Diffstat (limited to 'meta/recipes-devtools/git/git/CVE-2020-11008-1.patch')
-rw-r--r-- | meta/recipes-devtools/git/git/CVE-2020-11008-1.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-1.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-1.patch
new file mode 100644
index 0000000000..9cf98ea7b4
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-1.patch
@@ -0,0 +1,70 @@
+From 863f8067d8b4012904ca3bb881c659ac9894df97 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Mon, 27 Apr 2020 14:36:03 +0800
+Subject: [PATCH 04/12] t0300: make "quit" helper more realistic
+
+We test a toy credential helper that writes "quit=1" and confirms that
+we stop running other helpers. However, that helper is unrealistic in
+that it does not bother to read its stdin at all.
+
+For now we don't send any input to it, because we feed git-credential a
+blank credential. But that will change in the next patch, which will
+cause this test to racily fail, as git-credential will get SIGPIPE
+writing to the helper rather than exiting because it was asked to.
+
+Let's make this one-off helper more like our other sample helpers, and
+have it source the "dump" script. That will read stdin, fixing the
+SIGPIPE problem. But it will also write what it sees to stderr. We can
+make the test more robust by checking that output, which confirms that
+we do run the quit helper, don't run any other helpers, and exit for the
+reason we expected.
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (1)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ t/t0300-credentials.sh | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index b9c0f1f..0206b3b 100755
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -22,6 +22,11 @@ test_expect_success 'setup helper scripts' '
+ exit 0
+ EOF
+
++ write_script git-credential-quit <<-\EOF &&
++ . ./dump
++ echo quit=1
++ EOF
++
+ write_script git-credential-verbatim <<-\EOF &&
+ user=$1; shift
+ pass=$1; shift
+@@ -291,10 +296,16 @@ test_expect_success 'http paths can be part of context' '
+
+ test_expect_success 'helpers can abort the process' '
+ test_must_fail git \
+- -c credential.helper="!f() { echo quit=1; }; f" \
++ -c credential.helper=quit \
+ -c credential.helper="verbatim foo bar" \
+- credential fill >stdout &&
+- test_must_be_empty stdout
++ credential fill >stdout 2>stderr &&
++ >expect &&
++ test_cmp expect stdout &&
++ cat >expect <<-\EOF &&
++ quit: get
++ fatal: credential helper '\''quit'\'' told us to quit
++ EOF
++ test_i18ncmp expect stderr
+ '
+
+ test_expect_success 'empty helper spec resets helper list' '
+--
+1.9.1
+ |
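Review bot: The header of the added patch carries `CVE: CVE-2020-11008 (1)`, yet the only file it touches is `t/t0300-credentials.sh`, so this part changes test scaffolding and does not by itself fix the credential handling. Tooling that keys on the `CVE:` tag (for example the cve-check class) would presumably count the CVE as patched once this file alone is applied. This page is limited to the one file, so please confirm that the remaining parts of the series and the recipe's SRC_URI entries land in the same change. Separately, `Upstream-Status: Backport` names no upstream origin, and the `From:`/`Date:` fields are the backporter's, so the file gives no way to compare the backport with the upstream commit. I would record it as `Upstream-Status: Backport [<upstream commit URL or id>]`.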