diff --git a/SOURCES/0001-http-control-GSSAPI-credential-delegation.patch b/SOURCES/0001-http-control-GSSAPI-credential-delegation.patch
new file mode 100644
index 0000000..ccec896
--- /dev/null
+++ b/SOURCES/0001-http-control-GSSAPI-credential-delegation.patch
@@ -0,0 +1,90 @@ +From 7dbd01e4815727ce46de0b5d6c2916fec9154196 Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Mon, 5 Dec 2016 16:49:09 +0100 +Subject: [PATCH] http: control GSSAPI credential delegation + +Delegation of credentials is disabled by default in libcurl since +version 7.21.7 due to security vulnerability CVE-2011-2192. Which +makes troubles with GSS/kerberos authentication when delegation +of credentials is required. This can be changed with option +CURLOPT_GSSAPI_DELEGATION in libcurl with set expected parameter +since libcurl version 7.22.0. + +This patch provides new configuration variable http.delegation +which corresponds to curl parameter "--delegation" (see man 1 curl). + +The following values are supported: + +* none (default). +* policy +* always +--- + http.c | 38 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +diff --git a/http.c b/http.c +index a1c7dcb..e7c77c0 100644 +--- a/http.c ++++ b/http.c +@@ -66,6 +66,19 @@ static struct curl_slist *no_pragma_header; + + static struct active_request_slot *active_queue_head; + ++#if LIBCURL_VERSION_NUM >= 0x071600 ++static const char *curl_deleg; ++static struct { ++ const char *name; ++ long curl_deleg_param; ++} curl_deleg_levels[] = { ++ { "none", CURLGSSAPI_DELEGATION_NONE }, ++ { "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG }, ++ { "always", CURLGSSAPI_DELEGATION_FLAG }, ++}; ++#endif ++ ++ + size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_) + { + size_t size = eltsize * nmemb; +@@ -169,6 +182,16 @@ static int http_options(const char *var, const char *value, void *cb) + curl_ssl_try = git_config_bool(var, value); + return 0; + } ++ ++ if (!strcmp("http.delegation", var)) { ++#if LIBCURL_VERSION_NUM >= 0x071600 ++ return git_config_string(&curl_deleg, var, value); ++#else ++ warning("Delegation control is not supported with cURL < 7.22.0"); ++ return 0; ++#endif ++ } ++ + if (!strcmp("http.minsessions", var)) { + min_curl_sessions = 
git_config_int(var, value); + #ifndef USE_CURL_MULTI +@@ -271,6 +294,21 @@ static CURL *get_curl_handle(void) + #ifdef LIBCURL_CAN_HANDLE_AUTH_ANY + curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY); + #endif ++#if LIBCURL_VERSION_NUM >= 0x071600 ++ if (curl_deleg) { ++ int i; ++ for (i = 0; i < ARRAY_SIZE(curl_deleg_levels); i++) { ++ if (!strcmp(curl_deleg, curl_deleg_levels[i].name)) { ++ curl_easy_setopt(result, CURLOPT_GSSAPI_DELEGATION, ++ curl_deleg_levels[i].curl_deleg_param); ++ break; ++ } ++ } ++ if (i == ARRAY_SIZE(curl_deleg_levels)) ++ warning("Unknown delegation method '%s': using default", ++ curl_deleg); ++ } ++#endif + + if (http_proactive_auth) + init_curl_http_auth(result); +-- +2.5.5 + diff --git a/SOURCES/0007-git-prompt.patch b/SOURCES/0007-git-prompt.patch new file mode 100644 index 0000000..a179403 --- /dev/null +++ b/SOURCES/0007-git-prompt.patch 
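Review bot: The new `http.delegation` variable is read in http_options but nothing documents it — the nested diffstat shows only http.c changing, so Documentation/config.txt gets no entry and the code never says that `policy` and `always` re-enable the credential forwarding libcurl turned off after CVE-2011-2192 (only the commit message does). A comment above the `curl_deleg_levels[]` table would carry that: `/* CURLOPT_GSSAPI_DELEGATION values for http.delegation; libcurl disables delegation by default since 7.21.7 (CVE-2011-2192), "policy" and "always" opt back in */`. In the get_curl_handle hunk the loop index `int i` is compared with `ARRAY_SIZE(curl_deleg_levels)`, which is a size_t, so `size_t i;` avoids the signed/unsigned comparison while keeping the `i == ARRAY_SIZE(...)` test below it valid. The enclosing http_options and get_curl_handle bodies continue outside the nested hunks.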
@@ -0,0 +1,53 @@ +From 7e546ae76da784185ba9515ed86e435ba17fdd65 Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Wed, 29 Mar 2017 13:08:28 +0200 +Subject: [PATCH] git-prompt.sh: don't put unsanitized branch names in $PS1 + +--- + contrib/completion/git-prompt.sh | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/contrib/completion/git-prompt.sh b/contrib/completion/git-prompt.sh +index eaf5c36..2c872e5 100644 +--- a/contrib/completion/git-prompt.sh ++++ b/contrib/completion/git-prompt.sh +@@ -360,8 +360,11 @@ __git_ps1 () + fi + + local f="$w$i$s$u" ++ b=${b##refs/heads/} + if [ $pcmode = yes ]; then + local gitstring= ++ __git_ps1_branch_name=$b ++ b="\${__git_ps1_branch_name}" + if [ -n "${GIT_PS1_SHOWCOLORHINTS-}" ]; then + local c_red='\e[31m' + local c_green='\e[32m' +@@ -371,7 +374,7 @@ __git_ps1 () + local ok_color=$c_green + local branch_color="$c_clear" + local flags_color="$c_lblue" +- local branchstring="$c${b##refs/heads/}" ++ local branchstring="$c$b" + + if [ $detached = no ]; then + branch_color="$ok_color" +@@ -400,13 +403,13 @@ __git_ps1 () + fi + gitstring="$gitstring\[$c_clear\]$r$p" + else +- gitstring="$c${b##refs/heads/}${f:+ $f}$r$p" ++ gitstring="$c$b${f:+ $f}$r$p" + fi + gitstring=$(printf -- "$printf_format" "$gitstring") + PS1="$ps1pc_start$gitstring$ps1pc_end" + else + # NO color option unless in PROMPT_COMMAND mode +- printf -- "$printf_format" "$c${b##refs/heads/}${f:+ $f}$r$p" ++ printf -- "$printf_format" "$c$b${f:+ $f}$r$p" + fi + fi + } +-- +2.5.5 + diff --git a/SOURCES/0008-Fix-CVE-2017-8386.patch b/SOURCES/0008-Fix-CVE-2017-8386.patch new file mode 100644 index 0000000..88b19e9 --- /dev/null +++ b/SOURCES/0008-Fix-CVE-2017-8386.patch 
@@ -0,0 +1,26 @@ +From 654dbd112ab7cbe0a162afaab645a971da62d433 Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Wed, 17 May 2017 11:37:01 +0200 +Subject: [PATCH] Fix CVE-2017-8386 + +See the commit 3ec804490 in upstream repository for more info. +--- + shell.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shell.c b/shell.c +index 1429870..72ed0fa 100644 +--- a/shell.c ++++ b/shell.c +@@ -13,7 +13,7 @@ static int do_generic_cmd(const char *me, char *arg) + const char *my_argv[4]; + + setup_path(); +- if (!arg || !(arg = sq_dequote(arg))) ++ if (!arg || !(arg = sq_dequote(arg)) || *arg == '-') + die("bad argument"); + if (prefixcmp(me, "git-")) + die("bad command"); +-- +2.9.4 + diff --git a/SPECS/git.spec b/SPECS/git.spec index 4488665..1c5d51d 100644 --- a/SPECS/git.spec +++ b/SPECS/git.spec @@ -51,7 +51,7 @@ Name: git Version: 1.8.3.1 -Release: 6%{?dist}.1 +Release: 11%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools @@ -83,8 +83,12 @@ Patch9: 0003-transport-refactor-protocol-whitelist-code.patch Patch10: 0004-http-limit-redirection-to-protocol-whitelist.patch Patch11: 0005-http-limit-redirection-depth.patch -#CVE +Patch13: 0001-http-control-GSSAPI-credential-delegation.patch + +# CVE Patch12: 0001-Fix-CVE-2016-2315-CVE-2016-2324.patch +Patch14: 0007-git-prompt.patch +Patch15: 0008-Fix-CVE-2017-8386.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -334,6 +338,9 @@ Requires: emacs-git = %{version}-%{release} %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 %if %{use_prebuilt_docs} mkdir -p prebuilt_docs/{html,man} 
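Review bot: `__git_ps1_branch_name=$b` is deliberately not `local` — PS1 is expanded after __git_ps1 has returned, so the variable must outlive the function — but nothing in the hunk says so, and a later cleanup could easily add `local` and reintroduce the literal branch text in PS1. Suggest `# not local: PS1 expands ${__git_ps1_branch_name} after __git_ps1 returns` above that assignment. The indirection also relies on bash expanding parameter references in PS1 at display time (the promptvars option, on by default); with it off the prompt would presumably show the literal reference rather than the branch name, which is worth a note beside the `b="\${__git_ps1_branch_name}"` line. The non-pcmode `printf` branch still emits the raw name, which is acceptable there because the result of a command substitution in PS1 is not expanded again. __git_ps1's body starts and ends outside the hunk.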
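Review bot: The added `*arg == '-'` test carries no comment, so a reader of shell.c cannot tell why a repository name beginning with a dash is a "bad argument"; presumably it is because the dequoted name becomes an argument of the spawned git command and a leading dash would be parsed as an option (the CVE-2017-8386 fix the subject names). Suggest `/* a leading '-' would be taken as an option by the spawned command (CVE-2017-8386) */` above the condition. Because the check runs on the `sq_dequote` result, a quoted `'-foo'` is rejected as well, which is the intended coverage and also worth stating in that comment. do_generic_cmd's body continues outside the hunk.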
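Review bot: `Patch13:` is placed above the `# CVE` comment while `Patch12:`, `Patch14:` and `Patch15:` sit below it, so the numbering no longer follows the grouping (13, 12, 14, 15) and the GSSAPI delegation patch reads as if it fell out of the CVE block by accident. Renumbering would also touch the `%patch13`–`%patch15` lines in the -334 hunk, so a one-line comment such as `# feature backports` above `Patch13:` is the cheaper way to make the split deliberate.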
@@ -659,9 +666,26 @@ rm -rf %{buildroot} # No files for you! %changelog -* Fri Mar 18 2016 Petr Stodulka - 1.8.3.1-6.1 +* Wed May 17 2017 Petr Stodulka - 1.8.3.1-11 +- dissalow repo names beginning with dash + Resolves: CVE-2017-8386 + +* Wed Mar 29 2017 Petr Stodulka -1.8.3.1-10 +- do not put unsanitized branch names in $PS1 + Resolves: CVE-2014-9938 + +* Fri Feb 24 2017 Petr Stodulka -1.8.3.1-9 +- add control of GSSAPI credential delegation to enable HTTP(S)-SSO + authentication + Resolves: #1369173 + +* Sat Mar 19 2016 Petr Stodulka - 1.8.3.1-8 +- remove needles check of xmalloc from previous patch + Resolves: #1318255 + +* Fri Mar 18 2016 Petr Stodulka - 1.8.3.1-7 - fix heap overflow CVE-2016-2315 CVE-2016-2324 - Resolves: #1318254 + Resolves: #1318255 * Wed Oct 28 2015 Petr Stodulka - 1.8.3.1-6 - fix arbitrary code execution via crafted URLs