mirror of
https://git.yoctoproject.org/poky
synced 2026-03-19 13:49:41 +01:00
git: fix CVE-2023-25652
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding
specially crafted input to `git apply --reject`, a path outside the working
tree can be overwritten with partially controlled contents (corresponding to
the rejected hunk(s) from the given patch). A fix is available in versions
2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3,
and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying
patches from an untrusted source. Use `git apply --stat` to inspect a patch before
applying; avoid applying one that create a conflict where a link corresponding to
the `*.rej` file exists.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25652
Upstream patches:
9db05711c9
(From OE-Core rev: 335ad8a6d795cd94b872370e44a033ce3fbf4890)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Archana Polampalli
committed by
Steve Sakoman
Steve Sakoman
parent
04316b4f47
commit
6d618c1b8b
94
meta/recipes-devtools/git/git/CVE-2023-25652.patch
Normal file
94
meta/recipes-devtools/git/git/CVE-2023-25652.patch
Normal file
@@ -0,0 +1,94 @@
|
||||
From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001
|
||||
From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
|
||||
Date: Thu Mar 9 16:02:54 2023 +0100
|
||||
Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
|
||||
exists
|
||||
|
||||
The `git apply --reject` is expected to write out `.rej` files in case
|
||||
one or more hunks fail to apply cleanly. Historically, the command
|
||||
overwrites any existing `.rej` files. The idea being that
|
||||
apply/reject/edit cycles are relatively common, and the generated `.rej`
|
||||
files are not considered precious.
|
||||
|
||||
But the command does not overwrite existing `.rej` symbolic links, and
|
||||
instead follows them. This is unsafe because the same patch could
|
||||
potentially create such a symbolic link and point at arbitrary paths
|
||||
outside the current worktree, and `git apply` would write the contents
|
||||
of the `.rej` file into that location.
|
||||
|
||||
Therefore, let's make sure that any existing `.rej` file or symbolic
|
||||
link is removed before writing it.
|
||||
|
||||
Reported-by: RyotaK <ryotak.mail@gmail.com>
|
||||
Helped-by: Taylor Blau <me@ttaylorr.com>
|
||||
Helped-by: Junio C Hamano <gitster@pobox.com>
|
||||
Helped-by: Linus Torvalds <torvalds@linuxfoundation.org>
|
||||
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
|
||||
|
||||
CVE: CVE-2023-25652
|
||||
Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
|
||||
|
||||
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
|
||||
---
|
||||
apply.c | 14 ++++++++++++--
|
||||
t/t4115-apply-symlink.sh | 15 +++++++++++++++
|
||||
2 files changed, 27 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/apply.c b/apply.c
|
||||
index fc6f484..47f2686 100644
|
||||
--- a/apply.c
|
||||
+++ b/apply.c
|
||||
@@ -4584,7 +4584,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
|
||||
FILE *rej;
|
||||
char namebuf[PATH_MAX];
|
||||
struct fragment *frag;
|
||||
- int cnt = 0;
|
||||
+ int fd, cnt = 0;
|
||||
struct strbuf sb = STRBUF_INIT;
|
||||
|
||||
for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
|
||||
@@ -4624,7 +4624,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
|
||||
memcpy(namebuf, patch->new_name, cnt);
|
||||
memcpy(namebuf + cnt, ".rej", 5);
|
||||
|
||||
- rej = fopen(namebuf, "w");
|
||||
+ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
|
||||
+ if (fd < 0) {
|
||||
+ if (errno != EEXIST)
|
||||
+ return error_errno(_("cannot open %s"), namebuf);
|
||||
+ if (unlink(namebuf))
|
||||
+ return error_errno(_("cannot unlink '%s'"), namebuf);
|
||||
+ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
|
||||
+ if (fd < 0)
|
||||
+ return error_errno(_("cannot open %s"), namebuf);
|
||||
+ }
|
||||
+ rej = fdopen(fd, "w");
|
||||
if (!rej)
|
||||
return error_errno(_("cannot open %s"), namebuf);
|
||||
|
||||
diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
|
||||
index 65ac7df..e95e6d4 100755
|
||||
--- a/t/t4115-apply-symlink.sh
|
||||
+++ b/t/t4115-apply-symlink.sh
|
||||
@@ -126,4 +126,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' '
|
||||
test_path_is_file .git/delete-me
|
||||
'
|
||||
|
||||
+test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
|
||||
+ test_when_finished "git reset --hard && git clean -dfx" &&
|
||||
+
|
||||
+ test_commit file &&
|
||||
+ echo modified >file.t &&
|
||||
+ git diff -- file.t >patch &&
|
||||
+ echo modified-again >file.t &&
|
||||
+
|
||||
+ ln -s foo file.t.rej &&
|
||||
+ test_must_fail git apply patch --reject 2>err &&
|
||||
+ test_i18ngrep "Rejected hunk" err &&
|
||||
+ test_path_is_missing foo &&
|
||||
+ test_path_is_file file.t.rej
|
||||
+'
|
||||
+
|
||||
test_done
|
||||
--
|
||||
2.40.0
|
||||
@@ -11,6 +11,7 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
|
||||
file://fixsort.patch \
|
||||
file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \
|
||||
file://CVE-2023-29007.patch \
|
||||
file://CVE-2023-25652.patch \
|
||||
"
|
||||
|
||||
S = "${WORKDIR}/git-${PV}"
|
||||
|
||||
Reference in New Issue
Block a user