!15 fix CVE-2020-5260

Merge pull request !15 from Vchanger/master
2020-04-17 15:55:22 +08:00 · 2020-04-17 15:55:22 +08:00 · 2e0b71ce2b
commit 2e0b71ce2b
parent 106d08df45 e501be5aa2
2 changed files with 69 additions and 1 deletions
--- a/CVE-2020-5260.patch
+++ b/CVE-2020-5260.patch
@ -0,0 +1,61 @@
 From 10372307c11d0128c40d730418d3776f1a959ce3 Mon Sep 17 00:00:00 2001
 From: Jeff King <peff@peff.net>
 Date: Wed, 11 Mar 2020 17:53:41 -0400
 Subject: [PATCH] credential: avoid writing values with newlines
 The credential protocol that we use to speak to helpers can't represent
 values with newlines in them. This was an intentional design choice to
 keep the protocol simple, since none of the values we pass should
 generally have newlines.
 However, if we _do_ encounter a newline in a value, we blindly transmit
 it in credential_write(). Such values may break the protocol syntax, or
 worse, inject new valid lines into the protocol stream.
 The most likely way for a newline to end up in a credential struct is by
 decoding a URL with a percent-encoded newline. However, since the bug
 occurs at the moment we write the value to the protocol, we'll catch it
 there. That should leave no possibility of accidentally missing a code
 path that can trigger the problem.
 At this level of the code we have little choice but to die(). However,
 since we'd not ever expect to see this case outside of a malicious URL,
 that's an acceptable outcome.
 Reported-by: Felix Wilhelm <fwilhelm@google.com>
 ---
 credential.c           | 2 ++
 t/t0300-credentials.sh | 6 ++++++
 2 files changed, 8 insertions(+)
 diff --git a/credential.c b/credential.c
 index 62be651..a79aff0 100644
 --- a/credential.c
 +++ b/credential.c
@@ -195,6 +195,8 @@ static void credential_write_item(FILE *fp, const char *key, const char *value)
 {
 	if (!value)
 		return;
 +	if (strchr(value, '\n'))
 +		die("credential value for %s contains newline", key);
 	fprintf(fp, "%s=%s\n", key, value);
 }
 diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
 index 82eaaea..26f3c3a 100755
 --- a/t/t0300-credentials.sh
 +++ b/t/t0300-credentials.sh
@@ -308,4 +308,10 @@ test_expect_success 'empty helper spec resets helper list' '
 	EOF
 '
 +test_expect_success 'url parser rejects embedded newlines' '
 +	test_must_fail git credential fill <<-\EOF
 +	url=https://one.example.com?%0ahost=two.example.com/
 +	EOF
 +'
 +
 test_done
 -- 
 1.8.3.1
--- a/git.spec
+++ b/git.spec
@ -1,7 +1,7 @@
 %global gitexecdir          %{_libexecdir}/git-core
 Name:       git
 Version:    2.23.0
-Release:    14
+Release:    15
 Summary:    A popular and widely used Version Control System
 License:    GPLv2+ or LGPLv2.1
 URL:        https://git-scm.com/
@ -29,6 +29,7 @@ Patch13:    CVE-2019-19604.patch
 # skip updating the gpg preference during running the test
 # suite, so we add this patch to skip the updating of preference
 Patch14:    skip-updating-the-preference.patch
 Patch15:    CVE-2020-5260.patch
 BuildRequires: openssl-devel libcurl-devel expat-devel systemd asciidoc xmlto glib2-devel libsecret-devel pcre-devel desktop-file-utils
 BuildRequires: python3-devel perl-generators perl-interpreter perl-Error perl(Test::More) perl-MailTools perl(Test) gdb
@ -276,6 +277,12 @@ make test
 %{_mandir}/man7/git*.7.*
 %changelog
 * Fri Apr 17 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.23.0-15
 - Type:cves
 - ID:CVE-2020-5260
 - SUG:NA
 - DESC:fix CVE-2020-5260
 * Wed Apr 15 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.23.0-14
 - Type:bugfix
 - ID:NA