From beabc5a77d272977ff061b1dee878fc31b121028 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 21 2020 07:59:19 +0000
Subject: import git-1.8.3.1-22.el7_8
---
diff --git a/SOURCES/git-cve-2020-5260.patch b/SOURCES/git-cve-2020-5260.patch
new file mode 100644
index 0000000..b594ed2
--- /dev/null
+++ b/SOURCES/git-cve-2020-5260.patch
@@ -0,0 +1,26 @@
+diff -ur b/credential.c a/credential.c
+--- b/credential.c 2020-04-14 14:15:41.637223958 +0200
++++ a/credential.c 2020-04-14 14:59:03.325862182 +0200
+@@ -190,6 +190,8 @@
+ {
+ if (!value)
+ return;
++ if (strchr(value, '\n'))
++ die("credential value for %s contains newline", key);
+ fprintf(fp, "%s=%s\n", key, value);
+ }
+
+diff -ur b/t/t0300-credentials.sh a/t/t0300-credentials.sh
+--- b/t/t0300-credentials.sh 2020-04-14 14:15:41.569223126 +0200
++++ a/t/t0300-credentials.sh 2020-04-14 15:00:01.331571252 +0200
+@@ -289,4 +289,10 @@
+ EOF
+ '
+
++test_expect_success 'url parser rejects embedded newlines' '
++ test_must_fail git credential fill <<-\EOF
++ url=https://one.example.com?%0ahost=two.example.com/
++ EOF
++'
++
+ test_done
diff --git a/SPECS/git.spec b/SPECS/git.spec
index 3693555..dcc0194 100644
--- a/SPECS/git.spec
+++ b/SPECS/git.spec
@@ -25,7 +25,7 @@
 Name: git
 Version: 1.8.3.1
-Release: 21%{?dist}
+Release: 22%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
 Group: Development/Tools
@@ -69,6 +69,8 @@ Patch21: git-cve-2018-17456.patch
 Patch22: git-cve-2018-17456-tests.patch
 # https://repo.or.cz/git/debian.git/commit/392f99a5d2174e6124f829d034bac6755c33119d
 Patch23: git-cve-2019-1387.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1822020
+Patch24: git-cve-2020-5260.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
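Review bot: In the credential.c hunk of SOURCES/git-cve-2020-5260.patch, the added `strchr(value, '\n')` guard sits in the routine that writes `key=value` lines, not in URL parsing, although the new test is titled 'url parser rejects embedded newlines'; a decoded URL component carrying a newline is therefore rejected only at the moment a credential is serialized. If the parsed fields are consumed anywhere before that point (not visible in this hunk), they remain unchecked, so either add a matching rejection where the URL is decoded or rename the test to describe what it actually pins. The guard also carries no comment; `/* one key=value per line: a newline in value would be read as a new attribute */` above it would record why it exists. Only `value` is checked and `key` is not, which is fine only if every caller passes a literal key, something this hunk does not show. The enclosing function starts outside the hunk.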
@@ -324,6 +326,7 @@ Requires: gnome-keyring
 %patch21 -p1
 %patch22 -p1
 %patch23 -p1
+%patch24 -p1
 chmod a+x t/t0011-hashmap.sh t/t1307-config-blob.sh t/t4139-apply-escape.sh t/t7415-submodule-names.sh t/t7416-submodule-dash-url.sh t/t7417-submodule-path-url.sh
@@ -640,6 +643,15 @@ rm -rf %{buildroot}
 # No files for you!
 %changelog
+* Thu Apr 9 2020 Ondrej Pohorelsky - 1.8.3.1-22
+- Crafted URL containing new lines can cause credential leak
+- Resolves: CVE-2020-5260
+
+* Wed Dec 18 2019 Ondrej Pohorelsky - 1.8.3.1-21
+- Fix CVE-2019-1387: remote code execution in recursive clones with nested
+ submodules
+ Resolves: CVE-2019-1387
+
 * Fri Oct 19 2018 Pavel Cahyna - 1.8.3.1-20
 - Fix CVE-2018-17456: arbitrary code execution via .gitmodules
 Thanks to Jonathan Nieder for backporting to 2.1.x