1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-16 03:47:03 +00:00

11 Commits

Author SHA1 Message Date
Hitendra Prajapati 1824a583fa git: fix CVE-2023-25652
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding
specially crafted input to `git apply --reject`, a path outside the working
tree can be overwritten with partially controlled contents (corresponding to
the rejected hunk(s) from the given patch). A fix is available in versions
2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3,
and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying
patches from an untrusted source. Use `git apply --stat` to inspect a patch before
applying; avoid applying one that create a conflict where a link corresponding to
the `*.rej` file exists.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25652

Upstream-Status: Backport from https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b

(From OE-Core rev: 6747482316b8f7839a09bf041d8c11b559f84b44)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-05-25 05:49:26 -10:00
Hitendra Prajapati 967c2d4145 git: fix CVE-2023-29007
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8,
2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
`.gitmodules` file with submodule URLs that are longer than 1024 characters can used
to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug
can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when
attempting to remove the configuration section associated with that submodule. When the
attacker injects configuration values which specify executables to run (such as
`core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code
execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8,
2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running
`git submodule deinit` on untrusted repositories or without prior inspection of any
submodule sections in `$GIT_DIR/config`.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29007

Upstream patches:
https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8
https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a
https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d
https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a

(From OE-Core rev: db4c152441aebe4c04a7bb7aceb88d8941a6576b)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-05-25 05:49:25 -10:00
Vijay Anusuri 8064d53745 git: Security fix for CVE-2023-22490 and CVE-2023-23946
Upstream-Status: Backport from
https://github.com/git/git/commit/58325b93c5b6212697b088371809e9948fee8052
&
https://github.com/git/git/commit/cf8f6ce02a13f4d1979a53241afbee15a293fce9
& https://github.com/git/git/commit/bffc762f87ae8d18c6001bf0044a76004245754c

(From OE-Core rev: 071fb3b177bcbdd02ae2c28aad97af681c091e42)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-04-14 05:44:12 -10:00
Vijay Anusuri 7b9f7437ed git: Security fix for CVE-2022-41903
Upstream-Status: Backport from https://github.com/git/git/commit/a244dc5b & https://github.com/git/git/commit/81dc898d &
			       https://github.com/git/git/commit/b49f309a & https://github.com/git/git/commit/f6e0b9f3 &
			       https://github.com/git/git/commit/1de69c0c & https://github.com/git/git/commit/48050c42 &
			       https://github.com/git/git/commit/522cc87f & https://github.com/git/git/commit/17d23e8a &
			       https://github.com/git/git/commit/937b71cc & https://github.com/git/git/commit/81c2d4c3 &
			       https://github.com/git/git/commit/f930a239 & https://github.com/git/git/commit/304a50ad

(From OE-Core rev: d591ac4dfeff7b69086a47c7e88a8127f1d31299)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-14 14:59:10 +00:00
Hitendra Prajapati 580df9b4c4 git: CVE-2022-23521 gitattributes parsing integer overflow
Backport from:

https://github.com/git/git/commit/eb22e7dfa23da6bd9aed9bd1dad69e1e8e167d24
https://github.com/git/git/commit/8d0d48cf2157cfb914db1f53b3fe40785b86f3aa
https://github.com/git/git/commit/24557209500e6ed618f04a8795a111a0c491a29c
https://github.com/git/git/commit/34ace8bad02bb14ecc5b631f7e3daaa7a9bba7d9
https://github.com/git/git/commit/447ac906e189535e77dcb1f4bbe3f1bc917d4c12
https://github.com/git/git/commit/e1e12e97ac73ded85f7d000da1063a774b3cc14f
https://github.com/git/git/commit/a60a66e409c265b2944f18bf43581c146812586d
https://github.com/git/git/commit/d74b1fd54fdbc45966d12ea907dece11e072fb2b
https://github.com/git/git/commit/dfa6b32b5e599d97448337ed4fc18dd50c90758f
https://github.com/git/git/commit/3c50032ff5289cc45659f21949c8d09e52164579

(From OE-Core rev: 4f4baa56656291b259b9474a3637cf31f6569ff3)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-02-24 16:41:42 +00:00
Steve Sakoman b82a9877d5 git update from 2.24.3 to 2.24.4
Security release, fixes CVE-2021-21300, so remove that patch.

22539ec3b5 unpack_trees(): start with a fresh lstat cache
0d58fef58a run-command: invalidate lstat cache after a command finished
684dd4c2b4 checkout: fix bug that makes checkout follow symlinks in leading path

(From OE-Core rev: 8606d99041c3c1a002b2300c59afc116050c73cc)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-04-22 23:39:12 +01:00
Minjae Kim e006c87e22 git: fix CVE-2021-40330
git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character,
which may result in unexpected cross-protocol requests,
as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.

Upstream-Status: Backport [https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473]
CVE: CVE-2021-40330
(From OE-Core rev: ea0d7ef4a8c9bba94bd603ebd19e502faa86293b)

Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-12-02 16:53:07 +00:00
Minjae Kim f0fdeea665 git: fix CVE-2021-21300
checkout: fix bug that makes checkout follow symlinks in leading path

Upstream-Status: Acepted [https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592]
CVE: CVE-2021-21300
(From OE-Core rev: 8293d5d1529629bd13028bdde1fa99da30313bac)

Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-04-06 22:45:36 +01:00
Nitin A Kamble 542c93f90c git: upgrade from 1.7.4.3 to 1.7.5.1
the autotools patch is not needed anymore. The code which the patch was patching
is removed, and there is no use of the patch now.

(From OE-Core rev: 07c4246e107af50d6a9333445259b083f98ebdc0)

Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2011-05-25 15:50:55 +01:00
Nitin A Kamble db182009ab git: upgrade from 1.7.3.4 to 1.7.4.3
(From OE-Core rev: 7e2c5d976d05c873ca949504e8c2416a34ac7f97)

Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2011-04-24 22:50:34 +01:00
Richard Purdie 29d6678fd5 Major layout change to the packages directory
Having one monolithic packages directory makes it hard to find things
and is generally overwhelming. This commit splits it into several
logical sections roughly based on function, recipes.txt gives more
information about the classifications used.

The opportunity is also used to switch from "packages" to "recipes"
as used in OpenEmbedded as the term "packages" can be confusing to
people and has many different meanings.

Not all recipes have been classified yet, this is just a first pass
at separating things out. Some packages are moved to meta-extras as
they're no longer actively used or maintained.

Signed-off-by: Richard Purdie <rpurdie@linux.intel.com>
2010-08-27 15:29:45 +01:00