mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-02 13:29:49 +00:00
Code Issues Projects Releases Wiki Activity

git: Security Advisory - git - CVE-2020-5260

Browse Source 
Backport patch from <https://github.com/git/git/commit/
9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b> to solve CVE-2020-5260.

(From OE-Core rev: e4c3adbaae41147f921dde638b25911d1f5422e1)

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Li Zhou
2020-04-21 16:18:04 +08:00
committed by Richard Purdie
parent 9f70721b9a
commit cfcd63e044
2 changed files with 68 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-devtools/git/git.inc
+3 -1
View File
@@ -7,7 +7,9 @@ DEPENDS = "openssl curl zlib expat"
PROVIDES_append_class-native = " git-replacement-native" PROVIDES_append_class-native = " git-replacement-native"
SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages" ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
file://CVE-2020-5260.patch \
"
S = "${WORKDIR}/git-${PV}" S = "${WORKDIR}/git-${PV}"
meta/recipes-devtools/git/git/CVE-2020-5260.patch
+65
View File
@@ -0,0 +1,65 @@
From 9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b Mon Sep 17 00:00:00 2001
From: Jeff King <peff@peff.net>
Date: Wed, 11 Mar 2020 17:53:41 -0400
Subject: [PATCH] credential: avoid writing values with newlines
The credential protocol that we use to speak to helpers can't represent
values with newlines in them. This was an intentional design choice to
keep the protocol simple, since none of the values we pass should
generally have newlines.
However, if we _do_ encounter a newline in a value, we blindly transmit
it in credential_write(). Such values may break the protocol syntax, or
worse, inject new valid lines into the protocol stream.
The most likely way for a newline to end up in a credential struct is by
decoding a URL with a percent-encoded newline. However, since the bug
occurs at the moment we write the value to the protocol, we'll catch it
there. That should leave no possibility of accidentally missing a code
path that can trigger the problem.
At this level of the code we have little choice but to die(). However,
since we'd not ever expect to see this case outside of a malicious URL,
that's an acceptable outcome.
Reported-by: Felix Wilhelm <fwilhelm@google.com>
Upstream-Status: Backport
CVE: CVE-2020-5260
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
credential.c | 2 ++
t/t0300-credentials.sh | 6 ++++++
2 files changed, 8 insertions(+)
diff --git a/credential.c b/credential.c
index 9747f47..00ee4d6 100644
--- a/credential.c
+++ b/credential.c
@@ -194,6 +194,8 @@ static void credential_write_item(FILE *fp, const char *key, const char *value)
{
if (!value)
return;
+ if (strchr(value, '\n'))
+ die("credential value for %s contains newline", key);
fprintf(fp, "%s=%s\n", key, value);
}
diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
index 03bd31e..15cc3c5 100755
--- a/t/t0300-credentials.sh
+++ b/t/t0300-credentials.sh
@@ -309,4 +309,10 @@ test_expect_success 'empty helper spec resets helper list' '
EOF
'
+test_expect_success 'url parser rejects embedded newlines' '
+ test_must_fail git credential fill <<-\EOF
+ url=https://one.example.com?%0ahost=two.example.com/
+ EOF
+'
+
test_done
--
1.9.1