mirror of
https://git.yoctoproject.org/poky
synced 2026-02-21 00:49:41 +01:00
e271e3cf36
Git is a fast, scalable, distributed revision control system with an
unusually rich command set that provides both high-level operations
and full access to internals. When reading a config value, Git strips
any trailing carriage return and line feed (CRLF). When writing a
config entry, values with a trailing CR are not quoted, causing the CR
to be lost when the config is later read. When initializing a
submodule, if the submodule path contains a trailing CR, the altered
path is read resulting in the submodule being checked out to an
incorrect location. If a symlink exists that points the altered path
to the submodule hooks directory, and the submodule contains an
executable post-checkout hook, the script may be unintentionally
executed after checkout. This vulnerability is fixed in v2.43.7,
v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-48384
Upstream-patch:
05e9cd64ee
(From OE-Core rev: 34cb9674a5ce337a75af0dc415706d0323c427a6)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
86 lines
3.4 KiB
Diff
86 lines
3.4 KiB
Diff
From 05e9cd64ee23bbadcea6bcffd6660ed02b8eab89 Mon Sep 17 00:00:00 2001
|
|
From: Justin Tobler <jltobler@gmail.com>
|
|
Date: Mon, 19 May 2025 21:26:04 -0500
|
|
Subject: [PATCH] config: quote values containing CR character
|
|
|
|
When reading the config, values that contain a trailing CRLF are
|
|
stripped. If the value itself has a trailing CR, the normal LF that
|
|
follows results in the CR being unintentionally stripped. This may lead
|
|
to unintended behavior due to the config value written being different
|
|
when it gets read.
|
|
|
|
One such issue involves a repository with a submodule path containing a
|
|
trailing CR. When the submodule gets initialized, the submodule is
|
|
cloned without being checked out and has "core.worktree" set to the
|
|
submodule path. The git-checkout(1) that gets spawned later reads the
|
|
"core.worktree" config value, but without the trailing CR, and
|
|
consequently attempts to checkout to a different path than intended.
|
|
|
|
If the repository contains a matching path that is a symlink, it is
|
|
possible for the submodule repository to be checked out in arbitrary
|
|
locations. This is extra bad when the symlink points to the submodule
|
|
hooks directory and the submodule repository contains an executable
|
|
"post-checkout" hook. Once the submodule repository checkout completes,
|
|
the "post-checkout" hook immediately executes.
|
|
|
|
To prevent mismatched config state due to misinterpreting a trailing CR,
|
|
wrap config values containing CR in double quotes when writing the
|
|
entry. This ensures a trailing CR is always separated for an LF and thus
|
|
prevented from getting stripped.
|
|
|
|
Note that this problem cannot be addressed by just quoting each CR with
|
|
"\r". The reading side of the config interprets only a few backslash
|
|
escapes, and "\r" is not among them. This fix is sufficient though
|
|
because it only affects the CR at the end of a line and any literal CR
|
|
in the interior is already preserved.
|
|
|
|
Co-authored-by: David Leadbeater <dgl@dgl.cx>
|
|
Signed-off-by: Justin Tobler <jltobler@gmail.com>
|
|
Signed-off-by: Taylor Blau <me@ttaylorr.com>
|
|
|
|
CVE: CVE-2025-48384
|
|
|
|
Upstream-Status: Backport [https://github.com/git/git/commit/05e9cd64ee23bbadcea6bcffd6660ed02b8eab89]
|
|
|
|
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
|
|
---
|
|
config.c | 2 +-
|
|
t/t1300-config.sh | 10 ++++++++++
|
|
2 files changed, 11 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/config.c b/config.c
|
|
index 6a01938..4fbff51 100644
|
|
--- a/config.c
|
|
+++ b/config.c
|
|
@@ -2756,7 +2756,7 @@ static ssize_t write_pair(int fd, const char *key, const char *value,
|
|
if (value[0] == ' ')
|
|
quote = "\"";
|
|
for (i = 0; value[i]; i++)
|
|
- if (value[i] == ';' || value[i] == '#')
|
|
+ if (value[i] == ';' || value[i] == '#' || value[i] == '\r')
|
|
quote = "\"";
|
|
if (i && value[i - 1] == ' ')
|
|
quote = "\"";
|
|
diff --git a/t/t1300-config.sh b/t/t1300-config.sh
|
|
index b07feb1..49f4971 100755
|
|
--- a/t/t1300-config.sh
|
|
+++ b/t/t1300-config.sh
|
|
@@ -2417,5 +2417,15 @@ test_expect_success '--get and --get-all with --fixed-value' '
|
|
git config --file=config --get-regexp --fixed-value fixed+ "$META" &&
|
|
test_must_fail git config --file=config --get-regexp --fixed-value fixed+ non-existent
|
|
'
|
|
+test_expect_success 'writing value with trailing CR not stripped on read' '
|
|
+ test_when_finished "rm -rf cr-test" &&
|
|
+
|
|
+ printf "bar\r\n" >expect &&
|
|
+ git init cr-test &&
|
|
+ git -C cr-test config set core.foo $(printf "bar\r") &&
|
|
+ git -C cr-test config get core.foo >actual &&
|
|
+
|
|
+ test_cmp expect actual
|
|
+'
|
|
|
|
test_done
|
|
--
|
|
2.40.0
|