Re: [oe-core][mickledore][PATCH 1/1] git: fix CVE-2023-29007
Reminder,
Regards,
archana
From: openembedded-core@lists.openembedded.org
on behalf of Polampalli, Archana via
lists.openembedded.org
Sent: Tuesday, May 9, 2023 6:44 PM
To: openembedded-core@lists.openembedded.org
Cc: G Pillai, Hari ; Polampalli, Archana
Subject: [oe-core][mickledore][PATCH 1/1] git: fix CVE-2023-29007
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8,
2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
`.gitmodules` file with submodule URLs that are longer than 1024 characters can
used
to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`.
This bug
can be used to inject arbitrary configuration into a user's `$GIT_DIR/config`
when
attempting to remove the configuration section associated with that submodule.
When the
attacker injects configuration values which specify executables to run (such as
`core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote
code
execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8,
2.34.8,
2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid
running
`git submodule deinit` on untrusted repositories or without prior inspection of
any
submodule sections in `$GIT_DIR/config`.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29007
Upstream patches:
https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8
https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a
https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d
https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a
Signed-off-by: Archana Polampalli
---
.../git/git/CVE-2023-29007.patch | 158 ++
meta/recipes-devtools/git/git_2.39.2.bb | 1 +
2 files changed, 159 insertions(+)
create mode 100644 meta/recipes-devtools/git/git/CVE-2023-29007.patch
diff --git a/meta/recipes-devtools/git/git/CVE-2023-29007.patch
b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
new file mode 100644
index 00..14b6933e96
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
@@ -0,0 +1,158 @@
+From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001
+From: Taylor Blau
+Date: Fri, 14 Apr 2023 11:46:59 -0400
+Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection'
+
+Avoids issues with renaming or deleting sections with long lines, where
+configuration values may be interpreted as sections, leading to
+configuration injection. Addresses CVE-2023-29007.
+
+* tb/config-copy-or-rename-in-file-injection:
+ config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
+ config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
+ config: avoid fixed-sized buffer when renaming/deleting a section
+ t1300: demonstrate failure when renaming sections with long lines
+
+Signed-off-by: Taylor Blau
+
+CVE: CVE-2023-29007
+Upstream-Status: Backport
[https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4]
+
+Signed-off-by: Archana Polampalli
+---
+ config.c | 34 +++---
+ t/t1300-config.sh | 31 +++
+ 2 files changed, 54 insertions(+), 11 deletions(-)
+
+diff --git a/config.c b/config.c
+index 27f3828..3c674a6 100644
+--- a/config.c
b/config.c
+@@ -3487,9 +3487,10 @@ void git_config_set_multivar(const char *key, const
char *value,
+ flags);
+ }
+
+-static int section_name_match (const char *buf, const char *name)
++static size_t section_name_match (const char *buf, const char *name)
+ {
+- int i = 0, j = 0, dot = 0;
++ size_t i = 0, j = 0;
++ int dot = 0;
+ if (buf[i] != '[')
+ return 0;
+ for (i = 1; buf[i] && buf[i] != ']'; i++) {
+@@ -3542,6 +3543,7 @@ static int section_name_is_ok(const char *name)
+ return 1;
+ }
+
++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
+ /* if new_name == NULL, the section is removed instead */
+ static int git_config_copy_or_rename_section_in_file(const char
*config_filename,
+ const char *old_name,
+@@ -3551,11 +3553,12 @@ static int
git_config_copy_or_rename_section_in_file(const char *config_filename
+ char *filename_buf = NULL;
+ struct lock_file lock = LOCK_INIT;
+ int out_fd;
+- char buf[1024];
++ struct strbuf buf = STRBUF_INIT;
+ FILE *config_file = NULL;
+ struct stat st;
+ struct strbuf copystr = STRBUF_INIT;
+ struct config_store_data store;
++ uint32_t line_nr = 0;
+
+ memset(&store, 0, sizeof(store));
+
+@@ -3592,16 +3595,24 @@ static int
git_config_copy_or_rename_section_in_file(const
[oe-core][mickledore][PATCH 1/1] git: fix CVE-2023-29007
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8,
2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
`.gitmodules` file with submodule URLs that are longer than 1024 characters can
used
to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`.
This bug
can be used to inject arbitrary configuration into a user's `$GIT_DIR/config`
when
attempting to remove the configuration section associated with that submodule.
When the
attacker injects configuration values which specify executables to run (such as
`core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote
code
execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8,
2.34.8,
2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid
running
`git submodule deinit` on untrusted repositories or without prior inspection of
any
submodule sections in `$GIT_DIR/config`.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29007
Upstream patches:
https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8
https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a
https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d
https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a
Signed-off-by: Archana Polampalli
---
.../git/git/CVE-2023-29007.patch | 158 ++
meta/recipes-devtools/git/git_2.39.2.bb | 1 +
2 files changed, 159 insertions(+)
create mode 100644 meta/recipes-devtools/git/git/CVE-2023-29007.patch
diff --git a/meta/recipes-devtools/git/git/CVE-2023-29007.patch
b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
new file mode 100644
index 00..14b6933e96
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
@@ -0,0 +1,158 @@
+From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001
+From: Taylor Blau
+Date: Fri, 14 Apr 2023 11:46:59 -0400
+Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection'
+
+Avoids issues with renaming or deleting sections with long lines, where
+configuration values may be interpreted as sections, leading to
+configuration injection. Addresses CVE-2023-29007.
+
+* tb/config-copy-or-rename-in-file-injection:
+ config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
+ config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
+ config: avoid fixed-sized buffer when renaming/deleting a section
+ t1300: demonstrate failure when renaming sections with long lines
+
+Signed-off-by: Taylor Blau
+
+CVE: CVE-2023-29007
+Upstream-Status: Backport
[https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4]
+
+Signed-off-by: Archana Polampalli
+---
+ config.c | 34 +++---
+ t/t1300-config.sh | 31 +++
+ 2 files changed, 54 insertions(+), 11 deletions(-)
+
+diff --git a/config.c b/config.c
+index 27f3828..3c674a6 100644
+--- a/config.c
b/config.c
+@@ -3487,9 +3487,10 @@ void git_config_set_multivar(const char *key, const
char *value,
+ flags);
+ }
+
+-static int section_name_match (const char *buf, const char *name)
++static size_t section_name_match (const char *buf, const char *name)
+ {
+- int i = 0, j = 0, dot = 0;
++ size_t i = 0, j = 0;
++ int dot = 0;
+ if (buf[i] != '[')
+ return 0;
+ for (i = 1; buf[i] && buf[i] != ']'; i++) {
+@@ -3542,6 +3543,7 @@ static int section_name_is_ok(const char *name)
+ return 1;
+ }
+
++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
+ /* if new_name == NULL, the section is removed instead */
+ static int git_config_copy_or_rename_section_in_file(const char
*config_filename,
+ const char *old_name,
+@@ -3551,11 +3553,12 @@ static int
git_config_copy_or_rename_section_in_file(const char *config_filename
+ char *filename_buf = NULL;
+ struct lock_file lock = LOCK_INIT;
+ int out_fd;
+- char buf[1024];
++ struct strbuf buf = STRBUF_INIT;
+ FILE *config_file = NULL;
+ struct stat st;
+ struct strbuf copystr = STRBUF_INIT;
+ struct config_store_data store;
++ uint32_t line_nr = 0;
+
+ memset(&store, 0, sizeof(store));
+
+@@ -3592,16 +3595,24 @@ static int
git_config_copy_or_rename_section_in_file(const char *config_filename
+ goto out;
+ }
+
+- while (fgets(buf, sizeof(buf), config_file)) {
+- unsigned i;
+- int length;
++ while (!strbuf_getwholeline(&buf, config_file, '\n')) {
++ size_t i, length;
+ int is_section = 0;
+- char *output = buf;
+- for (i = 0; buf[i] && isspace(buf[i]); i++)
++ char *outp
