diff --git a/SOURCES/git-cve-2017-1000117.patch b/SOURCES/git-cve-2017-1000117.patch new file mode 100644 index 0000000..ccdfa9c --- /dev/null +++ b/SOURCES/git-cve-2017-1000117.patch @@ -0,0 +1,85 @@ +diff --git a/cache.h b/cache.h +index 94ca1ac..2ab9ffd 100644 +--- a/cache.h ++++ b/cache.h +@@ -744,6 +744,14 @@ char *strip_path_suffix(const char *path, const char *suffix); + int daemon_avoid_alias(const char *path); + int offset_1st_component(const char *path); + ++/* ++ * Returns true iff "str" could be confused as a command-line option when ++ * passed to a sub-program like "ssh". Note that this has nothing to do with ++ * shell-quoting, which should be handled separately; we're assuming here that ++ * the string makes it verbatim to the sub-program. ++ */ ++int looks_like_command_line_option(const char *str); ++ + /* object replacement */ + #define READ_SHA1_FILE_REPLACE 1 + extern void *read_sha1_file_extended(const unsigned char *sha1, enum object_type *type, unsigned long *size, unsigned flag); +diff --git a/connect.c b/connect.c +index 6d4ea13..970f565 100644 +--- a/connect.c ++++ b/connect.c +@@ -450,6 +450,11 @@ static struct child_process *git_proxy_connect(int fd[2], char *host) + + get_host_and_port(&host, &port); + ++ if (looks_like_command_line_option(host)) ++ die("strange hostname '%s' blocked", host); ++ if (looks_like_command_line_option(port)) ++ die("strange port '%s' blocked", port); ++ + argv = xmalloc(sizeof(*argv) * 4); + argv[0] = git_proxy_command; + argv[1] = host; +@@ -613,6 +618,10 @@ struct child_process *git_connect(int fd[2], const char *url_orig, + + conn = xcalloc(1, sizeof(*conn)); + ++ if (looks_like_command_line_option(path)) ++ die("strange pathname '%s' blocked", path); ++ ++ + strbuf_init(&cmd, MAX_CMD_LEN); + strbuf_addstr(&cmd, prog); + strbuf_addch(&cmd, ' '); +@@ -626,6 +635,10 @@ struct child_process *git_connect(int fd[2], const char *url_orig, + const char *ssh = getenv("GIT_SSH"); + int putty = ssh && strcasestr(ssh, "plink"); + transport_check_allowed("ssh"); ++ if (looks_like_command_line_option(host)) ++ die("strange hostname '%s' blocked", host); ++ ++ + if (!ssh) ssh = "ssh"; + + *arg++ = ssh; +diff --git a/path.c b/path.c +index 04ff148..713d79b 100644 +--- a/path.c ++++ b/path.c +@@ -701,3 +701,9 @@ int offset_1st_component(const char *path) + return 2 + is_dir_sep(path[2]); + return is_dir_sep(path[0]); + } ++ ++int looks_like_command_line_option(const char *str) ++{ ++ return str && str[0] == '-'; ++} ++ +diff --git a/t/t5532-fetch-proxy.sh b/t/t5532-fetch-proxy.sh +index 5531bd1..d3b2651 100755 +--- a/t/t5532-fetch-proxy.sh ++++ b/t/t5532-fetch-proxy.sh +@@ -40,4 +40,9 @@ test_expect_success 'fetch through proxy works' ' + test_cmp expect actual + ' + ++test_expect_success 'funny hostnames are rejected before running proxy' ' ++ test_must_fail git fetch git://-remote/repo.git 2>stderr && ++ ! grep "proxying for" stderr ++' ++ + test_done diff --git a/SPECS/git.spec b/SPECS/git.spec index 1c5d51d..b63df43 100644 --- a/SPECS/git.spec +++ b/SPECS/git.spec @@ -51,7 +51,7 @@ Name: git Version: 1.8.3.1 -Release: 11%{?dist} +Release: 12%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools @@ -89,6 +89,7 @@ Patch13: 0001-http-control-GSSAPI-credential-delegation.patch Patch12: 0001-Fix-CVE-2016-2315-CVE-2016-2324.patch Patch14: 0007-git-prompt.patch Patch15: 0008-Fix-CVE-2017-8386.patch +Patch16: git-cve-2017-1000117.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -341,6 +342,7 @@ Requires: emacs-git = %{version}-%{release} %patch13 -p1 %patch14 -p1 %patch15 -p1 +%patch16 -p1 %if %{use_prebuilt_docs} mkdir -p prebuilt_docs/{html,man} @@ -666,6 +668,10 @@ rm -rf %{buildroot} # No files for you! %changelog +* Fri Aug 11 2017 Petr Stodulka - 1.8.3.1-12 +- prevent command injection via malicious ssh URLs + Resolves: CVE-2017-1000117 + * Wed May 17 2017 Petr Stodulka - 1.8.3.1-11 - dissalow repo names beginning with dash Resolves: CVE-2017-8386