mirror of
https://git.yoctoproject.org/poky
synced 2026-07-16 03:47:03 +00:00
git: fix CVE-2021-40330
git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring. Upstream-Status: Backport [https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473] CVE: CVE-2021-40330 (From OE-Core rev: ea0d7ef4a8c9bba94bd603ebd19e502faa86293b) Signed-off-by: Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
committed by
Richard Purdie
parent
1a5fb730ac
commit
e006c87e22
@@ -10,7 +10,9 @@ PROVIDES_append_class-native = " git-replacement-native"
|
||||
SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
|
||||
${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
|
||||
file://CVE-2021-21300.patch \
|
||||
file://fixsort.patch"
|
||||
file://fixsort.patch \
|
||||
file://CVE-2021-40330.patch \
|
||||
"
|
||||
|
||||
S = "${WORKDIR}/git-${PV}"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user