Hello community, here is the log from the commit of package git for openSUSE:Factory checked in at 2017-08-21 11:35:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/git (Old) and /work/SRC/openSUSE:Factory/.git.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "git" Mon Aug 21 11:35:00 2017 rev:202 rq:515991 version:2.14.1 Changes: -------- --- /work/SRC/openSUSE:Factory/git/git.changes 2017-08-06 11:25:54.534575941 +0200 +++ /work/SRC/openSUSE:Factory/.git.new/git.changes 2017-08-21 11:35:03.278949855 +0200 
@@ -1,0 +2,25 @@ +Thu Aug 10 19:19:07 UTC 2017 - [email protected] + +- git 2.14.1 (bsc#1052481): + * Security fix for CVE-2017-1000117: A malicious third-party can + give a crafted "ssh://..." URL to an unsuspecting victim, and + an attempt to visit the URL can result in any program that + exists on the victim's machine being executed. Such a URL could + be placed in the .gitmodules file of a malicious project, and + an unsuspecting victim could be tricked into running + "git clone --recurse-submodules" to trigger the vulnerability. + * A "ssh://..." URL can result in a "ssh" command line with a + hostname that begins with a dash "-", which would cause the + "ssh" command to instead (mis)treat it as an option. This is + now prevented by forbidding such a hostname (which should not + impact any real-world usage). + * Similarly, when GIT_PROXY_COMMAND is configured, the command + is run with host and port that are parsed out from "ssh://..." + URL; a poorly written GIT_PROXY_COMMAND could be tricked into + treating a string that begins with a dash "-" as an option. + This is now prevented by forbidding such a hostname and port + number (again, which should not impact any real-world usage). + * In the same spirit, a repository name that begins with a dash + "-" is also forbidden now. + +------------------------------------------------------------------- Old: ---- git-2.14.0.tar.sign git-2.14.0.tar.xz New: ---- git-2.14.1.tar.sign git-2.14.1.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ git.spec ++++++ --- /var/tmp/diff_new_pack.VzVGHq/_old 2017-08-21 11:35:04.370796300 +0200 +++ /var/tmp/diff_new_pack.VzVGHq/_new 2017-08-21 11:35:04.382794613 +0200 
@@ -26,7 +26,7 @@ %endif Name: git -Version: 2.14.0 +Version: 2.14.1 Release: 0 Summary: Fast, scalable, distributed revision control system License: GPL-2.0 ++++++ git-2.14.0.tar.xz -> git-2.14.1.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/Documentation/RelNotes/2.10.4.txt new/git-2.14.1/Documentation/RelNotes/2.10.4.txt --- old/git-2.14.0/Documentation/RelNotes/2.10.4.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/git-2.14.1/Documentation/RelNotes/2.10.4.txt 2017-08-09 21:54:31.000000000 +0200 @@ -0,0 +1,4 @@ +Git v2.10.4 Release Notes +========================= + +This release forward-ports the fix for "ssh://..." URL from Git v2.7.6 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/Documentation/RelNotes/2.11.3.txt new/git-2.14.1/Documentation/RelNotes/2.11.3.txt --- old/git-2.14.0/Documentation/RelNotes/2.11.3.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/git-2.14.1/Documentation/RelNotes/2.11.3.txt 2017-08-09 21:54:31.000000000 +0200 @@ -0,0 +1,4 @@ +Git v2.11.3 Release Notes +========================= + +This release forward-ports the fix for "ssh://..." URL from Git v2.7.6 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/Documentation/RelNotes/2.12.4.txt new/git-2.14.1/Documentation/RelNotes/2.12.4.txt --- old/git-2.14.0/Documentation/RelNotes/2.12.4.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/git-2.14.1/Documentation/RelNotes/2.12.4.txt 2017-08-09 21:54:31.000000000 +0200 
@@ -0,0 +1,4 @@ +Git v2.12.4 Release Notes +========================= + +This release forward-ports the fix for "ssh://..." URL from Git v2.7.6 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/Documentation/RelNotes/2.13.5.txt new/git-2.14.1/Documentation/RelNotes/2.13.5.txt --- old/git-2.14.0/Documentation/RelNotes/2.13.5.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/git-2.14.1/Documentation/RelNotes/2.13.5.txt 2017-08-09 21:54:31.000000000 +0200 @@ -0,0 +1,4 @@ +Git v2.13.5 Release Notes +========================= + +This release forward-ports the fix for "ssh://..." URL from Git v2.7.6 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/Documentation/RelNotes/2.14.1.txt new/git-2.14.1/Documentation/RelNotes/2.14.1.txt --- old/git-2.14.0/Documentation/RelNotes/2.14.1.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/git-2.14.1/Documentation/RelNotes/2.14.1.txt 2017-08-09 21:54:31.000000000 +0200 @@ -0,0 +1,4 @@ +Git v2.14.1 Release Notes +========================= + +This release forward-ports the fix for "ssh://..." URL from Git v2.7.6 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/Documentation/RelNotes/2.7.6.txt new/git-2.14.1/Documentation/RelNotes/2.7.6.txt --- old/git-2.14.0/Documentation/RelNotes/2.7.6.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/git-2.14.1/Documentation/RelNotes/2.7.6.txt 2017-08-09 21:54:31.000000000 +0200 
@@ -0,0 +1,25 @@ +Git v2.7.6 Release Notes +======================== + +Fixes since v2.7.5 +------------------ + + * A "ssh://..." URL can result in a "ssh" command line with a + hostname that begins with a dash "-", which would cause the "ssh" + command to instead (mis)treat it as an option. This is now + prevented by forbidding such a hostname (which will not be + necessary in the real world). + + * Similarly, when GIT_PROXY_COMMAND is configured, the command is + run with host and port that are parsed out from "ssh://..." URL; + a poorly written GIT_PROXY_COMMAND could be tricked into treating + a string that begins with a dash "-". This is now prevented by + forbidding such a hostname and port number (again, which will not + be necessary in the real world). + + * In the same spirit, a repository name that begins with a dash "-" + is also forbidden now. + +Credits go to Brian Neel at GitLab, Joern Schneeweisz of Recurity +Labs and Jeff King at GitHub. + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/Documentation/RelNotes/2.8.6.txt new/git-2.14.1/Documentation/RelNotes/2.8.6.txt --- old/git-2.14.0/Documentation/RelNotes/2.8.6.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/git-2.14.1/Documentation/RelNotes/2.8.6.txt 2017-08-09 21:54:31.000000000 +0200 @@ -0,0 +1,4 @@ +Git v2.8.6 Release Notes +======================== + +This release forward-ports the fix for "ssh://..." URL from Git v2.7.6 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/Documentation/RelNotes/2.9.5.txt new/git-2.14.1/Documentation/RelNotes/2.9.5.txt --- old/git-2.14.0/Documentation/RelNotes/2.9.5.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/git-2.14.1/Documentation/RelNotes/2.9.5.txt 2017-08-09 21:54:31.000000000 +0200 
@@ -0,0 +1,4 @@ +Git v2.9.5 Release Notes +======================== + +This release forward-ports the fix for "ssh://..." URL from Git v2.7.6 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/GIT-VERSION-GEN new/git-2.14.1/GIT-VERSION-GEN --- old/git-2.14.0/GIT-VERSION-GEN 2017-08-04 18:34:57.000000000 +0200 +++ new/git-2.14.1/GIT-VERSION-GEN 2017-08-09 21:54:31.000000000 +0200 @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.14.0 +DEF_VER=v2.14.1 LF=' ' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/RelNotes new/git-2.14.1/RelNotes --- old/git-2.14.0/RelNotes 2017-08-21 11:35:06.250531939 +0200 +++ new/git-2.14.1/RelNotes 2017-08-21 11:35:06.274528564 +0200 @@ -1 +1 @@ -symbolic link to Documentation/RelNotes/2.14.0.txt +symbolic link to Documentation/RelNotes/2.14.1.txt diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/cache.h new/git-2.14.1/cache.h --- old/git-2.14.0/cache.h 2017-08-04 18:34:57.000000000 +0200 +++ new/git-2.14.1/cache.h 2017-08-09 21:54:31.000000000 +0200 
@@ -1146,6 +1146,14 @@ int daemon_avoid_alias(const char *path); extern int is_ntfs_dotgit(const char *name); +/* + * Returns true iff "str" could be confused as a command-line option when + * passed to a sub-program like "ssh". Note that this has nothing to do with + * shell-quoting, which should be handled separately; we're assuming here that + * the string makes it verbatim to the sub-program. + */ +int looks_like_command_line_option(const char *str); + /** * Return a newly allocated string with the evaluation of * "$XDG_CONFIG_HOME/git/$filename" if $XDG_CONFIG_HOME is non-empty, otherwise diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/configure new/git-2.14.1/configure --- old/git-2.14.0/configure 2017-08-04 18:34:58.000000000 +0200 +++ new/git-2.14.1/configure 2017-08-09 21:54:31.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for git 2.14.0. +# Generated by GNU Autoconf 2.69 for git 2.14.1. # # Report bugs to <[email protected]>. # @@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='git' PACKAGE_TARNAME='git' -PACKAGE_VERSION='2.14.0' -PACKAGE_STRING='git 2.14.0' +PACKAGE_VERSION='2.14.1' +PACKAGE_STRING='git 2.14.1' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -1254,7 +1254,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures git 2.14.0 to adapt to many kinds of systems. +\`configure' configures git 2.14.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1315,7 +1315,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of git 2.14.0:";; + short | recursive ) echo "Configuration of git 2.14.1:";; esac cat <<\_ACEOF 
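Review bot: The header comment on the new `looks_like_command_line_option` declaration in cache.h promises a true result whenever the string "could be confused" as an option, but the path.c definition added by this same commit only tests for a leading `-` and returns 0 for a NULL pointer; a caller reading only cache.h may assume a broader check (leading whitespace, `+`-style options) that is not there. Stating the actual rule keeps the contract honest with the implementation, e.g. adding ` * Currently this only rejects a leading '-'; a NULL str is reported as safe.` to the comment block. Any future widening of the check then has one place to update.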
@@ -1460,7 +1460,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -git configure 2.14.0 +git configure 2.14.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1940,7 +1940,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by git $as_me 2.14.0, which was +It was created by git $as_me 2.14.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -8236,7 +8236,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by git $as_me 2.14.0, which was +This file was extended by git $as_me 2.14.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -8293,7 +8293,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -git config.status 2.14.0 +git config.status 2.14.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/connect.c new/git-2.14.1/connect.c --- old/git-2.14.0/connect.c 2017-08-04 18:34:57.000000000 +0200 +++ new/git-2.14.1/connect.c 2017-08-09 21:54:31.000000000 +0200 @@ -578,6 +578,11 @@ get_host_and_port(&host, &port); + if (looks_like_command_line_option(host)) + die("strange hostname '%s' blocked", host); + if (looks_like_command_line_option(port)) + die("strange port '%s' blocked", port); + proxy = xmalloc(sizeof(*proxy)); child_process_init(proxy); argv_array_push(&proxy->args, git_proxy_command); 
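Review bot: In the connect.c hunk at `@@ -578,6 +578,11 @@` the new `looks_like_command_line_option(port)` call depends on the helper accepting a NULL pointer; `get_host_and_port` is outside the hunk, so I cannot confirm whether it leaves `port` NULL when the URL carries no port, but the `str &&` guard in the path.c definition makes the call safe either way. That dependency and the reason for the checks deserve a comment above them, e.g. `/* host and port are passed verbatim to GIT_PROXY_COMMAND; reject values it could parse as options (CVE-2017-1000117). port may be NULL. */`. The enclosing function starts and ends outside the hunk.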
@@ -824,6 +829,9 @@
 conn = xmalloc(sizeof(*conn));
 child_process_init(conn);
 
+ if (looks_like_command_line_option(path))
+ die("strange pathname '%s' blocked", path);
+
 strbuf_addstr(&cmd, prog);
 strbuf_addch(&cmd, ' ');
 sq_quote_buf(&cmd, path);
@@ -857,6 +865,9 @@
 return NULL;
 }
 
+ if (looks_like_command_line_option(ssh_host))
+ die("strange hostname '%s' blocked", ssh_host);
+
 ssh = get_ssh_command();
 if (ssh)
 handle_ssh_variant(ssh, 1, &port_option,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/path.c new/git-2.14.1/path.c
--- old/git-2.14.0/path.c 2017-08-04 18:34:57.000000000 +0200
+++ new/git-2.14.1/path.c 2017-08-09 21:54:31.000000000 +0200
@@ -1321,6 +1321,11 @@
 }
 }
 
+int looks_like_command_line_option(const char *str)
+{
+ return str && str[0] == '-';
+}
+
 char *xdg_config_home(const char *filename)
 {
 const char *home, *config_home;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/t/lib-proto-disable.sh new/git-2.14.1/t/lib-proto-disable.sh
--- old/git-2.14.0/t/lib-proto-disable.sh 2017-08-04 18:34:57.000000000 +0200
+++ new/git-2.14.1/t/lib-proto-disable.sh 2017-08-09 21:54:31.000000000 +0200
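Review bot: In the connect.c hunk at `@@ -824,6 +829,9 @@` the path check is placed after `conn = xmalloc(sizeof(*conn));` and `child_process_init(conn);`; because `die()` does not return nothing actually leaks, but validating input before allocating the child structure reads more naturally and avoids the question. Moving the two lines `if (looks_like_command_line_option(path))` / `die("strange pathname '%s' blocked", path);` above the `conn = xmalloc(...)` line keeps the rejection ahead of any setup work. The hunk at `@@ -857,6 +865,9 @@` already follows that order, checking `ssh_host` before `get_ssh_command()` runs. The enclosing function starts and ends outside both hunks.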
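Review bot: The path.c definition of `looks_like_command_line_option` lands without a comment, so the rationale lives only in cache.h while the load-bearing detail — that a NULL argument yields 0 — is visible only in the expression `str && str[0] == '-'`. Since the connect.c callers in this commit pass optional values such as `port`, that behaviour is part of the contract and should be stated at the definition: `/* NULL is treated as "not an option"; callers pass optional fields such as a port. */`. The leading-dash-only rule is intentionally conservative, which matches the release-note wording that it should not affect real-world hostnames or repository names.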
@@ -147,29 +147,33 @@
 # Test clone/fetch/push with protocol.allow user defined default
 test_expect_success "clone $desc (enabled)" '
 rm -rf tmp.git &&
- git config --global protocol.allow always &&
+ test_config_global protocol.allow always &&
 git clone --bare "$url" tmp.git
 '
 
 test_expect_success "fetch $desc (enabled)" '
+ test_config_global protocol.allow always &&
 git -C tmp.git fetch
 '
 
 test_expect_success "push $desc (enabled)" '
+ test_config_global protocol.allow always &&
 git -C tmp.git push origin HEAD:pushed
 '
 
 test_expect_success "push $desc (disabled)" '
- git config --global protocol.allow never &&
+ test_config_global protocol.allow never &&
 test_must_fail git -C tmp.git push origin HEAD:pushed
 '
 
 test_expect_success "fetch $desc (disabled)" '
+ test_config_global protocol.allow never &&
 test_must_fail git -C tmp.git fetch
 '
 
 test_expect_success "clone $desc (disabled)" '
 rm -rf tmp.git &&
+ test_config_global protocol.allow never &&
 test_must_fail git clone --bare "$url" tmp.git
 '
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/t/t5532-fetch-proxy.sh new/git-2.14.1/t/t5532-fetch-proxy.sh
--- old/git-2.14.0/t/t5532-fetch-proxy.sh 2017-08-04 18:34:57.000000000 +0200
+++ new/git-2.14.1/t/t5532-fetch-proxy.sh 2017-08-09 21:54:31.000000000 +0200
@@ -43,4 +43,9 @@
 test_cmp expect actual
 '
 
+test_expect_success 'funny hostnames are rejected before running proxy' '
+ test_must_fail git fetch git://-remote/repo.git 2>stderr &&
+ ! grep "proxying for" stderr
+'
+
 test_done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/t/t5810-proto-disable-local.sh new/git-2.14.1/t/t5810-proto-disable-local.sh
--- old/git-2.14.0/t/t5810-proto-disable-local.sh 2017-08-04 18:34:57.000000000 +0200
+++ new/git-2.14.1/t/t5810-proto-disable-local.sh 2017-08-09 21:54:31.000000000 +0200
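Review bot: The new test in t/t5532-fetch-proxy.sh asserts only that the proxy did not run (`! grep "proxying for" stderr`) and not that the failure came from the new rejection, so a fetch that fails earlier for an unrelated reason would also pass. Adding `grep "strange hostname" stderr &&` before the negative grep pins the intended code path; the `die()` string in connect.c is not wrapped in `_()`, so a plain grep is adequate. The same observation applies to the `! grep ^ssh: stderr` assertions in t/t5813-proto-disable-ssh.sh and, for the "strange pathname" message, to the `! grep upload-pack trace.out` check in t/t5810-proto-disable-local.sh, which does not capture stderr at all.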
@@ -11,4 +11,27 @@
 test_proto "file://" file "file://$PWD"
 test_proto "path" file .
 
+test_expect_success 'setup repo with dash' '
+ git init --bare repo.git &&
+ git push repo.git HEAD &&
+ mv repo.git "$PWD/-repo.git"
+'
+
+# This will fail even without our rejection because upload-pack will
+# complain about the bogus option. So let's make sure that GIT_TRACE
+# doesn't show us even running upload-pack.
+#
+# We must also be sure to use "fetch" and not "clone" here, as the latter
+# actually canonicalizes our input into an absolute path (which is fine
+# to allow).
+test_expect_success 'repo names starting with dash are rejected' '
+ rm -f trace.out &&
+ test_must_fail env GIT_TRACE="$PWD/trace.out" git fetch -- -repo.git &&
+ ! grep upload-pack trace.out
+'
+
+test_expect_success 'full paths still work' '
+ git fetch "$PWD/-repo.git"
+'
+
 test_done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/t/t5813-proto-disable-ssh.sh new/git-2.14.1/t/t5813-proto-disable-ssh.sh
--- old/git-2.14.0/t/t5813-proto-disable-ssh.sh 2017-08-04 18:34:57.000000000 +0200
+++ new/git-2.14.1/t/t5813-proto-disable-ssh.sh 2017-08-09 21:54:31.000000000 +0200
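Review bot: In t/t5810-proto-disable-local.sh the assertion `! grep upload-pack trace.out` succeeds vacuously if trace.out was never created: the test removes it with `rm -f trace.out` first, and if git exits before emitting any trace line the negative grep passes with a "No such file" message instead of proving that upload-pack was not launched. If the built-in command trace is emitted as I would expect for a rejected fetch, adding `test_path_is_file trace.out &&` before the grep makes the absence check meaningful; if it is not, the test needs a different witness. The comment block above the test explains the fetch-versus-clone choice well and can stay as is.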
@@ -17,4 +17,27 @@
 test_proto "ssh://" ssh "ssh://remote$PWD/remote/repo.git"
 test_proto "git+ssh://" ssh "git+ssh://remote$PWD/remote/repo.git"
 
+# Don't even bother setting up a "-remote" directory, as ssh would generally
+# complain about the bogus option rather than completing our request. Our
+# fake wrapper actually _can_ handle this case, but it's more robust to
+# simply confirm from its output that it did not run at all.
+test_expect_success 'hostnames starting with dash are rejected' '
+ test_must_fail git clone ssh://-remote/repo.git dash-host 2>stderr &&
+ ! grep ^ssh: stderr
+'
+
+test_expect_success 'setup repo with dash' '
+ git init --bare remote/-repo.git &&
+ git push remote/-repo.git HEAD
+'
+
+test_expect_success 'repo names starting with dash are rejected' '
+ test_must_fail git clone remote:-repo.git dash-path 2>stderr &&
+ ! grep ^ssh: stderr
+'
+
+test_expect_success 'full paths still work' '
+ git clone "remote:$PWD/remote/-repo.git" dash-path
+'
+
 test_done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.14.0/version new/git-2.14.1/version
--- old/git-2.14.0/version 2017-08-04 18:34:58.000000000 +0200
+++ new/git-2.14.1/version 2017-08-09 21:54:31.000000000 +0200
@@ -1 +1 @@
-2.14.0
+2.14.1
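Review bot: In t/t5813-proto-disable-ssh.sh the target directory `dash-path` is used both by the clone that is expected to fail in 'repo names starting with dash are rejected' and by the clone in 'full paths still work', so the second test silently depends on the first leaving no `dash-path` behind. My understanding is that a failed clone removes the directory it created, but the coupling is easy to remove by giving the positive test its own target, e.g. `git clone "remote:$PWD/remote/-repo.git" dash-path-full`. The same two tests also never confirm the rejection message, which is raised separately for t5532.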
