/git/CVE-2020-5260.patch b/meta/recipes-devtools/git/git/CVE-2020-5260.patch
new file mode 100644
index 0000000000..d03e701a8f
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-5260.patch
@@ -0,0 +1,65 @@
+From 9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Wed, 11 Mar 2020 17:53:41 -0400
+Subject: [PATCH] credential: avoid writing values with newlines
+
+The credential protocol that we use to speak to helpers can't represent
+values with newlines in them. This was an intentional design choice to
+keep the protocol simple, since none of the values we pass should
+generally have newlines.
+
+However, if we _do_ encounter a newline in a value, we blindly transmit
+it in credential_write(). Such values may break the protocol syntax, or
+worse, inject new valid lines into the protocol stream.
+
+The most likely way for a newline to end up in a credential struct is by
+decoding a URL with a percent-encoded newline. However, since the bug
+occurs at the moment we write the value to the protocol, we'll catch it
+there. That should leave no possibility of accidentally missing a code
+path that can trigger the problem.
+
+At this level of the code we have little choice but to die(). However,
+since we'd not ever expect to see this case outside of a malicious URL,
+that's an acceptable outcome.
+
+Reported-by: Felix Wilhelm <fwilhelm@google.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-5260
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ credential.c | 2 ++
+ t/t0300-credentials.sh | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/credential.c b/credential.c
+index 9747f47..00ee4d6 100644
+--- a/credential.c
++++ b/credential.c
+@@ -194,6 +194,8 @@ static void credential_write_item(FILE *fp, const char *key, const char *value)
+ {
+ if (!value)
+ return;
++ if (strchr(value, '\n'))
++ die("credential value for %s contains newline", key);
+ fprintf(fp, "%s=%s\n", key, value);
+ }
+
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index 03bd31e..15cc3c5 100755
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -309,4 +309,10 @@ test_expect_success 'empty helper spec resets helper list' '
+ EOF
+ '
+
++test_expect_success 'url parser rejects embedded newlines' '
++ test_must_fail git credential fill <<-\EOF
++ url=https://one.example.com?%0ahost=two.example.com/
++ EOF
++'
++
+ test_done
+--
+1.9.1
+