Diffstat (limited to 'meta/recipes-devtools/git/git/CVE-2020-5260.patch')
-rw-r--r-- | meta/recipes-devtools/git/git/CVE-2020-5260.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git/CVE-2020-5260.patch b/meta/recipes-devtools/git/git/CVE-2020-5260.patch
new file mode 100644
index 0000000000..d03e701a8f
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-5260.patch
@@ -0,0 +1,65 @@
+From 9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Wed, 11 Mar 2020 17:53:41 -0400
+Subject: [PATCH] credential: avoid writing values with newlines
+
+The credential protocol that we use to speak to helpers can't represent
+values with newlines in them. This was an intentional design choice to
+keep the protocol simple, since none of the values we pass should
+generally have newlines.
+
+However, if we _do_ encounter a newline in a value, we blindly transmit
+it in credential_write(). Such values may break the protocol syntax, or
+worse, inject new valid lines into the protocol stream.
+
+The most likely way for a newline to end up in a credential struct is by
+decoding a URL with a percent-encoded newline. However, since the bug
+occurs at the moment we write the value to the protocol, we'll catch it
+there. That should leave no possibility of accidentally missing a code
+path that can trigger the problem.
+
+At this level of the code we have little choice but to die(). However,
+since we'd not ever expect to see this case outside of a malicious URL,
+that's an acceptable outcome.
+
+Reported-by: Felix Wilhelm <fwilhelm@google.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-5260
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ credential.c | 2 ++
+ t/t0300-credentials.sh | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/credential.c b/credential.c
+index 9747f47..00ee4d6 100644
+--- a/credential.c
++++ b/credential.c
+@@ -194,6 +194,8 @@ static void credential_write_item(FILE *fp, const char *key, const char *value)
+ {
+ if (!value)
+ return;
++ if (strchr(value, '\n'))
++ die("credential value for %s contains newline", key);
+ fprintf(fp, "%s=%s\n", key, value);
+ }
+
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index 03bd31e..15cc3c5 100755
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -309,4 +309,10 @@ test_expect_success 'empty helper spec resets helper list' '
+ EOF
+ '
+
++test_expect_success 'url parser rejects embedded newlines' '
++ test_must_fail git credential fill <<-\EOF
++ url=https://one.example.com?%0ahost=two.example.com/
++ EOF
++'
++
+ test_done
+--
+1.9.1
+ |
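Review bot: The added test is titled 'url parser rejects embedded newlines', but nothing in this patch touches URL parsing; the rejection comes only from the `strchr(value, '\n')` guard in credential_write_item(), so the test passes because the write to the helper dies. `test_must_fail` accepts any non-zero exit, so the test would be stronger if it captured stderr and checked for the `contains newline` message. A short comment above the guard, for example `/* protocol is line-oriented: a newline in a value would add a line to the helper stream */`, would stop a later cleanup from removing the check as redundant. The backport carries a single upstream commit, so it is worth confirming whether further upstream changes for the same CVE (for instance rejection at parse time) are also needed on this branch.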