Control: retitle -1 bookworm-pu: package python-git/3.1.30-1+deb12u2
A new CVE and fix popped up right after I filed this. The patch is also from upstream, and has also been shipped by the Debian LTS team.
diff --git a/debian/changelog b/debian/changelog
index dfaadbc..7d8905e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,24 @@
+python-git (3.1.30-1+deb12u2) stable; urgency=high
+
+ * Team upload.
+ * Fix CVE-2023-41040: Blind local file inclusion.
+
+ -- Hans-Christoph Steiner <h...@eds.org> Fri, 29 Sep 2023 20:43:31 +0200
+
+python-git (3.1.30-1+deb12u1) stable; urgency=medium
+
+ [ Hans-Christoph Steiner ]
+ * Team upload.
+ * CVE-2023-40267: Include patch from Ubuntu (Closes: #1043503)
+
+ [ Fabian Toepfer ]
+ * SECURITY UPDATE: RCE due to improper user input validation
+ - debian/patches/CVE-2023-40267.patch: Block insecure non-multi
+ options in clone/clone_from.
+ - CVE-2023-40267
+
+ -- Hans-Christoph Steiner <h...@eds.org> Fri, 29 Sep 2023 16:18:03 +0200
+
python-git (3.1.30-1) unstable; urgency=medium

[ Debian Janitor ]
diff --git a/debian/patches/CVE-2023-40267.patch b/debian/patches/CVE-2023-40267.patch
new file mode 100644
index 0000000..b733fb2
--- /dev/null
+++ b/debian/patches/CVE-2023-40267.patch
@@ -0,0 +1,60 @@
+From 5c59e0d63da6180db8a0b349f0ad36fef42aceed Mon Sep 17 00:00:00 2001
+From: Sylvain Beucler <b...@beuc.net>
+Date: Mon, 10 Jul 2023 16:10:10 +0200
+Subject: [PATCH] Block insecure non-multi options in clone/clone_from
+ Follow-up to #1521
+
+---
+ git/repo/base.py | 2 ++
+ test/test_repo.py | 24 +++++++++++++++++++++++-
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+--- python-git-3.1.30.orig/git/repo/base.py
++++ python-git-3.1.30/git/repo/base.py
+@@ -1188,6 +1188,8 @@ class Repo(object):
+
+ if not allow_unsafe_protocols:
+ Git.check_unsafe_protocols(str(url))
++ if not allow_unsafe_options:
++ Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=cls.unsafe_git_clone_options)
+ if not allow_unsafe_options and multi_options:
+ Git.check_unsafe_options(options=multi_options, unsafe_options=cls.unsafe_git_clone_options)
+
+--- python-git-3.1.30.orig/test/test_repo.py
++++ python-git-3.1.30/test/test_repo.py
+@@ -281,6 +281,17 @@ class TestRepo(TestBase):
+ rw_repo.clone(tmp_dir, multi_options=[unsafe_option])
+ assert not tmp_file.exists()
+
++ unsafe_options = [
++ {"upload-pack": f"touch {tmp_file}"},
++ {"u": f"touch {tmp_file}"},
++ {"config": "protocol.ext.allow=always"},
++ {"c": "protocol.ext.allow=always"},
++ ]
++ for unsafe_option in unsafe_options:
++ with self.assertRaises(UnsafeOptionError):
++ rw_repo.clone(tmp_dir, **unsafe_option)
++ assert not tmp_file.exists()
++
+ @with_rw_repo("HEAD")
+ def test_clone_unsafe_options_allowed(self, rw_repo):
+ tmp_dir = pathlib.Path(tempfile.mkdtemp())
+@@ -337,6 +348,17 @@ class TestRepo(TestBase):
+ Repo.clone_from(rw_repo.working_dir, tmp_dir, multi_options=[unsafe_option])
+ assert not tmp_file.exists()
+
++ unsafe_options = [
++ {"upload-pack": f"touch {tmp_file}"},
++ {"u": f"touch {tmp_file}"},
++ {"config": "protocol.ext.allow=always"},
++ {"c": "protocol.ext.allow=always"},
++ ]
++ for unsafe_option in unsafe_options:
++ with self.assertRaises(UnsafeOptionError):
++ Repo.clone_from(rw_repo.working_dir, tmp_dir, **unsafe_option)
++ assert not tmp_file.exists()
++
+ @with_rw_repo("HEAD")
+ def test_clone_from_unsafe_options_allowed(self, rw_repo):
+ tmp_dir = pathlib.Path(tempfile.mkdtemp())
diff --git a/debian/patches/CVE-2023-41040.patch b/debian/patches/CVE-2023-41040.patch
new file mode 100644
index 0000000..2e194af
--- /dev/null
+++ b/debian/patches/CVE-2023-41040.patch
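Review bot: In the first hunk of the embedded patch, the new guard passes the raw keyword names (`options=list(kwargs.keys())`) to `check_unsafe_options`, whereas the existing `multi_options` check right below it passes the flag strings git actually receives. If keyword arguments are converted to flags before reaching git (the conversion is not visible here, and this code base usually maps `_` to `-`), a key spelled differently from the blocklist entry could be turned into a blocked flag without matching the check; confirm this against `check_unsafe_options` and the kwarg-to-flag conversion, and if it holds, normalise first, e.g. `options=[k.replace("_", "-") for k in kwargs]`, or check the converted flag strings instead. The added tests only exercise the dash-spelled long keys and the single-letter keys, so they would not catch such a gap. The `clone`/`clone_from` body that holds this check starts and ends outside the hunk.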
@@ -0,0 +1,69 @@
+From: Facundo Tuesca <facundo.tue...@trailofbits.com>
+Date: Tue, 5 Sep 2023 09:51:50 +0200
+Subject: Fix CVE-2023-41040
+
+This change adds a check during reference resolving to see if it
+contains an up-level reference ('..'). If it does, it raises an
+exception.
+
+This fixes CVE-2023-41040, which allows an attacker to access files
+outside the repository's directory.
+
+Origin: https://github.com/gitpython-developers/GitPython/commit/64ebb9fcdfbe48d5d61141a557691fd91f1e88d6
+Origin: https://github.com/gitpython-developers/GitPython/commit/65b8c6a2ccacdf26e751cd3bc3c5a7c9e5796b56
+Bug: https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58c
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-41040
+---
+ git/refs/symbolic.py | 2 ++
+ git/test/test_refs.py | 15 +++++++++++++++
+ 2 files changed, 17 insertions(+)
+
+--- a/git/refs/symbolic.py
++++ b/git/refs/symbolic.py
+@@ -168,6 +168,8 @@
+ """Return: (str(sha), str(target_ref_path)) if available, the sha the file at
+ rela_path points to, or None. target_ref_path is the reference we
+ point to, or None"""
++ if ".." in str(ref_path):
++ raise ValueError(f"Invalid reference '{ref_path}'")
+ tokens: Union[None, List[str], Tuple[str, str]] = None
+ repodir = _git_dir(repo, ref_path)
+ try:
+--- a/test/test_refs.py
++++ b/test/test_refs.py
+@@ -5,6 +5,7 @@
+ # the BSD License: http://www.opensource.org/licenses/bsd-license.php
+
+ from itertools import chain
++from pathlib import Path
+
+ from git import (
+ Reference,
+@@ -19,9 +20,11 @@
+ from git.objects.tag import TagObject
+ from test.lib import TestBase, with_rw_repo
+ from git.util import Actor
++from gitdb.exc import BadName
+
+ import git.refs as refs
+ import os.path as osp
++import tempfile
+
+
+ class TestRefs(TestBase):
+@@ -595,3 +598,15 @@
+
+ def test_reflog(self):
+ assert isinstance(self.rorepo.heads.master.log(), RefLog)
++
++ def test_refs_outside_repo(self):
++ # Create a file containing a valid reference outside the repository. Attempting
++ # to access it should raise an exception, due to it containing a parent directory
++ # reference ('..'). This tests for CVE-2023-41040.
++ git_dir = Path(self.rorepo.git_dir)
++ repo_parent_dir = git_dir.parent.parent
++ with tempfile.NamedTemporaryFile(dir=repo_parent_dir) as ref_file:
++ ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe")
++ ref_file.flush()
++ ref_file_name = Path(ref_file.name).name
++ self.assertRaises(BadName, self.rorepo.commit, "../../%s" % ref_file_name)
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..1608dbe
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2023-40267.patch
+CVE-2023-41040.patch
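Review bot: The new guard in `git/refs/symbolic.py` raises `ValueError`, but the test added at the end of the embedded patch asserts `BadName` from `self.rorepo.commit(...)`, so it presumably passes only because a caller outside this hunk converts or swallows the `ValueError`; it does not pin the guard itself, and would keep passing if the guard were removed and some later lookup failed for another reason. A second assertion that calls the patched resolution function directly with a `'../x'` path and expects `ValueError` (the function's name lies above the hunk) would make the fix verifiable on its own. A short why-comment above the check would also help a future maintainer judge whether it is too strict: `# git refnames can never contain '..' (see git check-ref-format), so this only rejects paths that would escape the refs directory`. The function holding the guard begins before the hunk.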