diff options
Diffstat (limited to 'meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch')
| -rw-r--r-- | meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch new file mode 100644 index 0000000000..8912b6a48e --- /dev/null +++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_2.patch @@ -0,0 +1,113 @@ +From 33cfccbbf35a56e190b79bdec5c85457c952a021 Mon Sep 17 00:00:00 2001 +From: Jeff King <peff@peff.net> +Date: Wed, 16 Sep 2015 13:13:12 -0400 +Subject: [PATCH] submodule: allow only certain protocols for submodule fetches + +Some protocols (like git-remote-ext) can execute arbitrary +code found in the URL. The URLs that submodules use may come +from arbitrary sources (e.g., .gitmodules files in a remote +repository). Let's restrict submodules to fetching from a +known-good subset of protocols. + +Note that we apply this restriction to all submodule +commands, whether the URL comes from .gitmodules or not. +This is more restrictive than we need to be; for example, in +the tests we run: + + git submodule add ext::... + +which should be trusted, as the URL comes directly from the +command line provided by the user. But doing it this way is +simpler, and makes it much less likely that we would miss a +case. And since such protocols should be an exception +(especially because nobody who clones from them will be able +to update the submodules!), it's not likely to inconvenience +anyone in practice. + +Reported-by: Blake Burkhart <bburky@bburky.com> +Signed-off-by: Jeff King <peff@peff.net> +Signed-off-by: Junio C Hamano <gitster@pobox.com> + +Upstream-Status: Backport +https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/ +CVE: CVE-2015-7545 patch #1 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + git-submodule.sh | 9 +++++++++ + t/t5815-submodule-protos.sh | 43 +++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 52 insertions(+) + create mode 100755 t/t5815-submodule-protos.sh + +diff --git a/git-submodule.sh b/git-submodule.sh +index 36797c3..78c2740 100755 +--- a/git-submodule.sh ++++ b/git-submodule.sh +@@ -22,6 +22,15 @@ require_work_tree + wt_prefix=$(git rev-parse --show-prefix) + cd_to_toplevel + ++# Restrict ourselves to a vanilla subset of protocols; the URLs ++# we get are under control of a remote repository, and we do not ++# want them kicking off arbitrary git-remote-* programs. ++# ++# If the user has already specified a set of allowed protocols, ++# we assume they know what they're doing and use that instead. ++: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh} ++export GIT_ALLOW_PROTOCOL ++ + command= + branch= + force= +diff --git a/t/t5815-submodule-protos.sh b/t/t5815-submodule-protos.sh +new file mode 100755 +index 0000000..06f55a1 +--- /dev/null ++++ b/t/t5815-submodule-protos.sh +@@ -0,0 +1,43 @@ ++#!/bin/sh ++ ++test_description='test protocol whitelisting with submodules' ++. ./test-lib.sh ++. "$TEST_DIRECTORY"/lib-proto-disable.sh ++ ++setup_ext_wrapper ++setup_ssh_wrapper ++ ++test_expect_success 'setup repository with submodules' ' ++ mkdir remote && ++ git init remote/repo.git && ++ (cd remote/repo.git && test_commit one) && ++ # submodule-add should probably trust what we feed it on the cmdline, ++ # but its implementation is overly conservative. ++ GIT_ALLOW_PROTOCOL=ssh git submodule add remote:repo.git ssh-module && ++ GIT_ALLOW_PROTOCOL=ext git submodule add "ext::fake-remote %S repo.git" ext-module && ++ git commit -m "add submodules" ++' ++ ++test_expect_success 'clone with recurse-submodules fails' ' ++ test_must_fail git clone --recurse-submodules . dst ++' ++ ++test_expect_success 'setup individual updates' ' ++ rm -rf dst && ++ git clone . dst && ++ git -C dst submodule init ++' ++ ++test_expect_success 'update of ssh allowed' ' ++ git -C dst submodule update ssh-module ++' ++ ++test_expect_success 'update of ext not allowed' ' ++ test_must_fail git -C dst submodule update ext-module ++' ++ ++test_expect_success 'user can override whitelist' ' ++ GIT_ALLOW_PROTOCOL=ext git -C dst submodule update ext-module ++' ++ ++test_done +-- +2.3.5 + |