From e4c3adbaae41147f921dde638b25911d1f5422e1 Mon Sep 17 00:00:00 2001
From: Li Zhou
Date: Tue, 21 Apr 2020 16:18:04 +0800
Subject: git: Security Advisory - git - CVE-2020-5260

Backport patch from to solve CVE-2020-5260.

Signed-off-by: Li Zhou
Signed-off-by: Anuj Mittal
---
 meta/recipes-devtools/git/git.inc | 4 +-
 meta/recipes-devtools/git/git/CVE-2020-5260.patch | 65 +++++++++++++++++++++++
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-5260.patch

diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
index 6e137432f0..176423e972 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -7,7 +7,9 @@ DEPENDS = "openssl curl zlib expat"
 PROVIDES_append_class-native = " git-replacement-native"
 SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
- ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages"
+ ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
+ file://CVE-2020-5260.patch \
+ "
 S = "${WORKDIR}/git-${PV}"
diff --git a/meta/recipes-devtools/git/git/CVE-2020-5260.patch b/meta/recipes-devtools/git/git/CVE-2020-5260.patch
new file mode 100644
index 0000000000..d03e701a8f
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-5260.patch
@@ -0,0 +1,65 @@
+From 9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b Mon Sep 17 00:00:00 2001
+From: Jeff King
+Date: Wed, 11 Mar 2020 17:53:41 -0400
+Subject: [PATCH] credential: avoid writing values with newlines
+
+The credential protocol that we use to speak to helpers can't represent
+values with newlines in them. This was an intentional design choice to
+keep the protocol simple, since none of the values we pass should
+generally have newlines.
+
+However, if we _do_ encounter a newline in a value, we blindly transmit
+it in credential_write(). Such values may break the protocol syntax, or
+worse, inject new valid lines into the protocol stream.
+
+The most likely way for a newline to end up in a credential struct is by
+decoding a URL with a percent-encoded newline. However, since the bug
+occurs at the moment we write the value to the protocol, we'll catch it
+there. That should leave no possibility of accidentally missing a code
+path that can trigger the problem.
+
+At this level of the code we have little choice but to die(). However,
+since we'd not ever expect to see this case outside of a malicious URL,
+that's an acceptable outcome.
+
+Reported-by: Felix Wilhelm
+
+Upstream-Status: Backport
+CVE: CVE-2020-5260
+Signed-off-by: Li Zhou
+---
+ credential.c | 2 ++
+ t/t0300-credentials.sh | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/credential.c b/credential.c
+index 9747f47..00ee4d6 100644
+--- a/credential.c
++++ b/credential.c
+@@ -194,6 +194,8 @@ static void credential_write_item(FILE *fp, const char *key, const char *value)
+ {
+ if (!value)
+ return;
++ if (strchr(value, '\n'))
++ die("credential value for %s contains newline", key);
+ fprintf(fp, "%s=%s\n", key, value);
+ }
+
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index 03bd31e..15cc3c5 100755
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -309,4 +309,10 @@ test_expect_success 'empty helper spec resets helper list' '
+ EOF
+ '
+
++test_expect_success 'url parser rejects embedded newlines' '
++ test_must_fail git credential fill <<-\EOF
++ url=https://one.example.com?%0ahost=two.example.com/
++ EOF
++'
++
+ test_done
+--
+1.9.1
+
--
cgit 1.2.3-korg
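Review bot: The test added to t/t0300-credentials.sh asserts only that `git credential fill` fails, not why, so it would still pass if the command failed for an unrelated reason and the newline guard in credential_write_item() were lost in a later rebase of this backport. Capturing stderr and checking the message ties the test to the guard: `test_must_fail git credential fill 2>stderr <<-\EOF`, then after the here-document `test_i18ngrep "contains newline" stderr`. The guard itself has no comment, so the reason lives only in the commit message; something like `/* helper protocol is line-based: a newline in a value could add a forged key=value line */` above the `strchr()` check would keep it with the code. The test name also says the URL parser rejects the input, whereas the rejection visible in this patch happens at write time, and the percent-encoded URL is still decoded into the credential struct, as the commit message notes.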