Reminder,

Regards,
Archana
________________________________
From: openembedded-core@lists.openembedded.org 
<openembedded-core@lists.openembedded.org> on behalf of Polampalli, Archana via 
lists.openembedded.org <archana.polampalli=windriver....@lists.openembedded.org>
Sent: Tuesday, May 9, 2023 6:33 PM
To: openembedded-core@lists.openembedded.org 
<openembedded-core@lists.openembedded.org>
Cc: G Pillai, Hari <hari.gpil...@windriver.com>; Polampalli, Archana 
<archana.polampa...@windriver.com>
Subject: [oe-core][mickledore][PATCH 1/1] git: fix CVE-2023-25652

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding
specially crafted input to `git apply --reject`, a path outside the working
tree can be overwritten with partially controlled contents (corresponding to
the rejected hunk(s) from the given patch). A fix is available in versions
2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3,
and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when
applying patches from an untrusted source. Use `git apply --stat` to inspect a
patch before applying; avoid applying one that creates a conflict where a link
corresponding to the `*.rej` file exists.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25652

Upstream patches:
https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b

Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com>
---
 .../git/git/CVE-2023-25652.patch              | 94 +++++++++++++++++++
 meta/recipes-devtools/git/git_2.39.2.bb       |  1 +
 2 files changed, 95 insertions(+)
 create mode 100644 meta/recipes-devtools/git/git/CVE-2023-25652.patch

diff --git a/meta/recipes-devtools/git/git/CVE-2023-25652.patch 
b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
new file mode 100644
index 0000000000..e8cedfcf27
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
@@ -0,0 +1,94 @@
+From 9db05711c98efc14f414d4c87135a34c13586e0b  Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <johannes.schinde...@gmx.de>
+Date: Thu Mar 9 16:02:54 2023 +0100
+Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
+ exists
+
+    The `git apply --reject` is expected to write out `.rej` files in case
+    one or more hunks fail to apply cleanly. Historically, the command
+    overwrites any existing `.rej` files. The idea being that
+    apply/reject/edit cycles are relatively common, and the generated `.rej`
+    files are not considered precious.
+
+    But the command does not overwrite existing `.rej` symbolic links, and
+    instead follows them. This is unsafe because the same patch could
+    potentially create such a symbolic link and point at arbitrary paths
+    outside the current worktree, and `git apply` would write the contents
+    of the `.rej` file into that location.
+
+    Therefore, let's make sure that any existing `.rej` file or symbolic
+    link is removed before writing it.
+
+    Reported-by: RyotaK <ryotak.m...@gmail.com>
+    Helped-by: Taylor Blau <m...@ttaylorr.com>
+    Helped-by: Junio C Hamano <gits...@pobox.com>
+    Helped-by: Linus Torvalds <torva...@linuxfoundation.org>
+    Signed-off-by: Johannes Schindelin <johannes.schinde...@gmx.de>
+
+CVE: CVE-2023-25652
+Upstream-Status: Backport 
[https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
+
+Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com>
+---
+ apply.c                  | 14 ++++++++++++--
+ t/t4115-apply-symlink.sh | 15 +++++++++++++++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/apply.c b/apply.c
+index eec2da2..442cf28 100644
+--- a/apply.c
++++ b/apply.c
+@@ -4576,7 +4576,7 @@ static int write_out_one_reject(struct apply_state 
*state, struct patch *patch)
+       FILE *rej;
+       char namebuf[PATH_MAX];
+       struct fragment *frag;
+-      int cnt = 0;
++      int fd, cnt = 0;
+       struct strbuf sb = STRBUF_INIT;
+
+       for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
+@@ -4616,7 +4616,17 @@ static int write_out_one_reject(struct apply_state 
*state, struct patch *patch)
+       memcpy(namebuf, patch->new_name, cnt);
+       memcpy(namebuf + cnt, ".rej", 5);
+
+-      rej = fopen(namebuf, "w");
++      fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++      if (fd < 0) {
++              if (errno != EEXIST)
++                      return error_errno(_("cannot open %s"), namebuf);
++              if (unlink(namebuf))
++                      return error_errno(_("cannot unlink '%s'"), namebuf);
++              fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++              if (fd < 0)
++                      return error_errno(_("cannot open %s"), namebuf);
++      }
++      rej = fdopen(fd, "w");
+       if (!rej)
+               return error_errno(_("cannot open %s"), namebuf);
+
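Review bot: in the second apply.c hunk, the `fd` returned by `open()` is leaked when `fdopen(fd, "w")` fails and the function takes the `return error_errno(_("cannot open %s"), namebuf);` path; a `close(fd)` before that return would tidy it up. The core of the change is sound: `O_CREAT | O_EXCL` makes `open()` refuse any existing directory entry, a symlink included, so the `.rej` contents can no longer be written through a link, and if something recreates the entry between the `unlink()` and the second `open()`, the retry fails with `EEXIST` and the function errors out instead of falling back to a link-following open, which is the fail-closed behaviour wanted here. The two identical `open()` calls and messages could be folded into a small retry loop, but keeping the duplicated form identical to the upstream commit is preferable for a backport.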
+diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
+index 65ac7df..e95e6d4 100755
+--- a/t/t4115-apply-symlink.sh
++++ b/t/t4115-apply-symlink.sh
+@@ -126,4 +126,19 @@ test_expect_success SYMLINKS 'symlink escape when 
deleting file' '
+       test_path_is_file .git/delete-me
+ '
+
++test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
++      test_when_finished "git reset --hard && git clean -dfx" &&
++
++      test_commit file &&
++      echo modified >file.t &&
++      git diff -- file.t >patch &&
++      echo modified-again >file.t &&
++
++      ln -s foo file.t.rej &&
++      test_must_fail git apply patch --reject 2>err &&
++      test_i18ngrep "Rejected hunk" err &&
++      test_path_is_missing foo &&
++      test_path_is_file file.t.rej
++'
++
+ test_done
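Review bot: the new test in t/t4115-apply-symlink.sh exercises exactly the case the commit message describes (a pre-existing dangling `file.t.rej -> foo` link), and `test_path_is_missing foo` together with `test_path_is_file file.t.rej` proves the link was replaced rather than followed. What it does not check is that the replacement `file.t.rej` actually holds the rejected hunk; since the patch was produced by `echo modified >file.t && git diff -- file.t >patch`, a `grep modified file.t.rej` after `test_path_is_file file.t.rej` would also catch a regression that leaves an empty file behind. Not a blocker for a backport that mirrors upstream.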
+--
+2.40.0
diff --git a/meta/recipes-devtools/git/git_2.39.2.bb 
b/meta/recipes-devtools/git/git_2.39.2.bb
index 222e545f60..5865efada0 100644
--- a/meta/recipes-devtools/git/git_2.39.2.bb
+++ b/meta/recipes-devtools/git/git_2.39.2.bb
@@ -10,6 +10,7 @@ PROVIDES:append:class-native = " git-replacement-native"
 SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
            file://fixsort.patch \
            
file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \
+           file://CVE-2023-25652.patch \
            "

 S = "${WORKDIR}/git-${PV}"
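Review bot: the recipe hunk only appends `file://CVE-2023-25652.patch \` to SRC_URI, consistent with the existing `file://` entries, and the patch header carries the `CVE: CVE-2023-25652` and `Upstream-Status: Backport [...]` tags, so cve-check can associate the fix with the CVE. The CVE text lists 2.39.3 as the first fixed 2.39.x release and this recipe is at 2.39.2, so a backport is the right approach for mickledore.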
--
2.40.0
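As an added example, which is neither git's code nor part of the patch above, here is the hardened create step that the apply.c hunk implements, written as a stand-alone C function with two self-checks that reproduce the scenario the new t4115 test covers: a dangling `file.t.rej` symlink must be replaced rather than followed, and a stale regular `.rej` file must still be overwritten. The function name `open_reject_file`, the temporary directory layout and the hunk text are constructed for this demo.

```c
/* Added example (not git's code): the O_CREAT|O_EXCL create-then-unlink-then-retry
 * pattern from the fix for CVE-2023-25652, plus self-checks for both cases. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` for writing without ever following an existing symlink.
 * O_EXCL makes open() refuse any existing directory entry (a symlink too);
 * on EEXIST the entry is removed and the create is retried once. If the
 * retry also fails, the caller gets -1: we fail closed rather than fall
 * back to a link-following open. Hypothetical name, not git's API. */
static int open_reject_file(const char *path)
{
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
    if (fd < 0) {
        if (errno != EEXIST)
            return -1;
        if (unlink(path))
            return -1;
        fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
    }
    return fd;
}

/* Scenario from the upstream test: file.t.rej -> target already exists as a
 * dangling symlink (constructed here). Writing the rejected hunk must leave
 * `target` absent and turn file.t.rej into a regular file. Returns 1 if so. */
int reject_write_does_not_follow_symlink(void)
{
    char dir[] = "/tmp/rejdemoXXXXXX";
    char rej[512], target[512];
    struct stat st;
    const char *hunk = "@@ -1 +1 @@\n-file\n+modified\n"; /* constructed */
    int fd, ok = 0;

    if (!mkdtemp(dir))
        return 0;
    snprintf(rej, sizeof rej, "%s/file.t.rej", dir);
    snprintf(target, sizeof target, "%s/target", dir);

    if (symlink("target", rej) == 0) {
        fd = open_reject_file(rej);
        if (fd >= 0) {
            ssize_t n = write(fd, hunk, strlen(hunk));
            close(fd);
            ok = n == (ssize_t)strlen(hunk)
                 && lstat(rej, &st) == 0 && S_ISREG(st.st_mode)
                 && lstat(target, &st) != 0 && errno == ENOENT;
        }
    }
    unlink(rej);
    unlink(target);
    rmdir(dir);
    return ok;
}

/* The historical behaviour that must be preserved: a stale .rej file from an
 * earlier apply/reject/edit cycle is simply replaced. Returns 1 on success. */
int reject_write_replaces_existing_file(void)
{
    char dir[] = "/tmp/rejdemoXXXXXX";
    char rej[512], buf[64] = {0};
    int fd, ok = 0;

    if (!mkdtemp(dir))
        return 0;
    snprintf(rej, sizeof rej, "%s/file.t.rej", dir);

    fd = open(rej, O_CREAT | O_WRONLY, 0666);      /* stale .rej (constructed) */
    if (fd >= 0) {
        ssize_t n = write(fd, "stale\n", 6);
        close(fd);
        if (n == 6 && (fd = open_reject_file(rej)) >= 0) {
            n = write(fd, "fresh\n", 6);
            close(fd);
            if (n == 6 && (fd = open(rej, O_RDONLY)) >= 0) {
                n = read(fd, buf, sizeof buf - 1);
                close(fd);
                ok = n == 6 && strcmp(buf, "fresh\n") == 0;
            }
        }
    }
    unlink(rej);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink not followed: %s\n",
           reject_write_does_not_follow_symlink() ? "ok" : "FAIL");
    printf("stale file replaced:  %s\n",
           reject_write_replaces_existing_file() ? "ok" : "FAIL");
    return 0;
}
```

The second `open()` deliberately keeps `O_EXCL`: if the entry reappears between the `unlink()` and the retry, the function returns -1 and the caller reports an error, which is the same fail-closed outcome the apply.c hunk produces with `error_errno()`.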
