mirror of
https://git.yoctoproject.org/poky
synced 2026-02-22 09:29:40 +01:00
d08e8d726d
CVE-2024-32002: Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources. CVE-2024-32004: Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources. CVE-2024-32020: Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a "proper" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. CVE-2024-32021: Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. CVE-2024-32465: Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources. References: https://nvd.nist.gov/vuln/detail/CVE-2024-32002 https://nvd.nist.gov/vuln/detail/CVE-2024-32004 https://nvd.nist.gov/vuln/detail/CVE-2024-32020 https://nvd.nist.gov/vuln/detail/CVE-2024-32021 https://nvd.nist.gov/vuln/detail/CVE-2024-32465 (From OE-Core rev: 209c41377abf6853455b00af3923f1b244a3766b) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
188 lines
6.3 KiB
Diff
188 lines
6.3 KiB
Diff
From 17d3883fe9c88b823002ad9fafb42313ddc3d3d5 Mon Sep 17 00:00:00 2001
|
|
From: Johannes Schindelin <johannes.schindelin@gmx.de>
|
|
Date: Mon, 8 Aug 2022 13:27:47 +0000
|
|
Subject: [PATCH] setup: prepare for more detailed "dubious ownership" messages
|
|
|
|
When verifying the ownership of the Git directory, we sometimes would
|
|
like to say a bit more about it, e.g. when using a platform-dependent
|
|
code path (think: Windows has the permission model that is so different
|
|
from Unix'), but only when it is a appropriate to actually say
|
|
something.
|
|
|
|
To allow for that, collect that information and hand it back to the
|
|
caller (whose responsibility it is to show it or not).
|
|
|
|
Note: We do not actually fill in any platform-dependent information yet,
|
|
this commit just adds the infrastructure to be able to do so.
|
|
|
|
Based-on-an-idea-by: Junio C Hamano <gitster@pobox.com>
|
|
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
|
|
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
|
|
CVE: CVE-2024-32004
|
|
|
|
Upstream-Status: Backport [https://github.com/git/git/commit/17d3883fe9c88b823002ad9fafb42313ddc3d3d5]
|
|
|
|
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
|
|
---
|
|
compat/mingw.c | 2 +-
|
|
compat/mingw.h | 2 +-
|
|
git-compat-util.h | 5 ++++-
|
|
setup.c | 25 +++++++++++++++----------
|
|
4 files changed, 21 insertions(+), 13 deletions(-)
|
|
|
|
diff --git a/compat/mingw.c b/compat/mingw.c
|
|
index 41fc163..9306a0e 100644
|
|
--- a/compat/mingw.c
|
|
+++ b/compat/mingw.c
|
|
@@ -2658,7 +2658,7 @@ static PSID get_current_user_sid(void)
|
|
return result;
|
|
}
|
|
|
|
-int is_path_owned_by_current_sid(const char *path)
|
|
+int is_path_owned_by_current_sid(const char *path, struct strbuf *report)
|
|
{
|
|
WCHAR wpath[MAX_PATH];
|
|
PSID sid = NULL;
|
|
diff --git a/compat/mingw.h b/compat/mingw.h
|
|
index ffa53a4..a1a69c5 100644
|
|
--- a/compat/mingw.h
|
|
+++ b/compat/mingw.h
|
|
@@ -457,7 +457,7 @@ char *mingw_query_user_email(void);
|
|
* Verifies that the specified path is owned by the user running the
|
|
* current process.
|
|
*/
|
|
-int is_path_owned_by_current_sid(const char *path);
|
|
+int is_path_owned_by_current_sid(const char *path, struct strbuf *report);
|
|
#define is_path_owned_by_current_user is_path_owned_by_current_sid
|
|
|
|
/**
|
|
diff --git a/git-compat-util.h b/git-compat-util.h
|
|
index 1c651c8..27b84b8 100644
|
|
--- a/git-compat-util.h
|
|
+++ b/git-compat-util.h
|
|
@@ -23,6 +23,9 @@
|
|
#include <crtdbg.h>
|
|
#endif
|
|
|
|
+struct strbuf;
|
|
+
|
|
+
|
|
#define _FILE_OFFSET_BITS 64
|
|
|
|
|
|
@@ -475,7 +478,7 @@ static inline void extract_id_from_env(const char *env, uid_t *id)
|
|
}
|
|
}
|
|
|
|
-static inline int is_path_owned_by_current_uid(const char *path)
|
|
+static inline int is_path_owned_by_current_uid(const char *path, struct strbuf *report)
|
|
{
|
|
struct stat st;
|
|
uid_t euid;
|
|
diff --git a/setup.c b/setup.c
|
|
index 8686ffe..1ad7330 100644
|
|
--- a/setup.c
|
|
+++ b/setup.c
|
|
@@ -1128,16 +1128,17 @@ static int safe_directory_cb(const char *key, const char *value, void *d)
|
|
* added, for bare ones their git directory.
|
|
*/
|
|
static int ensure_valid_ownership(const char *gitfile,
|
|
- const char *worktree, const char *gitdir)
|
|
+ const char *worktree, const char *gitdir,
|
|
+ struct strbuf *report)
|
|
{
|
|
struct safe_directory_data data = {
|
|
.path = worktree ? worktree : gitdir
|
|
};
|
|
|
|
if (!git_env_bool("GIT_TEST_ASSUME_DIFFERENT_OWNER", 0) &&
|
|
- (!gitfile || is_path_owned_by_current_user(gitfile)) &&
|
|
- (!worktree || is_path_owned_by_current_user(worktree)) &&
|
|
- (!gitdir || is_path_owned_by_current_user(gitdir)))
|
|
+ (!gitfile || is_path_owned_by_current_user(gitfile, report)) &&
|
|
+ (!worktree || is_path_owned_by_current_user(worktree, report)) &&
|
|
+ (!gitdir || is_path_owned_by_current_user(gitdir, report)))
|
|
return 1;
|
|
|
|
/*
|
|
@@ -1177,6 +1178,7 @@ enum discovery_result {
|
|
*/
|
|
static enum discovery_result setup_git_directory_gently_1(struct strbuf *dir,
|
|
struct strbuf *gitdir,
|
|
+ struct strbuf *report,
|
|
int die_on_error)
|
|
{
|
|
const char *env_ceiling_dirs = getenv(CEILING_DIRECTORIES_ENVIRONMENT);
|
|
@@ -1264,7 +1266,7 @@ static enum discovery_result setup_git_directory_gently_1(struct strbuf *dir,
|
|
|
|
if (ensure_valid_ownership(gitfile,
|
|
dir->buf,
|
|
- (gitdir_path ? gitdir_path : gitdirenv))) {
|
|
+ (gitdir_path ? gitdir_path : gitdirenv), report)) {
|
|
strbuf_addstr(gitdir, gitdirenv);
|
|
ret = GIT_DIR_DISCOVERED;
|
|
} else
|
|
@@ -1287,7 +1289,7 @@ static enum discovery_result setup_git_directory_gently_1(struct strbuf *dir,
|
|
}
|
|
|
|
if (is_git_directory(dir->buf)) {
|
|
- if (!ensure_valid_ownership(NULL, NULL, dir->buf))
|
|
+ if (!ensure_valid_ownership(NULL, NULL, dir->buf, report))
|
|
return GIT_DIR_INVALID_OWNERSHIP;
|
|
strbuf_addstr(gitdir, ".");
|
|
return GIT_DIR_BARE;
|
|
@@ -1320,7 +1322,7 @@ int discover_git_directory(struct strbuf *commondir,
|
|
return -1;
|
|
|
|
cwd_len = dir.len;
|
|
- if (setup_git_directory_gently_1(&dir, gitdir, 0) <= 0) {
|
|
+ if (setup_git_directory_gently_1(&dir, gitdir, NULL, 0) <= 0) {
|
|
strbuf_release(&dir);
|
|
return -1;
|
|
}
|
|
@@ -1367,7 +1369,7 @@ int discover_git_directory(struct strbuf *commondir,
|
|
const char *setup_git_directory_gently(int *nongit_ok)
|
|
{
|
|
static struct strbuf cwd = STRBUF_INIT;
|
|
- struct strbuf dir = STRBUF_INIT, gitdir = STRBUF_INIT;
|
|
+ struct strbuf dir = STRBUF_INIT, gitdir = STRBUF_INIT, report = STRBUF_INIT;
|
|
const char *prefix = NULL;
|
|
struct repository_format repo_fmt = REPOSITORY_FORMAT_INIT;
|
|
|
|
@@ -1392,7 +1394,7 @@ const char *setup_git_directory_gently(int *nongit_ok)
|
|
die_errno(_("Unable to read current working directory"));
|
|
strbuf_addbuf(&dir, &cwd);
|
|
|
|
- switch (setup_git_directory_gently_1(&dir, &gitdir, 1)) {
|
|
+ switch (setup_git_directory_gently_1(&dir, &gitdir, &report, 1)) {
|
|
case GIT_DIR_EXPLICIT:
|
|
prefix = setup_explicit_git_dir(gitdir.buf, &cwd, &repo_fmt, nongit_ok);
|
|
break;
|
|
@@ -1424,12 +1426,14 @@ const char *setup_git_directory_gently(int *nongit_ok)
|
|
if (!nongit_ok) {
|
|
struct strbuf quoted = STRBUF_INIT;
|
|
|
|
+ strbuf_complete(&report, '\n');
|
|
sq_quote_buf_pretty("ed, dir.buf);
|
|
die(_("detected dubious ownership in repository at '%s'\n"
|
|
+ "%s"
|
|
"To add an exception for this directory, call:\n"
|
|
"\n"
|
|
"\tgit config --global --add safe.directory %s"),
|
|
- dir.buf, quoted.buf);
|
|
+ dir.buf, report.buf, quoted.buf);
|
|
}
|
|
*nongit_ok = 1;
|
|
break;
|
|
@@ -1508,6 +1512,7 @@ const char *setup_git_directory_gently(int *nongit_ok)
|
|
|
|
strbuf_release(&dir);
|
|
strbuf_release(&gitdir);
|
|
+ strbuf_release(&report);
|
|
clear_repository_format(&repo_fmt);
|
|
|
|
return prefix;
|
|
--
|
|
2.40.0
|