mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-18 21:32:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

git: fix CVE-2021-40330

Browse Source 
git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character,
which may result in unexpected cross-protocol requests,
as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.

Upstream-Status: Backport [a02ea57717]
CVE: CVE-2021-40330
(From OE-Core rev: ea0d7ef4a8c9bba94bd603ebd19e502faa86293b)

Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Minjae Kim
2021-11-25 19:49:12 +09:00
committed by Richard Purdie
parent 1a5fb730ac
commit e006c87e22
2 changed files with 111 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
meta/recipes-devtools/git/git.inc
View File

@@ -10,7 +10,9 @@ PROVIDES_append_class-native = " git-replacement-native"
SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
file://CVE-2021-21300.patch \
file://fixsort.patch"
file://fixsort.patch \
file://CVE-2021-40330.patch \
"
S = "${WORKDIR}/git-${PV}"