diff --git a/0004-backport-CVE-2024-52005.patch b/0004-backport-CVE-2024-52005.patch
new file mode 100644
index 0000000000000000000000000000000000000000..631fbbf51984a72e9c455df50f650d13366e4a78
--- /dev/null
+++ b/0004-backport-CVE-2024-52005.patch
@@ -0,0 +1,218 @@
+From 833c73801527b37d9bc725c81c6042ae350aaae3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Poho=C5=99elsk=C3=BD?=
+Date: Fri, 28 Mar 2025 13:26:29 +0100
+Subject: [PATCH] Adds the option to sanitize sideband channel messages
+
+CVE-2024-52005 wasn't fixed by upstream. This patch adds the option
+to harden Git against it.
+The default behaviour of Git remains unchanged.
+
+Changes are taken from Git for Windows. The only differences are that
+by default we are allowing all control characters, the documentation
+reflects it and one of the tests has to be invoked with a config
+change: `sideband.allowControlCharacters=color`
+
+These commits can also be seen in this upstream PR:
+https://github.com/gitgitgadget/git/pull/1853
+---
+ Documentation/config.txt | 2 +
+ Documentation/config/sideband.txt | 16 ++++++
+ sideband.c | 78 ++++++++++++++++++++++++++++-
+ t/t5409-colorize-remote-messages.sh | 30 +++++++++++
+ 4 files changed, 124 insertions(+), 2 deletions(-)
+ create mode 100644 Documentation/config/sideband.txt
+
+diff --git a/Documentation/config.txt b/Documentation/config.txt
+index 8c0b3ed807..48870bb588 100644
+--- a/Documentation/config.txt
++++ b/Documentation/config.txt
+@@ -522,6 +522,8 @@ include::config/sequencer.txt[]
+ 
+ include::config/showbranch.txt[]
+ 
++include::config/sideband.txt[]
++
+ include::config/sparse.txt[]
+ 
+ include::config/splitindex.txt[]
+diff --git a/Documentation/config/sideband.txt b/Documentation/config/sideband.txt
+new file mode 100644
+index 0000000000..1adc831667
+--- /dev/null
++++ b/Documentation/config/sideband.txt
+@@ -0,0 +1,16 @@
++sideband.allowControlCharacters::
++ By default, control characters that are delivered via the sideband
++ are NOT masked. Use this config setting to prevent potentially
++ unwanted ANSI escape sequences from being sent to the terminal:
+++
++--
++ color::
++ Allow ANSI color sequences, line feeds and horizontal tabs,
++ but mask all other control characters.
++ false::
++ Mask all control characters other than line feeds and
++ horizontal tabs.
++ true::
++ Allow all control characters to be sent to the terminal.
++ This is the default.
++--
+\ No newline at end of file
+diff --git a/sideband.c b/sideband.c
+index 02805573fa..7a0ca61948 100644
+--- a/sideband.c
++++ b/sideband.c
+@@ -25,6 +25,12 @@ static struct keyword_entry keywords[] = {
+ { "error", GIT_COLOR_BOLD_RED },
+ };
+ 
++static enum {
++ ALLOW_NO_CONTROL_CHARACTERS = 0,
++ ALLOW_ALL_CONTROL_CHARACTERS = 1,
++ ALLOW_ANSI_COLOR_SEQUENCES = 2
++} allow_control_characters = ALLOW_ALL_CONTROL_CHARACTERS;
++
+ /* Returns a color setting (GIT_COLOR_NEVER, etc). */
+ static int use_sideband_colors(void)
+ {
+@@ -38,6 +44,25 @@ static int use_sideband_colors(void)
+ if (use_sideband_colors_cached >= 0)
+ return use_sideband_colors_cached;
+ 
++ switch (git_config_get_maybe_bool("sideband.allowcontrolcharacters", &i)) {
++ case 0: /* Boolean value */
++ allow_control_characters = i ? ALLOW_ALL_CONTROL_CHARACTERS :
++ ALLOW_NO_CONTROL_CHARACTERS;
++ break;
++ case -1: /* non-Boolean value */
++ if (git_config_get_string_tmp("sideband.allowcontrolcharacters",
++ &value))
++ ; /* huh? `get_maybe_bool()` returned -1 */
++ else if (!strcmp(value, "color"))
++ allow_control_characters = ALLOW_ANSI_COLOR_SEQUENCES;
++ else
++ warning(_("unrecognized value for `sideband."
++ "allowControlCharacters`: '%s'"), value);
++ break;
++ default:
++ break; /* not configured */
++ }
++
+ if (!git_config_get_string_tmp(key, &value))
+ use_sideband_colors_cached = git_config_colorbool(key, value);
+ else if (!git_config_get_string_tmp("color.ui", &value))
+@@ -65,6 +90,55 @@ void list_config_color_sideband_slots(struct string_list *list, const char *pref
+ list_config_item(list, prefix, keywords[i].keyword);
+ }
+ 
++static int handle_ansi_color_sequence(struct strbuf *dest, const char *src, int n)
++{
++ int i;
++
++ /*
++ * Valid ANSI color sequences are of the form
++ *
++ * ESC [ [ [; ]*] m
++ */
++
++ if (allow_control_characters != ALLOW_ANSI_COLOR_SEQUENCES ||
++ n < 3 || src[0] != '\x1b' || src[1] != '[')
++ return 0;
++
++ for (i = 2; i < n; i++) {
++ if (src[i] == 'm') {
++ strbuf_add(dest, src, i + 1);
++ return i;
++ }
++ if (!isdigit(src[i]) && src[i] != ';')
++ break;
++ }
++
++ return 0;
++}
++
++static void strbuf_add_sanitized(struct strbuf *dest, const char *src, int n)
++{
++ int i;
++
++ if (allow_control_characters == ALLOW_ALL_CONTROL_CHARACTERS) {
++ strbuf_add(dest, src, n);
++ return;
++ }
++
++ strbuf_grow(dest, n);
++ for (; n && *src; src++, n--) {
++ if (!iscntrl(*src) || *src == '\t' || *src == '\n')
++ strbuf_addch(dest, *src);
++ else if ((i = handle_ansi_color_sequence(dest, src, n))) {
++ src += i;
++ n -= i;
++ } else {
++ strbuf_addch(dest, '^');
++ strbuf_addch(dest, 0x40 + *src);
++ }
++ }
++}
++
+ /*
+ * Optionally highlight one keyword in remote output if it appears at the start
+ * of the line. This should be called for a single line only, which is
+@@ -80,7 +154,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
+ int i;
+ 
+ if (!want_color_stderr(use_sideband_colors())) {
+- strbuf_add(dest, src, n);
++ strbuf_add_sanitized(dest, src, n);
+ return;
+ }
+ 
+@@ -113,7 +187,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
+ }
+ }
+ 
+- strbuf_add(dest, src, n);
++ strbuf_add_sanitized(dest, src, n);
+ }
+ 
+ 
+diff --git a/t/t5409-colorize-remote-messages.sh b/t/t5409-colorize-remote-messages.sh
+index 516b22fd96..48f8413eff 100755
+--- a/t/t5409-colorize-remote-messages.sh
++++ b/t/t5409-colorize-remote-messages.sh
+@@ -99,4 +99,34 @@ test_expect_success 'fallback to color.ui' '
+ grep "error: error" decoded
+ '
+ 
++test_expect_success 'disallow (color) control sequences in sideband' '
++ write_script .git/color-me-surprised <<-\EOF &&
++ printf "error: Have you \\033[31mread\\033[m this?\\a\\n" >&2
++ exec "$@"
++ EOF
++ test_config_global uploadPack.packObjectshook ./color-me-surprised &&
++ test_commit need-at-least-one-commit &&
++ git -c sideband.allowControlCharacters=color \
++ clone --no-local . throw-away 2>stderr &&
++ test_decode_color decoded &&
++ test_grep RED decoded &&
++ test_grep "\\^G" stderr &&
++ tr -dc "\\007" actual &&
++ test_must_be_empty actual &&
++
++ rm -rf throw-away &&
++ git -c sideband.allowControlCharacters=false \
++ clone --no-local . throw-away 2>stderr &&
++ test_decode_color decoded &&
++ test_grep ! RED decoded &&
++ test_grep "\\^G" stderr &&
++
++ rm -rf throw-away &&
++ git -c sideband.allowControlCharacters clone --no-local . throw-away 2>stderr &&
++ test_decode_color decoded &&
++ test_grep RED decoded &&
++ tr -dc "\\007" actual &&
++ test_file_not_empty actual
++'
++
+ test_done
+--
+2.49.0
diff --git a/git.spec b/git.spec
index 23ac7223628ca92adba849850375a41444be020f..3a9a631fa4d7e0da4705dfd5df3918997aebce27 100644
--- a/git.spec
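Review bot: In `strbuf_add_sanitized` the masking fallback `strbuf_addch(dest, 0x40 + *src);` is only correct for bytes 0x00–0x1f: DEL (0x7f) satisfies `iscntrl()` and is emitted as `^` followed by the non-ASCII byte 0xbf instead of the conventional `^?`, and if the `iscntrl` in scope classifies bytes ≥ 0x80 as control on a signed-`char` build (the hunk does not show whether git's own ctype macros apply here) the result is an arbitrary byte rather than a masked one. `strbuf_addch(dest, *src == 0x7f ? '?' : 0x40 + (*src & 0x1f));` keeps every masked byte printable. Separately, the loop condition `for (; n && *src; src++, n--)` stops at an embedded NUL, so with masking enabled the remainder of the `n` bytes is silently dropped where the unsanitized `strbuf_add(dest, src, n)` branch copies them all; `for (; n; src++, n--)` lets NUL be rendered as `^@` like any other control byte. Both call sites are in `maybe_colorize_sideband`, whose body continues outside the hunks.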
+++ b/git.spec @@ -1,4 +1,4 @@ -%define anolis_release 3 +%define anolis_release 4 %bcond_without docs %bcond_with linkcheck @@ -44,6 +44,8 @@ Patch3: 0003-t-lib-git-svn-try-harder-to-find-a-port.patch Patch4: git-test-apache-davlockdbtype-config.patch #Upstream https://github.com/git/git/commit/9de345cb273cc7faaeda279c7e07149d8a15a319 Patch5: 0005-bug-fix-CVE-2025-48386-avoid-buffer-overflow-in-wcsncat.patch +# https://github.com/gitgitgadget/git/pull/1853 +Patch6: 0004-backport-CVE-2024-52005.patch %if %{with docs} BuildRequires: /usr/bin/pod2man @@ -697,6 +699,9 @@ rmdir --ignore-fail-on-non-empty "$testdir" %changelog +* Thu Jul 10 2025 wenxin - 2.47.1-4 +- Add patch to fix CVE-2024-52005 + * Wed Jul 09 2025 yangjinlin01 - 2.47.1-3 - fix CVE-2025-48386
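Review bot: The `Patch6:` line wires in a patch whose own description (visible above) states that the default remains allowing all control characters, so after this change the package still passes remote escape sequences to the terminal unless users set `sideband.allowControlCharacters`; the changelog entry `- Add patch to fix CVE-2024-52005` overstates this and should read something like `- Add opt-in mitigation for CVE-2024-52005 (sideband.allowControlCharacters)`, or the package should ship that setting in the system gitconfig so it is protected by default. The file is named `0004-…` but registered as `Patch6` after `Patch5`; renaming it `0006-backport-CVE-2024-52005.patch` keeps the numbering consistent. If the spec applies patches with explicit `%patchN` macros rather than `%autosetup`, a matching apply line is also needed; the `%prep` section is not in the hunk, so I cannot tell which is used.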