!15 fix CVE-2020-5260

Merge pull request !15 from Vchanger/master
2020-04-17 15:55:22 +08:00 · 2020-04-17 15:55:22 +08:00 · 2e0b71ce2b
commit 2e0b71ce2b
parent 106d08df45 e501be5aa2
2 changed files with 69 additions and 1 deletions
--- a/CVE-2020-5260.patch
+++ b/CVE-2020-5260.patch
@ -0,0 +1,61 @@
+From 10372307c11d0128c40d730418d3776f1a959ce3 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Wed, 11 Mar 2020 17:53:41 -0400
+Subject: [PATCH] credential: avoid writing values with newlines
+
+The credential protocol that we use to speak to helpers can't represent
+values with newlines in them. This was an intentional design choice to
+keep the protocol simple, since none of the values we pass should
+generally have newlines.
+
+However, if we _do_ encounter a newline in a value, we blindly transmit
+it in credential_write(). Such values may break the protocol syntax, or
+worse, inject new valid lines into the protocol stream.
+
+The most likely way for a newline to end up in a credential struct is by
+decoding a URL with a percent-encoded newline. However, since the bug
+occurs at the moment we write the value to the protocol, we'll catch it
+there. That should leave no possibility of accidentally missing a code
+path that can trigger the problem.
+
+At this level of the code we have little choice but to die(). However,
+since we'd not ever expect to see this case outside of a malicious URL,
+that's an acceptable outcome.
+
+Reported-by: Felix Wilhelm <fwilhelm@google.com>
+---
+ credential.c           | 2 ++
+ t/t0300-credentials.sh | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/credential.c b/credential.c
+index 62be651..a79aff0 100644
+--- a/credential.c
+++ b/credential.c
+@@ -195,6 +195,8 @@ static void credential_write_item(FILE *fp, const char *key, const char *value)
+ {
+ 	if (!value)
+ 		return;
+	if (strchr(value, '\n'))
+		die("credential value for %s contains newline", key);
+ 	fprintf(fp, "%s=%s\n", key, value);
+ }
+ 
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index 82eaaea..26f3c3a 100755
+--- a/t/t0300-credentials.sh
+++ b/t/t0300-credentials.sh
+@@ -308,4 +308,10 @@ test_expect_success 'empty helper spec resets helper list' '
+ 	EOF
+ '
+ 
+test_expect_success 'url parser rejects embedded newlines' '
+	test_must_fail git credential fill <<-\EOF
+	url=https://one.example.com?%0ahost=two.example.com/
+	EOF
+'
+
+ test_done
+-- 
+1.8.3.1
+
--- a/git.spec
+++ b/git.spec
@ -1,7 +1,7 @@
 %global gitexecdir          %{_libexecdir}/git-core
 Name:       git
 Version:    2.23.0
-Release:    14
+Release:    15
 Summary:    A popular and widely used Version Control System
 License:    GPLv2+ or LGPLv2.1
 URL:        https://git-scm.com/
@ -29,6 +29,7 @@ Patch13:    CVE-2019-19604.patch
 # skip updating the gpg preference during running the test
 # suite, so we add this patch to skip the updating of preference
 Patch14:    skip-updating-the-preference.patch
+Patch15:    CVE-2020-5260.patch

 BuildRequires: openssl-devel libcurl-devel expat-devel systemd asciidoc xmlto glib2-devel libsecret-devel pcre-devel desktop-file-utils
 BuildRequires: python3-devel perl-generators perl-interpreter perl-Error perl(Test::More) perl-MailTools perl(Test) gdb
@ -276,6 +277,12 @@ make test
 %{_mandir}/man7/git*.7.*

 %changelog
+* Fri Apr 17 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.23.0-15
+- Type:cves
+- ID:CVE-2020-5260
+- SUG:NA
+- DESC:fix CVE-2020-5260
+
 * Wed Apr 15 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.23.0-14
 - Type:bugfix
 - ID:NA