diff options
author | Archana Polampalli <archana.polampalli@windriver.com> | 2023-05-07 08:09:11 +0000 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-05-08 04:18:43 -1000 |
commit | 335ad8a6d795cd94b872370e44a033ce3fbf4890 (patch) | |
tree | d5b0a86f578056ee7c98b54c937c49cd8cea478f | |
parent | 1b55343b6346437b80b8a8180ae1bc9f480d92ef (diff) | |
download | openembedded-core-335ad8a6d795cd94b872370e44a033ce3fbf4890.tar.gz |
git: fix CVE-2023-25652
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding
specially crafted input to `git apply --reject`, a path outside the working
tree can be overwritten with partially controlled contents (corresponding to
the rejected hunk(s) from the given patch). A fix is available in versions
2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3,
and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying
patches from an untrusted source. Use `git apply --stat` to inspect a patch before
applying; avoid applying one that create a conflict where a link corresponding to
the `*.rej` file exists.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25652
Upstream patches:
https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-devtools/git/git/CVE-2023-25652.patch | 94 | ||||
-rw-r--r-- | meta/recipes-devtools/git/git_2.35.7.bb | 1 |
2 files changed, 95 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git/CVE-2023-25652.patch b/meta/recipes-devtools/git/git/CVE-2023-25652.patch new file mode 100644 index 0000000000..825701eaff --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2023-25652.patch @@ -0,0 +1,94 @@ +From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin <Johannes.Schindelin@gmx.de> +Date: Thu Mar 9 16:02:54 2023 +0100 +Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it + exists + + The `git apply --reject` is expected to write out `.rej` files in case + one or more hunks fail to apply cleanly. Historically, the command + overwrites any existing `.rej` files. The idea being that + apply/reject/edit cycles are relatively common, and the generated `.rej` + files are not considered precious. + + But the command does not overwrite existing `.rej` symbolic links, and + instead follows them. This is unsafe because the same patch could + potentially create such a symbolic link and point at arbitrary paths + outside the current worktree, and `git apply` would write the contents + of the `.rej` file into that location. + + Therefore, let's make sure that any existing `.rej` file or symbolic + link is removed before writing it. + + Reported-by: RyotaK <ryotak.mail@gmail.com> + Helped-by: Taylor Blau <me@ttaylorr.com> + Helped-by: Junio C Hamano <gitster@pobox.com> + Helped-by: Linus Torvalds <torvalds@linuxfoundation.org> + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + +CVE: CVE-2023-25652 +Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + apply.c | 14 ++++++++++++-- + t/t4115-apply-symlink.sh | 15 +++++++++++++++ + 2 files changed, 27 insertions(+), 2 deletions(-) + +diff --git a/apply.c b/apply.c +index fc6f484..47f2686 100644 +--- a/apply.c ++++ b/apply.c +@@ -4584,7 +4584,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch) + FILE *rej; + char namebuf[PATH_MAX]; + struct fragment *frag; +- int cnt = 0; ++ int fd, cnt = 0; + struct strbuf sb = STRBUF_INIT; + + for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) { +@@ -4624,7 +4624,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch) + memcpy(namebuf, patch->new_name, cnt); + memcpy(namebuf + cnt, ".rej", 5); + +- rej = fopen(namebuf, "w"); ++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); ++ if (fd < 0) { ++ if (errno != EEXIST) ++ return error_errno(_("cannot open %s"), namebuf); ++ if (unlink(namebuf)) ++ return error_errno(_("cannot unlink '%s'"), namebuf); ++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); ++ if (fd < 0) ++ return error_errno(_("cannot open %s"), namebuf); ++ } ++ rej = fdopen(fd, "w"); + if (!rej) + return error_errno(_("cannot open %s"), namebuf); + +diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh +index 65ac7df..e95e6d4 100755 +--- a/t/t4115-apply-symlink.sh ++++ b/t/t4115-apply-symlink.sh +@@ -126,4 +126,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' ' + test_path_is_file .git/delete-me + ' + ++test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' ' ++ test_when_finished "git reset --hard && git clean -dfx" && ++ ++ test_commit file && ++ echo modified >file.t && ++ git diff -- file.t >patch && ++ echo modified-again >file.t && ++ ++ ln -s foo file.t.rej && ++ test_must_fail git apply patch --reject 2>err && ++ test_i18ngrep "Rejected hunk" err && ++ test_path_is_missing foo && ++ test_path_is_file file.t.rej ++' ++ + test_done +-- +2.40.0 diff --git a/meta/recipes-devtools/git/git_2.35.7.bb b/meta/recipes-devtools/git/git_2.35.7.bb index 199ac950fa..99d3d70683 100644 --- a/meta/recipes-devtools/git/git_2.35.7.bb +++ b/meta/recipes-devtools/git/git_2.35.7.bb @@ -11,6 +11,7 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ file://fixsort.patch \ file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \ file://CVE-2023-29007.patch \ + file://CVE-2023-25652.patch \ " S = "${WORKDIR}/git-${PV}" |