diff --git a/SOURCES/git-2.18.1-core-crypto-hmac.patch b/SOURCES/git-2.18.1-core-crypto-hmac.patch
new file mode 100644
index 0000000..a1c8d7f
--- /dev/null
+++ b/SOURCES/git-2.18.1-core-crypto-hmac.patch
@@ -0,0 +1,70 @@ +diff -ru git-2.18.1/builtin/receive-pack.c git-2.18.1_patched/builtin/receive-pack.c +--- git-2.18.1/builtin/receive-pack.c 2018-09-27 22:44:44.000000000 +0200 ++++ git-2.18.1_patched/builtin/receive-pack.c 2019-06-11 11:19:52.887797134 +0200 +@@ -26,6 +26,8 @@ + #include "oidset.h" + #include "packfile.h" + #include "protocol.h" ++#include ++#include + + static const char * const receive_pack_usage[] = { + N_("git receive-pack "), +@@ -419,43 +421,11 @@ + + #define HMAC_BLOCK_SIZE 64 + +-static void hmac_sha1(unsigned char *out, ++static inline void hmac_sha1(unsigned char *out, + const char *key_in, size_t key_len, + const char *text, size_t text_len) + { +- unsigned char key[HMAC_BLOCK_SIZE]; +- unsigned char k_ipad[HMAC_BLOCK_SIZE]; +- unsigned char k_opad[HMAC_BLOCK_SIZE]; +- int i; +- git_SHA_CTX ctx; +- +- /* RFC 2104 2. (1) */ +- memset(key, '\0', HMAC_BLOCK_SIZE); +- if (HMAC_BLOCK_SIZE < key_len) { +- git_SHA1_Init(&ctx); +- git_SHA1_Update(&ctx, key_in, key_len); +- git_SHA1_Final(key, &ctx); +- } else { +- memcpy(key, key_in, key_len); +- } +- +- /* RFC 2104 2. (2) & (5) */ +- for (i = 0; i < sizeof(key); i++) { +- k_ipad[i] = key[i] ^ 0x36; +- k_opad[i] = key[i] ^ 0x5c; +- } +- +- /* RFC 2104 2. (3) & (4) */ +- git_SHA1_Init(&ctx); +- git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad)); +- git_SHA1_Update(&ctx, text, text_len); +- git_SHA1_Final(out, &ctx); +- +- /* RFC 2104 2. 
(6) & (7) */ +- git_SHA1_Init(&ctx); +- git_SHA1_Update(&ctx, k_opad, sizeof(k_opad)); +- git_SHA1_Update(&ctx, out, GIT_SHA1_RAWSZ); +- git_SHA1_Final(out, &ctx); ++ HMAC(EVP_sha1(), key_in, key_len, text, text_len, out, NULL); + } + + static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp) +diff -ru git-2.18.1/Makefile git-2.18.1_patched/Makefile +--- git-2.18.1/Makefile 2018-09-27 22:44:44.000000000 +0200 ++++ git-2.18.1_patched/Makefile 2019-06-10 17:28:26.137986964 +0200 +@@ -1721,6 +1721,8 @@ + BASIC_CFLAGS += -DHAVE_GETDELIM + endif + ++EXTLIBS += -lcrypto ++ + ifneq ($(PROCFS_EXECUTABLE_PATH),) + procfs_executable_path_SQ = $(subst ','\'',$(PROCFS_EXECUTABLE_PATH)) + BASIC_CFLAGS += '-DPROCFS_EXECUTABLE_PATH="$(procfs_executable_path_SQ)"' diff --git a/SPECS/git.spec b/SPECS/git.spec index 03b05d7..00698f8 100644 --- a/SPECS/git.spec +++ b/SPECS/git.spec @@ -103,7 +103,7 @@ Name: %{?scl_prefix}git Version: 2.18.1 -Release: 3%{?rcrev}%{?dist} +Release: 4%{?rcrev}%{?dist} Summary: Fast Version Control System License: GPLv2 URL: https://git-scm.com/ @@ -148,6 +148,8 @@ Patch5: 0001-config-document-value-2-for-protocol.version.patch # https://bugzilla.redhat.com/1653143 # https://github.com/git/git/commit/321fd82389.patch Patch7: 0001-run-command-mark-path-lookup-errors-with-ENOENT.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1619113 +Patch8: git-2.18.1-core-crypto-hmac.patch %if %{with docs} BuildRequires: asciidoc >= 8.4.1 @@ -492,6 +494,7 @@ cat << \EOF > config.mak V = 1 CFLAGS = %{optflags} LDFLAGS = %{__global_ldflags} +LIBS = ${LIBS} NEEDS_CRYPTO_WITH_SSL = 1 USE_LIBPCRE = 1 ETC_GITCONFIG = %{_sysconfdir}/gitconfig 
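Review bot: The return value of `HMAC()` is discarded in the rewritten `hmac_sha1()` in builtin/receive-pack.c, so if libcrypto refuses or fails the computation, `out` is left unwritten and the function still returns as if it had succeeded. The callers are outside this hunk, but the context line shows the function sitting directly above `prepare_push_cert_nonce()`, so an unset buffer would presumably end up in the push-certificate nonce. Since the function is void, fail hard instead: `if (!HMAC(EVP_sha1(), key_in, (int)key_len, (const unsigned char *)text, text_len, out, NULL)) die("HMAC-SHA1 failed");`. The casts make explicit that OpenSSL takes the key length as `int` and the data as `const unsigned char *`, where this function receives `size_t` and `const char *`. The Makefile part of the same patch adds `-lcrypto` unconditionally, which deserves a comment such as `# hmac_sha1() in builtin/receive-pack.c now requires libcrypto`, because a NO_OPENSSL build would no longer compile or link.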
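Review bot: `LIBS = ${LIBS}` in the config.mak heredoc is written out literally, because the delimiter is quoted (`cat << \EOF`) and the shell therefore does not expand it. Make then reads it as a recursively expanded variable that refers to itself, not as the value of LIBS from the build environment. Whether that is a silent no-op or a "recursive variable references itself" error depends on whether the Makefile reassigns LIBS after including config.mak, which is not visible in this hunk. The patch added by this commit already appends `-lcrypto` through `EXTLIBS`, so the line looks unnecessary; either drop it or add a comment in the spec stating what it is meant to pass through.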
@@ -958,6 +961,10 @@ make test || ./print-failed-test-output %{?with_docs:%{_pkgdocdir}/git-instaweb.html} %changelog +* Tue Jun 11 2019 Marcel Plch - 2.18.1-4 +- Use HMAC from libcrypto instead of git's implementation +- Resolves: rhbz#1619113 + * Tue Dec 11 2018 Pavel Cahyna - 2.18.1-3 - apply upstream run-command PATH fix (CVE-2018-19486) - config: document value 2 for protocol.version (upstream patch)