diff --git a/CVE-2020-5260.patch b/CVE-2020-5260.patch new file mode 100644 index 0000000000000000000000000000000000000000..23e5f1e87839a64b11e8380af1922ce850d5051b --- /dev/null +++ b/CVE-2020-5260.patch @@ -0,0 +1,61 @@ +From 10372307c11d0128c40d730418d3776f1a959ce3 Mon Sep 17 00:00:00 2001 +From: Jeff King +Date: Wed, 11 Mar 2020 17:53:41 -0400 +Subject: [PATCH] credential: avoid writing values with newlines + +The credential protocol that we use to speak to helpers can't represent +values with newlines in them. This was an intentional design choice to +keep the protocol simple, since none of the values we pass should +generally have newlines. + +However, if we _do_ encounter a newline in a value, we blindly transmit +it in credential_write(). Such values may break the protocol syntax, or +worse, inject new valid lines into the protocol stream. + +The most likely way for a newline to end up in a credential struct is by +decoding a URL with a percent-encoded newline. However, since the bug +occurs at the moment we write the value to the protocol, we'll catch it +there. That should leave no possibility of accidentally missing a code +path that can trigger the problem. + +At this level of the code we have little choice but to die(). However, +since we'd not ever expect to see this case outside of a malicious URL, +that's an acceptable outcome. + +Reported-by: Felix Wilhelm +--- + credential.c | 2 ++ + t/t0300-credentials.sh | 6 ++++++ + 2 files changed, 8 insertions(+) + +diff --git a/credential.c b/credential.c +index 62be651..a79aff0 100644 +--- a/credential.c ++++ b/credential.c +@@ -195,6 +195,8 @@ static void credential_write_item(FILE *fp, const char *key, const char *value) + { + if (!value) + return; ++ if (strchr(value, '\n')) ++ die("credential value for %s contains newline", key); + fprintf(fp, "%s=%s\n", key, value); + } + +diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh +index 82eaaea..26f3c3a 100755 +--- a/t/t0300-credentials.sh ++++ b/t/t0300-credentials.sh +@@ -308,4 +308,10 @@ test_expect_success 'empty helper spec resets helper list' ' + EOF + ' + ++test_expect_success 'url parser rejects embedded newlines' ' ++ test_must_fail git credential fill <<-\EOF ++ url=https://one.example.com?%0ahost=two.example.com/ ++ EOF ++' ++ + test_done +-- +1.8.3.1 + diff --git a/git.spec b/git.spec index 3aa60f8bb65918708908155ef541cfd1a9b33f0b..5efd84512274f17c7910bf92cdf4e6daa123b3d3 100644 --- a/git.spec +++ b/git.spec @@ -1,7 +1,7 @@ %global gitexecdir %{_libexecdir}/git-core Name: git Version: 2.23.0 -Release: 14 +Release: 15 Summary: A popular and widely used Version Control System License: GPLv2+ or LGPLv2.1 URL: https://git-scm.com/ @@ -29,6 +29,7 @@ Patch13: CVE-2019-19604.patch # skip updating the gpg preference during running the test # suite, so we add this patch to skip the updating of preference Patch14: skip-updating-the-preference.patch +Patch15: CVE-2020-5260.patch BuildRequires: openssl-devel libcurl-devel expat-devel systemd asciidoc xmlto glib2-devel libsecret-devel pcre-devel desktop-file-utils BuildRequires: python3-devel perl-generators perl-interpreter perl-Error perl(Test::More) perl-MailTools perl(Test) gdb @@ -276,6 +277,12 @@ make test %{_mandir}/man7/git*.7.* %changelog +* Fri Apr 17 2020 openEuler Buildteam - 2.23.0-15 +- Type:cves +- ID:CVE-2020-5260 +- SUG:NA +- DESC:fix CVE-2020-5260 + * Wed Apr 15 2020 openEuler Buildteam - 2.23.0-14 - Type:bugfix - ID:NA