Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding
specially crafted input to `git apply --reject`, a path outside the working
tree can be overwritten with partially controlled contents (corresponding to
the rejected hunk(s) from the given patch). A fix is available in versions
2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3,
and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying
patches from an untrusted source. Use `git apply --stat` to inspect a patch before
applying; avoid applying one that create a conflict where a link corresponding to
the `*.rej` file exists.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25652
Upstream-Status: Backport from 9db05711c9
(From OE-Core rev: 6747482316b8f7839a09bf041d8c11b559f84b44)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8,
2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
`.gitmodules` file with submodule URLs that are longer than 1024 characters can used
to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug
can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when
attempting to remove the configuration section associated with that submodule. When the
attacker injects configuration values which specify executables to run (such as
`core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code
execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8,
2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running
`git submodule deinit` on untrusted repositories or without prior inspection of any
submodule sections in `$GIT_DIR/config`.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29007
Upstream patches:
528290f8c629198213c9a5bb10fd5ee91cfe60853bb3d6bac5
(From OE-Core rev: db4c152441aebe4c04a7bb7aceb88d8941a6576b)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Security release, fixes CVE-2021-21300, so remove that patch.
22539ec3b5 unpack_trees(): start with a fresh lstat cache
0d58fef58a run-command: invalidate lstat cache after a command finished
684dd4c2b4 checkout: fix bug that makes checkout follow symlinks in leading path
(From OE-Core rev: 8606d99041c3c1a002b2300c59afc116050c73cc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Everyone I've talked to doesn't see this as a major issue. The CVE
asks for a documentation improvement on the --mirror option to
git clone as deleted content could be leaked into a mirror. For OE's
general users/use cases, we wouldn't build or ship docs so this wouldn't
affect us.
(From OE-Core rev: f35500a442d6a4564d52e23f9602a3f90a4ceee5)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5dfe2dd5482c9a446f8e722fe51903d205e6770d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character,
which may result in unexpected cross-protocol requests,
as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.
Upstream-Status: Backport [a02ea57717]
CVE: CVE-2021-40330
(From OE-Core rev: ea0d7ef4a8c9bba94bd603ebd19e502faa86293b)
Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
checkout: fix bug that makes checkout follow symlinks in leading path
Upstream-Status: Acepted [684dd4c2b4]
CVE: CVE-2021-21300
(From OE-Core rev: 8293d5d1529629bd13028bdde1fa99da30313bac)
Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Added HOMEPAGE and DESCRIPTION for recipes with missing decriptions or homepage
[YOCTO #13471]
(From OE-Core rev: bd3352880322598b0ba6dc439ff08c2e4c592e36)
Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bb05814335e7101bfd8df0a11dc18a044e867bed)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This includes the fixes for CVE-2020-5260 and CVE-2020-11008.
(From OE-Core rev: 46da8ac6d25bb75c625c2da1d36cbc693a7d442d)
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
On a system with selinux turned on, trying to access a directory
that is in a tree that doesn't exist returns the error permission
denined rather then no such file or directory, which causes git
to die.
git clone git://git.yoctoproject.org/poky
Cloning into 'poky'...
fatal: unable to access '/opt/poky/3.0+snapshot/sysroots/x86_64-pokysdk-linux/etc/gitconfig': Permission denied
Switch to using the system gitconfig of the host.
(From OE-Core rev: 5e44fb4dd106e3c4b9f072b25a93e54fa7bb1bce)
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some tools are not written in Perl anymore, so they should be in PN no PN-perltools.
(From OE-Core rev: 8a2e4dac4f5086fbfc094fb1f16e91108ee1b247)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Removed code for "${D}${exec_prefix}/lib/perl-native/perl" since there is no
such a directory now.
* Fixed perl related code.
(From OE-Core rev: 416a8c241aff0dca6b8b123e52cf8e2d40c74c8d)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add /usr/share/git-core/templates/hooks/fsmonitor-watchman.sample to PERLTOOLS to fix:
ERROR: git-2.16.1-r0 do_package_qa: QA Issue: /usr/share/git-core/templates/hooks/fsmonitor-watchman.sample contained in package git requires /usr/bin/perl, but no providers found in RDEPENDS_git? [file-rdeps]
ERROR: git-2.16.1-r0 do_package_qa: QA run found fatal errors. Please consider fixing them.
(From OE-Core rev: d8a93d75c75bf8df40f3e167eca2fcef4f76e240)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These git commands require Perl modules that do not exist in OE-Core.
Add PACKAGECONFIGs to enable them. Be aware though that if you enable
them you must also provide the missing dependencies.
(From OE-Core rev: d7909007b2a912ae5adf01edfabaa8b8646369cd)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Remove git-relink from PERLTOOLS:
git-2.13.2/Documentation/RelNotes/2.12.0.txt:
* An ancient script "git relink" has been removed.
(From OE-Core rev: f759420ad2a60d0be4ca15f4c9294086ecc86e59)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Search made with the following regex: getVar ?\(( ?[^,()]*), True\)
(From OE-Core rev: 7c552996597faaee2fbee185b250c0ee30ea3b5f)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since commit set default libexecdir to $prefix/libexec
...
commit f35b2e29d9
Author: Ross Burton <ross.burton@intel.com>
Date: Tue Apr 30 20:35:54 2013 +0100
bitbake: set default libexecdir to $prefix/libexec
...
It casued '${D}${libdir}' does not exist, and the following
move operation incorrect which triggered QA Issue:
...
ERROR: git-2.7.0-r0 do_package: QA Issue: git: Files/directories were installed but not shipped in any package:
/usr/lib64
/usr/lib64/site_perl
/usr/lib64/site_perl/5.22.1
...
(From OE-Core rev: 2b82a475a7c8310f432b872e9d1e5eca262a03ee)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With the autodebug package generation logic, specifically setting FILES_${PN}-dbg
isn't needed in most cases, we can remove them.
(From OE-Core rev: 3ab59d49dd7c18e194b58d1248b4b87709b5a738)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
