On 4/21/20 1:18 AM, Li Zhou wrote:
> Backport patch from <https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b> to solve CVE-2020-5260.
Does this affect dunfell or master? > > Signed-off-by: Li Zhou <li.z...@windriver.com> > --- > meta/recipes-devtools/git/git.inc | 4 +- > meta/recipes-devtools/git/git/CVE-2020-5260.patch | 65 > +++++++++++++++++++++++ > 2 files changed, 68 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-devtools/git/git/CVE-2020-5260.patch > > diff --git a/meta/recipes-devtools/git/git.inc > b/meta/recipes-devtools/git/git.inc > index 6e13743..176423e 100644 > --- a/meta/recipes-devtools/git/git.inc > +++ b/meta/recipes-devtools/git/git.inc > @@ -7,7 +7,9 @@ DEPENDS = "openssl curl zlib expat" > PROVIDES_append_class-native = " git-replacement-native" > > SRC_URI = > "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ > - > ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages" > + > ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \ > + file://CVE-2020-5260.patch \ > + " > > S = "${WORKDIR}/git-${PV}" > > diff --git a/meta/recipes-devtools/git/git/CVE-2020-5260.patch > b/meta/recipes-devtools/git/git/CVE-2020-5260.patch > new file mode 100644 > index 0000000..d03e701 > --- /dev/null > +++ b/meta/recipes-devtools/git/git/CVE-2020-5260.patch 
> @@ -0,0 +1,65 @@ > +From 9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b Mon Sep 17 00:00:00 2001 > +From: Jeff King <p...@peff.net> > +Date: Wed, 11 Mar 2020 17:53:41 -0400 > +Subject: [PATCH] credential: avoid writing values with newlines > + > +The credential protocol that we use to speak to helpers can't represent > +values with newlines in them. This was an intentional design choice to > +keep the protocol simple, since none of the values we pass should > +generally have newlines. > + > +However, if we _do_ encounter a newline in a value, we blindly transmit > +it in credential_write(). Such values may break the protocol syntax, or > +worse, inject new valid lines into the protocol stream. > + > +The most likely way for a newline to end up in a credential struct is by > +decoding a URL with a percent-encoded newline. However, since the bug > +occurs at the moment we write the value to the protocol, we'll catch it > +there. That should leave no possibility of accidentally missing a code > +path that can trigger the problem. > + > +At this level of the code we have little choice but to die(). However, > +since we'd not ever expect to see this case outside of a malicious URL, > +that's an acceptable outcome. 
> + > +Reported-by: Felix Wilhelm <fwilh...@google.com> > + > +Upstream-Status: Backport > +CVE: CVE-2020-5260 > +Signed-off-by: Li Zhou <li.z...@windriver.com> > +--- > + credential.c | 2 ++ > + t/t0300-credentials.sh | 6 ++++++ > + 2 files changed, 8 insertions(+) > + > +diff --git a/credential.c b/credential.c > +index 9747f47..00ee4d6 100644 > +--- a/credential.c > ++++ b/credential.c > +@@ -194,6 +194,8 @@ static void credential_write_item(FILE *fp, const char > *key, const char *value) > + { > + if (!value) > + return; > ++ if (strchr(value, '\n')) > ++ die("credential value for %s contains newline", key); > + fprintf(fp, "%s=%s\n", key, value); > + } > + > +diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh > +index 03bd31e..15cc3c5 100755 > +--- a/t/t0300-credentials.sh > ++++ b/t/t0300-credentials.sh > +@@ -309,4 +309,10 @@ test_expect_success 'empty helper spec resets helper > list' ' > + EOF > + ' > + > ++test_expect_success 'url parser rejects embedded newlines' ' > ++ test_must_fail git credential fill <<-\EOF > ++ url=https://one.example.com?%0ahost=two.example.com/ > ++ EOF > ++' > ++ > + test_done > +-- > +1.9.1 > + > >
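Review bot: the git.inc hunk adds `file://CVE-2020-5260.patch` to a SRC_URI that is shared by whatever git-${PV} each branch carries, so before merging confirm that the branch's git tarball does not already contain upstream commit 9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b; if it does, do_patch will fail on the already-applied hunk rather than skip it, which is the concrete form of the dunfell/master question. The continuation layout (`;name=manpages \`, `file://CVE-2020-5260.patch \`, then a lone `"`) is valid BitBake and matches the style other recipes use, so no change needed there.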
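Review bot: in the credential.c hunk the `strchr(value, '\n')` check sits in credential_write_item, which is the single write path for every field, so the guard covers all callers as the commit message argues; the die() message names only the key and never echoes the offending value, so the newline-bearing string cannot leak into the helper stream or build logs. The `@@ -194,6 +194,8 @@` offsets and the `const char *key, const char *value` context are upstream's, so please verify the hunk applies without fuzz against the recipe's git version.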
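Review bot: the t/t0300-credentials.sh hunk uses `<<-\EOF`, which strips leading tabs only, so the `url=https://one.example.com?%0ahost=two.example.com/` line and the closing `EOF` must stay tab-indented; if the backport was re-indented with spaces during transport, the here-doc never terminates and the whole test script fails to parse. Nothing in the git.inc hunk runs this test suite, so the hunk has no effect on the build, but keeping it makes the backport byte-identical to upstream and records the rejected input shape (a percent-encoded newline in the URL) alongside the fix.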