From ef8e995e19313504af00c2939abfe69cddcf7217 Mon Sep 17 00:00:00 2001 From: Ondrej Oprala Date: Fri, 11 Jul 2014 13:27:10 +0200 Subject: [PATCH 01/11] 2.0.1 --- git.spec | 7 +++++-- sources | 6 +++--- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/git.spec b/git.spec index 90bf583..372b789 100644 --- a/git.spec +++ b/git.spec @@ -43,8 +43,8 @@ %endif Name: git -Version: 2.0.0 -Release: 4%{?dist} +Version: 2.0.1 +Release: 1%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools @@ -633,6 +633,9 @@ rm -rf %{buildroot} # No files for you! %changelog +* Fri Jul 11 2014 Ondrej Oprala - 2.0.0-4 - Change source URLs, as googlecode doesn't have up-to-date tarballs diff --git a/sources b/sources index 4804aac..81cbd0c 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -a461ea86f5d655e449a3356ac7eb71ec git-2.0.0.tar.gz -da88525f56a76b2e5b7249361eaf7073 git-htmldocs-2.0.0.tar.gz -0285283ceff06249c249fad8e77860d4 git-manpages-2.0.0.tar.gz +981f5937840716cb563be1cc6292c8d7 git-2.0.1.tar.gz +e7d89f0d6c1eedf2e1a477abcab693fa git-htmldocs-2.0.1.tar.gz +b36a03d806207ebd38913fcc4e8053a6 git-manpages-2.0.1.tar.gz From 07865e844f8eea59936c8a004e18f569cb9f1909 Mon Sep 17 00:00:00 2001 From: Ondrej Oprala Date: Mon, 28 Jul 2014 11:13:04 +0200 Subject: [PATCH 02/11] 2.0.3 --- git.spec | 5 ++++- sources | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/git.spec b/git.spec index 372b789..3250671 100644 --- a/git.spec +++ b/git.spec @@ -43,7 +43,7 @@ %endif Name: git -Version: 2.0.1 +Version: 2.0.3 Release: 1%{?dist} Summary: Fast Version Control System License: GPLv2 @@ -633,6 +633,9 @@ rm -rf %{buildroot} # No files for you! %changelog +* Mon Jul 28 2014 Ondrej Oprala Date: Thu, 31 Jul 2014 08:23:28 +0200 Subject: [PATCH 03/11] 2.0.4 --- git.spec | 5 ++++- sources | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/git.spec b/git.spec index 3250671..76ffedf 100644 --- a/git.spec +++ b/git.spec 
@@ -43,7 +43,7 @@ %endif Name: git -Version: 2.0.3 +Version: 2.0.4 Release: 1%{?dist} Summary: Fast Version Control System License: GPLv2 @@ -633,6 +633,9 @@ rm -rf %{buildroot} # No files for you! %changelog +* Thu Jul 31 2014 Ondrej Oprala Date: Sat, 16 Aug 2014 16:30:53 +0000 Subject: [PATCH 04/11] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild --- git.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/git.spec b/git.spec index 76ffedf..e92bfaf 100644 --- a/git.spec +++ b/git.spec @@ -44,7 +44,7 @@ Name: git Version: 2.0.4 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools @@ -633,6 +633,9 @@ rm -rf %{buildroot} # No files for you! %changelog +* Sat Aug 16 2014 Fedora Release Engineering - 2.0.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + * Thu Jul 31 2014 Ondrej Oprala Date: Mon, 18 Aug 2014 10:52:36 +0200 Subject: [PATCH 05/11] 2.1.0 --- ...Use-gitexecdir-instead-of-libexecdir.patch | 44 ------------------- git.spec | 9 ++-- sources | 6 +-- 3 files changed, 8 insertions(+), 51 deletions(-) delete mode 100644 0001-git-subtree-Use-gitexecdir-instead-of-libexecdir.patch diff --git a/0001-git-subtree-Use-gitexecdir-instead-of-libexecdir.patch b/0001-git-subtree-Use-gitexecdir-instead-of-libexecdir.patch deleted file mode 100644 index 421710c..0000000 --- a/0001-git-subtree-Use-gitexecdir-instead-of-libexecdir.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From a906459c2a89938e911f1650e6ce22315a1ec84d Mon Sep 17 00:00:00 2001 -From: Todd Zullinger -Date: Fri, 4 Jan 2013 11:54:21 -0500 -Subject: [PATCH] git-subtree: Use gitexecdir instead of libexecdir - -When the git subtree Makefile includes config.mak from the toplevel, -it's useful to have the same variables set globally applied. Using -gitexecdir instead of libexecdir respects the global settings more -consistently. - -Remove the unused gitdir variable as well. ---- - contrib/subtree/Makefile | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/contrib/subtree/Makefile b/contrib/subtree/Makefile -index 435b2de..dc8da19 100644 ---- a/contrib/subtree/Makefile -+++ b/contrib/subtree/Makefile -@@ -2,9 +2,8 @@ - -include ../../config.mak - - prefix ?= /usr/local -+gitexecdir ?= $(prefix)/libexec/git-core - mandir ?= $(prefix)/share/man --libexecdir ?= $(prefix)/libexec/git-core --gitdir ?= $(shell git --exec-path) - man1dir ?= $(mandir)/man1 - - gitver ?= $(word 3,$(shell git --version)) -@@ -30,8 +29,8 @@ $(GIT_SUBTREE): $(GIT_SUBTREE_SH) - doc: $(GIT_SUBTREE_DOC) $(GIT_SUBTREE_HTML) - - install: $(GIT_SUBTREE) -- $(INSTALL) -d -m 755 $(DESTDIR)$(libexecdir) -- $(INSTALL) -m 755 $(GIT_SUBTREE) $(DESTDIR)$(libexecdir) -+ $(INSTALL) -d -m 755 $(DESTDIR)$(gitexecdir) -+ $(INSTALL) -m 755 $(GIT_SUBTREE) $(DESTDIR)$(gitexecdir) - - install-doc: install-man - --- -1.8.3.1 - diff --git a/git.spec b/git.spec index e92bfaf..4a3e5c9 100644 --- a/git.spec +++ b/git.spec @@ -43,8 +43,8 @@ %endif Name: git -Version: 2.0.4 -Release: 2%{?dist} +Version: 2.1.0 +Release: 1%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools 
@@ -64,7 +64,6 @@ Patch0: git-1.8-gitweb-home-link.patch Patch1: git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch # https://bugzilla.redhat.com/600411 Patch3: git-1.7-el5-emacs-support.patch -Patch5: 0001-git-subtree-Use-gitexecdir-instead-of-libexecdir.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -308,7 +307,6 @@ Requires: emacs-git = %{version}-%{release} %if %{emacs_old} %patch3 -p1 %endif -%patch5 -p1 %if %{use_prebuilt_docs} mkdir -p prebuilt_docs/{html,man} @@ -633,6 +631,9 @@ rm -rf %{buildroot} # No files for you! %changelog +* Mon Aug 18 2014 Ondrej Oprala - 2.0.4-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild diff --git a/sources b/sources index 19b7d94..a89bf55 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -f072436581ac0c0e9660a0637fd3ae2c git-2.0.4.tar.gz -63361c7aa7424d47b8ccdff09fafe1ba git-htmldocs-2.0.4.tar.gz -b256562b05242250df07f6a91e0887a2 git-manpages-2.0.4.tar.gz +40f059350019ff1f0763b315d0ca5c2e git-2.1.0.tar.gz +920860531676844a232589b21c1fba35 git-htmldocs-2.1.0.tar.gz +3a0745e8302a904c8359e8a5da594cc9 git-manpages-2.1.0.tar.gz From b8d9224e0350964a64067f8760ad0dc12fa211db Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 24 Oct 2014 13:14:45 +0200 Subject: [PATCH 06/11] Rename git.service into git@.service and bump release Conflicts: git.spec --- git.service | 9 --------- git.spec | 16 ++++++++++------ git@.service | 8 ++++++++ 3 files changed, 18 insertions(+), 15 deletions(-) delete mode 100644 git.service create mode 100644 git@.service diff --git a/git.service b/git.service deleted file mode 100644 index 07cbe6e..0000000 --- a/git.service +++ /dev/null @@ -1,9 +0,0 @@ -[Unit] -Description=Git Repositories Server Daemon -Documentation=man:git-daemon(1) -Wants=git.socket - -[Service] -User=nobody -ExecStart=/usr/libexec/git-core/git-daemon --base-path=/var/lib/git --export-all --user-path=public_git --syslog --inetd --verbose -StandardInput=socket 
diff --git a/git.spec b/git.spec index 4a3e5c9..cd82651 100644 --- a/git.spec +++ b/git.spec @@ -44,7 +44,7 @@ Name: git Version: 2.1.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools @@ -57,7 +57,7 @@ Source5: git-gui.desktop Source6: gitweb.conf.in Source10: http://www.kernel.org/pub/software/scm/git/%{name}-manpages-%{version}.tar.gz Source11: http://www.kernel.org/pub/software/scm/git/%{name}-htmldocs-%{version}.tar.gz -Source12: git.service +Source12: git@.service Source13: git.socket Patch0: git-1.8-gitweb-home-link.patch # https://bugzilla.redhat.com/490602 @@ -511,13 +511,13 @@ rm -rf %{buildroot} %if %{use_systemd} %post daemon -%systemd_post git.service +%systemd_post git@.service %preun daemon -%systemd_preun git.service +%systemd_preun git@.service %postun daemon -%systemd_postun_with_restart git.service +%systemd_postun_with_restart git@.service %endif %files -f bin-man-doc-files @@ -610,7 +610,7 @@ rm -rf %{buildroot} %doc Documentation/*daemon*.txt %if %{use_systemd} %{_unitdir}/git.socket -%{_unitdir}/git.service +%{_unitdir}/git@.service %else %config(noreplace)%{_sysconfdir}/xinetd.d/git %endif @@ -631,6 +631,10 @@ rm -rf %{buildroot} # No files for you! %changelog +* Sat Oct 25 2014 Pierre-Yves Chibon - 2.1.0-2 +- Rename the git.service into git@.service fixing + https://bugzilla.redhat.com/980574 + * Mon Aug 18 2014 Ondrej Oprala Date: Fri, 28 Nov 2014 14:30:23 +0100 Subject: [PATCH 07/11] removed git-bzr from specfile - it's replaced by separate package git-removet-bzr --- git.spec | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/git.spec b/git.spec index cd82651..6e8c9e9 100644 --- a/git.spec +++ b/git.spec 
@@ -462,8 +462,9 @@ perl -p \ %{SOURCE3} > %{buildroot}%{_sysconfdir}/xinetd.d/git %endif -# Install bzr and hg remote helpers from contrib -install -pm 755 contrib/remote-helpers/git-remote-{bzr,hg} %{buildroot}%{gitcoredir} +# Install and hg remote helpers from contrib +# removed bzr +install -pm 755 contrib/remote-helpers/git-remote-hg %{buildroot}%{gitcoredir} # Setup bash completion mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d @@ -528,9 +529,10 @@ rm -rf %{buildroot} %{!?_without_docs: %doc Documentation/howto Documentation/technical} %{_sysconfdir}/bash_completion.d -%files bzr -%defattr(-,root,root) -%{gitcoredir}/git-remote-bzr +#git-bzr removed from this package and replaced by git-remote-bzr +#%files bzr +#%defattr(-,root,root) +#%{gitcoredir}/git-remote-bzr %files hg %defattr(-,root,root) @@ -631,6 +633,10 @@ rm -rf %{buildroot} # No files for you! %changelog +* Thu Nov 27 2014 Petr Stodulka - 2.1.0-3 +- removed git-bzr (not functional already) -> replaced by separated + package git-remote-bzr + * Sat Oct 25 2014 Pierre-Yves Chibon - 2.1.0-2 - Rename the git.service into git@.service fixing https://bugzilla.redhat.com/980574 From 795453ccefefd87a02eb1f5d872dc2a7f5c6fb58 Mon Sep 17 00:00:00 2001 From: Petr Stodulka Date: Fri, 28 Nov 2014 14:36:36 +0100 Subject: [PATCH 08/11] bump release --- git.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/git.spec b/git.spec index 6e8c9e9..595ccd2 100644 --- a/git.spec +++ b/git.spec @@ -44,7 +44,7 @@ Name: git Version: 2.1.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools From b9eec7763a4a3ed55fd6d4e1341bcbead1888835 Mon Sep 17 00:00:00 2001 From: Petr Stodulka Date: Thu, 11 Dec 2014 13:10:56 +0100 Subject: [PATCH 09/11] removed subpackage git-hg which is replaced by git-remote-hg --- git.spec | 28 ++++++---------------------- 1 file changed, 6 insertions(+), 22 deletions(-) 
diff --git a/git.spec b/git.spec index 595ccd2..15785ac 100644 --- a/git.spec +++ b/git.spec @@ -44,7 +44,7 @@ Name: git Version: 2.1.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools @@ -174,18 +174,6 @@ Requires: git = %{version}-%{release} %description -n gitweb Simple web interface to track changes in git repositories -%package hg -Summary: Git tools for working with mercurial repositories -Group: Development/Tools -%if %{noarch_sub} -BuildArch: noarch -%endif -Requires: git = %{version}-%{release} -Requires: mercurial >= 1.8 - -%description hg -%{summary}. - %package p4 Summary: Git tools for working with Perforce depots Group: Development/Tools @@ -462,10 +450,6 @@ perl -p \ %{SOURCE3} > %{buildroot}%{_sysconfdir}/xinetd.d/git %endif -# Install and hg remote helpers from contrib -# removed bzr -install -pm 755 contrib/remote-helpers/git-remote-hg %{buildroot}%{gitcoredir} - # Setup bash completion mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d install -pm 644 contrib/completion/git-completion.bash %{buildroot}%{_sysconfdir}/bash_completion.d/git @@ -534,10 +518,6 @@ rm -rf %{buildroot} #%defattr(-,root,root) #%{gitcoredir}/git-remote-bzr -%files hg -%defattr(-,root,root) -%{gitcoredir}/git-remote-hg - %files p4 %defattr(-,root,root) %{gitcoredir}/*p4* @@ -633,8 +613,12 @@ rm -rf %{buildroot} # No files for you! %changelog +* Thu Dec 11 2014 Petr Stodulka - 2.1.0-4 +- removed subpackage git-hg (not functional already) -> replaced by separated + package git-remote-hg + * Thu Nov 27 2014 Petr Stodulka - 2.1.0-3 -- removed git-bzr (not functional already) -> replaced by separated +- removed subpackage git-bzr (not functional already) -> replaced by separated package git-remote-bzr * Sat Oct 25 2014 Pierre-Yves Chibon - 2.1.0-2 From 78b4ba2b20bd6e52b7437f3fe113d14d5d861373 Mon Sep 17 00:00:00 2001 
From: Petr Stodulka Date: Mon, 22 Jun 2015 20:21:41 +0200 Subject: [PATCH 10/11] fix inifinite loop due to broken symlink and new requires in git-svn
---
 git-infinite-loop.patch | 39 +++++++++++++++++++++++++++++++++++++++
 git.spec | 12 +++++++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 git-infinite-loop.patch
diff --git a/git-infinite-loop.patch b/git-infinite-loop.patch
new file mode 100644
index 0000000..0eae28f
--- /dev/null
+++ b/git-infinite-loop.patch
@@ -0,0 +1,39 @@
+diff --git a/refs.c b/refs.c
+index 67d6745..ddb9a77 100644
+--- a/refs.c
++++ b/refs.c
+@@ -1422,6 +1422,7 @@ static struct ref_dir *get_loose_refs(struct ref_cache *refs)
+ /* We allow "recursive" symbolic refs. Only within reason, though */
+ #define MAXDEPTH 5
+ #define MAXREFLEN (1024)
++#define MAXRETRIES 5
+
+ /*
+ * Called by resolve_gitlink_ref_recursive() after it failed to read
+@@ -1576,6 +1577,7 @@ const char *resolve_ref_unsafe(const char *refname, int resolve_flags, unsigned
+ struct stat st;
+ char *buf;
+ int fd;
++ int retries = 0;
+
+ if (--depth < 0) {
+ errno = ELOOP;
+@@ -1612,7 +1614,8 @@ const char *resolve_ref_unsafe(const char *refname, int resolve_flags, unsigned
+ if (S_ISLNK(st.st_mode)) {
+ len = readlink(path, buffer, sizeof(buffer)-1);
+ if (len < 0) {
+- if (errno == ENOENT || errno == EINVAL)
++ if ((errno == ENOENT || errno == EINVAL) &&
++ retries++ < MAXRETRIES)
+ /* inconsistent with lstat; retry */
+ goto stat_ref;
+ else
+@@ -1645,7 +1648,7 @@ const char *resolve_ref_unsafe(const char *refname, int resolve_flags, unsigned
+ */
+ fd = open(path, O_RDONLY);
+ if (fd < 0) {
+- if (errno == ENOENT)
++ if (errno == ENOENT && retries++ < MAXRETRIES)
+ /* inconsistent with lstat; retry */
+ goto stat_ref;
+ else
diff --git a/git.spec b/git.spec
index 15785ac..cd70c93 100644
--- a/git.spec
+++ b/git.spec
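Review bot: `MAXRETRIES` is added beside `MAXDEPTH` and `MAXREFLEN` with no comment, and the one `retries` counter is shared by both retry sites (the `readlink()` failure and the `open()` failure), so the limit is five retries in total across the two rather than five each. That is a sensible bound for a ref that keeps disagreeing with `lstat()`, but it should be written down where the constant is defined, for example `/* Max times resolve_ref_unsafe() goes back to lstat() when readlink()/open() disagree with it; bounds the retry on a broken symlink */`. The block that declares `retries` starts outside these hunks, so how often the counter is reset relative to the `--depth` check cannot be confirmed from here and is worth a second comment at the declaration.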
@@ -44,7 +44,7 @@ Name: git Version: 2.1.0 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools @@ -64,6 +64,7 @@ Patch0: git-1.8-gitweb-home-link.patch Patch1: git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch # https://bugzilla.redhat.com/600411 Patch3: git-1.7-el5-emacs-support.patch +Patch4: git-infinite-loop.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -295,6 +296,7 @@ Requires: emacs-git = %{version}-%{release} %if %{emacs_old} %patch3 -p1 %endif +%patch4 -p1 %if %{use_prebuilt_docs} mkdir -p prebuilt_docs/{html,man} @@ -613,6 +615,14 @@ rm -rf %{buildroot} # No files for you! %changelog +* Mon Jun 22 2015 Petr Stodulka - 2.1.0-5 +- git-svn - added requires for perl-Digest-MD5 (#1218176) - it doesn't + seem that's really problem on F21 - found dependency by rpm from git-svn + package when I try remove it, but it's not bad have it inside spec file +- solve troubles with infinite loop due to broken symlink (probably + shouldn't be problem here, but it's reproducible manually) + (#1204193) + * Thu Dec 11 2014 Petr Stodulka - 2.1.0-4 - removed subpackage git-hg (not functional already) -> replaced by separated package git-remote-hg From 75c12063c97c0eb95575b905af9b77acd75f8ba8 Mon Sep 17 00:00:00 2001 
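Review bot: The new changelog entry says a Requires on perl-Digest-MD5 was added for git-svn (#1218176), but no hunk in this git.spec section adds a `Requires:` line; the 11 insertions in the diffstat are accounted for by the `Release` bump, `Patch4`, `%patch4 -p1` and the changelog text itself. Either add the dependency to the git-svn subpackage or drop that bullet, so the changelog matches what the package actually declares. Separately, `Patch4: git-infinite-loop.patch` is added without a comment, while `Patch3` above it carries its bugzilla URL; a line such as `# https://bugzilla.redhat.com/1204193` above `Patch4` would keep that convention and tie the patch to the bug named in the changelog.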
From: Petr Stodulka Date: Wed, 28 Oct 2015 18:18:38 +0100 Subject: [PATCH 11/11] fix arbitrary code execution via crafted URLs Resolves: #1269797
---
 ...protocol-whitelist-environment-varia.patch | 207 ++++++++++++++++++
 ...only-certain-protocols-for-submodule.patch | 108 +++++++++
 ...ort-refactor-protocol-whitelist-code.patch | 107 +++++++++
 ...it-redirection-to-protocol-whitelist.patch | 105 +++++++++
 0005-http-limit-redirection-depth.patch | 31 +++
 git.spec | 20 +-
 6 files changed, 576 insertions(+), 2 deletions(-)
 create mode 100644 0001-transport-add-a-protocol-whitelist-environment-varia.patch
 create mode 100644 0002-submodule-allow-only-certain-protocols-for-submodule.patch
 create mode 100644 0003-transport-refactor-protocol-whitelist-code.patch
 create mode 100644 0004-http-limit-redirection-to-protocol-whitelist.patch
 create mode 100644 0005-http-limit-redirection-depth.patch
diff --git a/0001-transport-add-a-protocol-whitelist-environment-varia.patch b/0001-transport-add-a-protocol-whitelist-environment-varia.patch
new file mode 100644
index 0000000..3445a12
--- /dev/null
+++ b/0001-transport-add-a-protocol-whitelist-environment-varia.patch
@@ -0,0 +1,207 @@
+From 91233ae25ec604bfbe5f624ebc3e1c45a3d3a36d Mon Sep 17 00:00:00 2001
+From: Petr Stodulka
+Date: Wed, 28 Oct 2015 18:03:32 +0100
+Subject: [PATCH 1/5] transport: add a protocol-whitelist environment variable
+
+If we are cloning an untrusted remote repository into a
+sandbox, we may also want to fetch remote submodules in
+order to get the complete view as intended by the other
+side. However, that opens us up to attacks where a malicious
+user gets us to clone something they would not otherwise
+have access to (this is not necessarily a problem by itself,
+but we may then act on the cloned contents in a way that
+exposes them to the attacker).
+
+Ideally such a setup would sandbox git entirely away from
+high-value items, but this is not always practical or easy
+to set up (e.g., OS network controls may block multiple
+protocols, and we would want to enable some but not others).
+
+We can help this case by providing a way to restrict
+particular protocols. We use a whitelist in the environment.
+This is more annoying to set up than a blacklist, but
+defaults to safety if the set of protocols git supports
+grows). If no whitelist is specified, we continue to default
+to allowing all protocols (this is an "unsafe" default, but
+since the minority of users will want this sandboxing
+effect, it is the only sensible one).
+
+A note on the tests: ideally these would all be in a single
+test file, but the git-daemon and httpd test infrastructure
+is an all-or-nothing proposition rather than a test-by-test
+prerequisite. By putting them all together, we would be
+unable to test the file-local code on machines without
+apache.
+---
+ Documentation/git.txt | 31 +++++++++++++++++++++++++++++++
+ connect.c | 5 +++++
+ transport-helper.c | 2 ++
+ transport.c | 21 ++++++++++++++++++++-
+ transport.h | 7 +++++++
+ 5 files changed, 65 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/git.txt b/Documentation/git.txt
+index de7b870..b87bf7f 100644
+--- a/Documentation/git.txt
++++ b/Documentation/git.txt
+@@ -993,6 +993,37 @@ GIT_ICASE_PATHSPECS::
+ variable when it is invoked as the top level command by the
+ end user, to be recorded in the body of the reflog.
+
++`GIT_ALLOW_PROTOCOL`::
++ If set, provide a colon-separated list of protocols which are
++ allowed to be used with fetch/push/clone. This is useful to
++ restrict recursive submodule initialization from an untrusted
++ repository. Any protocol not mentioned will be disallowed (i.e.,
++ this is a whitelist, not a blacklist). If the variable is not
++ set at all, all protocols are enabled. The protocol names
++ currently used by git are:
++
++ - `file`: any local file-based path (including `file://` URLs,
++ or local paths)
++
++ - `git`: the anonymous git protocol over a direct TCP
++ connection (or proxy, if configured)
++
++ - `ssh`: git over ssh (including `host:path` syntax,
++ `git+ssh://`, etc).
++
++ - `rsync`: git over rsync
++
++ - `http`: git over http, both "smart http" and "dumb http".
++ Note that this does _not_ include `https`; if you want both,
++ you should specify both as `http:https`.
++
++ - any external helpers are named by their protocol (e.g., use
++ `hg` to allow the `git-remote-hg` helper)
+++
++Note that this controls only git's internal protocol selection.
++If libcurl is used (e.g., by the `http` transport), it may
++redirect to other protocols. There is not currently any way to
++restrict this.
+
+ Discussion[[Discussion]]
+ ------------------------
+diff --git a/connect.c b/connect.c
+index 5047402..6b679be 100644
+--- a/connect.c
++++ b/connect.c
+@@ -9,6 +9,7 @@
+ #include "url.h"
+ #include "string-list.h"
+ #include "sha1-array.h"
++#include "transport.h"
+
+ static char *server_capabilities;
+ static const char *parse_feature_value(const char *, const char *, int *);
+@@ -677,6 +678,8 @@ struct child_process *git_connect(int fd[2], const char *url,
+ * cannot connect.
+ */
+ char *target_host = xstrdup(hostandport);
++ transport_check_allowed("git");
++
+ if (git_use_proxy(hostandport))
+ conn = git_proxy_connect(fd, hostandport);
+ else
+@@ -706,6 +709,7 @@ struct child_process *git_connect(int fd[2], const char *url,
+ int putty = ssh && strcasestr(ssh, "plink");
+ char *ssh_host = hostandport;
+ const char *port = NULL;
++ transport_check_allowed("ssh");
+ get_host_and_port(&ssh_host, &port);
+ port = get_port_numeric(port);
+
+@@ -724,6 +728,7 @@ struct child_process *git_connect(int fd[2], const char *url,
+ /* remove repo-local variables from the environment */
+ conn->env = local_repo_env;
+ conn->use_shell = 1;
++ transport_check_allowed("file");
+ }
+ argv_array_push(&conn->args, cmd.buf);
+
+diff --git a/transport-helper.c b/transport-helper.c
+index 3d8fe7d..fb4bd44 100644
+--- a/transport-helper.c
++++ b/transport-helper.c
+@@ -1031,6 +1031,8 @@ int transport_helper_init(struct transport *transport, const char *name)
+ struct helper_data *data = xcalloc(1, sizeof(*data));
+ data->name = name;
+
++ transport_check_allowed(name);
++
+ if (getenv("GIT_TRANSPORT_HELPER_DEBUG"))
+ debug = 1;
+
+diff --git a/transport.c b/transport.c
+index 662421b..1f80cef 100644
+--- a/transport.c
++++ b/transport.c
+@@ -903,6 +903,20 @@ static int external_specification_len(const char *url)
+ return strchr(url, ':') - url;
+ }
+
++void transport_check_allowed(const char *type)
++{
++ struct string_list allowed = STRING_LIST_INIT_DUP;
++ const char *v = getenv("GIT_ALLOW_PROTOCOL");
++
++ if (!v)
++ return;
++
++ string_list_split(&allowed, v, ':', -1);
++ if (!unsorted_string_list_has_string(&allowed, type))
++ die("transport '%s' not allowed", type);
++ string_list_clear(&allowed, 0);
++}
++
+ struct transport *transport_get(struct remote *remote, const char *url)
+ {
+ const char *helper;
+@@ -934,12 +948,14 @@ struct transport *transport_get(struct remote *remote, const char *url)
+ if (helper) {
+ transport_helper_init(ret, helper);
+ } else if (starts_with(url, "rsync:")) {
++ transport_check_allowed("rsync");
+ ret->get_refs_list = get_refs_via_rsync;
+ ret->fetch = fetch_objs_via_rsync;
+ ret->push = rsync_transport_push;
+ ret->smart_options = NULL;
+ } else if (url_is_local_not_ssh(url) && is_file(url) && is_bundle(url, 1)) {
+ struct bundle_transport_data *data = xcalloc(1, sizeof(*data));
++ transport_check_allowed("file");
+ ret->data = data;
+ ret->get_refs_list = get_refs_from_bundle;
+ ret->fetch = fetch_refs_from_bundle;
+@@ -951,7 +967,10 @@ struct transport *transport_get(struct remote *remote, const char *url)
+ || starts_with(url, "ssh://")
+ || starts_with(url, "git+ssh://")
+ || starts_with(url, "ssh+git://")) {
+- /* These are builtin smart transports. */
++ /*
++ * These are builtin smart transports; "allowed" transports
++ * will be checked individually in git_connect.
++ */
+ struct git_transport_data *data = xcalloc(1, sizeof(*data));
+ ret->data = data;
+ ret->set_option = NULL;
+diff --git a/transport.h b/transport.h
+index 02ea248..c1447f1 100644
+--- a/transport.h
++++ b/transport.h
+@@ -130,6 +130,13 @@ struct transport {
+ /* Returns a transport suitable for the url */
+ struct transport *transport_get(struct remote *, const char *);
+
++/*
++ * Check whether a transport is allowed by the environment,
++ * and die otherwise. type should generally be the URL scheme,
++ * as described in Documentation/git.txt
++ */
++void transport_check_allowed(const char *type);
++
+ /* Transport options which apply to git:// and scp-style URLs */
+
+ /* The program to use on the remote side to send a pack */
+--
+2.1.0
+
diff --git a/0002-submodule-allow-only-certain-protocols-for-submodule.patch b/0002-submodule-allow-only-certain-protocols-for-submodule.patch
new file mode 100644
index 0000000..86c7194
--- /dev/null
+++ b/0002-submodule-allow-only-certain-protocols-for-submodule.patch
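Review bot: The header of this backported patch does not say where it came from or what was changed: it lists the packager as author with the packaging date, carries no Signed-off-by or upstream commit reference, and its message still has "A note on the tests" although the diffstat touches no file under `t/`. For a security fix that makes the backport hard to audit against the original change. I would add a line to the message before the `---`, such as `Backported from upstream commit <UPSTREAM_COMMIT_ID>; test files dropped for 2.1.0.`, and remove or reword the paragraph about tests. The 0004 patch in this commit has the same shape (its message says "This commit includes a test" while its diffstat lists only Documentation/git.txt and http.c).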
@@ -0,0 +1,108 @@
+From 8c0d436912443147e691e4820c706d1c5014c1eb Mon Sep 17 00:00:00 2001
+From: Jeff King
+Date: Wed, 16 Sep 2015 13:13:12 -0400
+Subject: [PATCH 2/5] submodule: allow only certain protocols for submodule
+ fetches
+
+Some protocols (like git-remote-ext) can execute arbitrary
+code found in the URL. The URLs that submodules use may come
+from arbitrary sources (e.g., .gitmodules files in a remote
+repository). Let's restrict submodules to fetching from a
+known-good subset of protocols.
+
+Note that we apply this restriction to all submodule
+commands, whether the URL comes from .gitmodules or not.
+This is more restrictive than we need to be; for example, in
+the tests we run:
+
+ git submodule add ext::...
+
+which should be trusted, as the URL comes directly from the
+command line provided by the user. But doing it this way is
+simpler, and makes it much less likely that we would miss a
+case. And since such protocols should be an exception
+(especially because nobody who clones from them will be able
+to update the submodules!), it's not likely to inconvenience
+anyone in practice.
+
+Reported-by: Blake Burkhart
+Signed-off-by: Jeff King
+Signed-off-by: Junio C Hamano
+---
+ git-submodule.sh | 9 +++++++++
+ t/t5815-submodule-protos.sh | 43 +++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+)
+ create mode 100755 t/t5815-submodule-protos.sh
+
+diff --git a/git-submodule.sh b/git-submodule.sh
+index 9245abf..5aa3ce5 100755
+--- a/git-submodule.sh
++++ b/git-submodule.sh
+@@ -22,6 +22,15 @@ require_work_tree
+ wt_prefix=$(git rev-parse --show-prefix)
+ cd_to_toplevel
+
++# Restrict ourselves to a vanilla subset of protocols; the URLs
++# we get are under control of a remote repository, and we do not
++# want them kicking off arbitrary git-remote-* programs.
++#
++# If the user has already specified a set of allowed protocols,
++# we assume they know what they're doing and use that instead.
++: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh}
++export GIT_ALLOW_PROTOCOL
++
+ command=
+ branch=
+ force=
+diff --git a/t/t5815-submodule-protos.sh b/t/t5815-submodule-protos.sh
+new file mode 100755
+index 0000000..06f55a1
+--- /dev/null
++++ b/t/t5815-submodule-protos.sh
+@@ -0,0 +1,43 @@
++#!/bin/sh
++
++test_description='test protocol whitelisting with submodules'
++. ./test-lib.sh
++. "$TEST_DIRECTORY"/lib-proto-disable.sh
++
++setup_ext_wrapper
++setup_ssh_wrapper
++
++test_expect_success 'setup repository with submodules' '
++ mkdir remote &&
++ git init remote/repo.git &&
++ (cd remote/repo.git && test_commit one) &&
++ # submodule-add should probably trust what we feed it on the cmdline,
++ # but its implementation is overly conservative.
++ GIT_ALLOW_PROTOCOL=ssh git submodule add remote:repo.git ssh-module &&
++ GIT_ALLOW_PROTOCOL=ext git submodule add "ext::fake-remote %S repo.git" ext-module &&
++ git commit -m "add submodules"
++'
++
++test_expect_success 'clone with recurse-submodules fails' '
++ test_must_fail git clone --recurse-submodules . dst
++'
++
++test_expect_success 'setup individual updates' '
++ rm -rf dst &&
++ git clone . dst &&
++ git -C dst submodule init
++'
++
++test_expect_success 'update of ssh allowed' '
++ git -C dst submodule update ssh-module
++'
++
++test_expect_success 'update of ext not allowed' '
++ test_must_fail git -C dst submodule update ext-module
++'
++
++test_expect_success 'user can override whitelist' '
++ GIT_ALLOW_PROTOCOL=ext git -C dst submodule update ext-module
++'
++
++test_done
+--
+2.1.0
+
diff --git a/0003-transport-refactor-protocol-whitelist-code.patch b/0003-transport-refactor-protocol-whitelist-code.patch
new file mode 100644
index 0000000..38f68a6
--- /dev/null
+++ b/0003-transport-refactor-protocol-whitelist-code.patch
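Review bot: The new test script sources `"$TEST_DIRECTORY"/lib-proto-disable.sh` and calls `setup_ext_wrapper` and `setup_ssh_wrapper`, but no patch visible in this commit adds that library (the 0001 diffstat lists no file under `t/`). Unless the 2.1.0 tarball already ships it, t5815 stops at the source line and the submodule restriction is never exercised by the test suite. Either carry the helper library in the backport or drop the test from this patch and say so in its header. In git-submodule.sh the `${GIT_ALLOW_PROTOCOL=...}` form (no colon) keeps a value that is set but empty, so the default list is applied only when the variable is unset; a short comment such as `# '=' rather than ':=': an explicitly empty list is respected` would make that intent clear.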
@@ -0,0 +1,107 @@
+From 2177303c6bff4d91b80cfb7cd95fac211771205a Mon Sep 17 00:00:00 2001
+From: Jeff King
+Date: Tue, 22 Sep 2015 18:03:49 -0400
+Subject: [PATCH 3/5] transport: refactor protocol whitelist code
+
+The current callers only want to die when their transport is
+prohibited. But future callers want to query the mechanism
+without dying.
+
+Let's break out a few query functions, and also save the
+results in a static list so we don't have to re-parse for
+each query.
+
+Based-on-a-patch-by: Blake Burkhart
+Signed-off-by: Jeff King
+Signed-off-by: Junio C Hamano
+---
+ transport.c | 38 ++++++++++++++++++++++++++++++--------
+ transport.h | 15 +++++++++++++--
+ 2 files changed, 43 insertions(+), 10 deletions(-)
+
+diff --git a/transport.c b/transport.c
+index 1f80cef..6eeb0e3 100644
+--- a/transport.c
++++ b/transport.c
+@@ -903,18 +903,40 @@ static int external_specification_len(const char *url)
+ return strchr(url, ':') - url;
+ }
+
+-void transport_check_allowed(const char *type)
++static const struct string_list *protocol_whitelist(void)
+ {
+- struct string_list allowed = STRING_LIST_INIT_DUP;
+- const char *v = getenv("GIT_ALLOW_PROTOCOL");
++ static int enabled = -1;
++ static struct string_list allowed = STRING_LIST_INIT_DUP;
++
++ if (enabled < 0) {
++ const char *v = getenv("GIT_ALLOW_PROTOCOL");
++ if (v) {
++ string_list_split(&allowed, v, ':', -1);
++ sort_string_list(&allowed);
++ enabled = 1;
++ } else {
++ enabled = 0;
++ }
++ }
+
+- if (!v)
+- return;
++ return enabled ? &allowed : NULL;
++}
++
++int is_transport_allowed(const char *type)
++{
++ const struct string_list *allowed = protocol_whitelist();
++ return !allowed || string_list_has_string(allowed, type);
++}
+
+- string_list_split(&allowed, v, ':', -1);
+- if (!unsorted_string_list_has_string(&allowed, type))
++void transport_check_allowed(const char *type)
++{
++ if (!is_transport_allowed(type))
+ die("transport '%s' not allowed", type);
+- string_list_clear(&allowed, 0);
++}
++
++int transport_restrict_protocols(void)
++{
++ return !!protocol_whitelist();
+ }
+
+ struct transport *transport_get(struct remote *remote, const char *url)
+diff --git a/transport.h b/transport.h
+index c1447f1..0a7f3f2 100644
+--- a/transport.h
++++ b/transport.h
+@@ -131,12 +131,23 @@ struct transport {
+ struct transport *transport_get(struct remote *, const char *);
+
+ /*
++ * Check whether a transport is allowed by the environment. Type should
++ * generally be the URL scheme, as described in Documentation/git.txt
++ */
++int is_transport_allowed(const char *type);
++
++/*
+ * Check whether a transport is allowed by the environment,
+- * and die otherwise. type should generally be the URL scheme,
+- * as described in Documentation/git.txt
++ * and die otherwise.
+ */
+ void transport_check_allowed(const char *type);
+
++/*
++ * Returns true if the user has attempted to turn on protocol
++ * restrictions at all.
++ */
++int transport_restrict_protocols(void);
++
+ /* Transport options which apply to git:// and scp-style URLs */
+
+ /* The program to use on the remote side to send a pack */
+--
+2.1.0
+
diff --git a/0004-http-limit-redirection-to-protocol-whitelist.patch b/0004-http-limit-redirection-to-protocol-whitelist.patch
new file mode 100644
index 0000000..a3d302f
--- /dev/null
+++ b/0004-http-limit-redirection-to-protocol-whitelist.patch
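Review bot: The new transport.h comments do not state the return convention of `is_transport_allowed()` or how an empty `GIT_ALLOW_PROTOCOL` is treated. `protocol_whitelist()` only distinguishes unset from set, so an empty value still sets `enabled = 1` with a list that, as far as the visible code shows, holds a single empty name, and every transport is then rejected. That is the safe direction, but a caller has to read transport.c to learn it, and also to learn that the variable is parsed once and cached in the static list for the life of the process. I would extend the comment above `is_transport_allowed` with `Returns non-zero if allowed. With GIT_ALLOW_PROTOCOL unset everything is allowed; set but empty, nothing is. The value is parsed once per process.`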
@@ -0,0 +1,105 @@
+From 0521da24ebb5a81616f4bca6507d7bcbebc76cea Mon Sep 17 00:00:00 2001
+From: Petr Stodulka
+Date: Wed, 28 Oct 2015 18:08:59 +0100
+Subject: [PATCH 4/5] http: limit redirection to protocol-whitelist
+
+Previously, libcurl would follow redirection to any protocol
+it was compiled for support with. This is desirable to allow
+redirection from HTTP to HTTPS. However, it would even
+successfully allow redirection from HTTP to SFTP, a protocol
+that git does not otherwise support at all. Furthermore
+git's new protocol-whitelisting could be bypassed by
+following a redirect within the remote helper, as it was
+only enforced at transport selection time.
+
+This patch limits redirects within libcurl to HTTP, HTTPS,
+FTP and FTPS. If there is a protocol-whitelist present, this
+list is limited to those also allowed by the whitelist. As
+redirection happens from within libcurl, it is impossible
+for an HTTP redirect to a protocol implemented within
+another remote helper.
+
+When the curl version git was compiled with is too old to
+support restrictions on protocol redirection, we warn the
+user if GIT_ALLOW_PROTOCOL restrictions were requested. This
+is a little inaccurate, as even without that variable in the
+environment, we would still restrict SFTP, etc, and we do
+not warn in that case. But anything else means we would
+literally warn every time git accesses an http remote.
+
+This commit includes a test, but it is not as robust as we
+would hope. It redirects an http request to ftp, and checks
+that curl complained about the protocol, which means that we
+are relying on curl's specific error message to know what
+happened. Ideally we would redirect to a working ftp server
+and confirm that we can clone without protocol restrictions,
+and not with them. But we do not have a portable way of
+providing an ftp server, nor any other protocol that curl
+supports (https is the closest, but we would have to deal
+with certificates).
+---
+ Documentation/git.txt | 5 -----
+ http.c | 17 +++++++++++++++++
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/Documentation/git.txt b/Documentation/git.txt
+index b87bf7f..406a179 100644
+--- a/Documentation/git.txt
++++ b/Documentation/git.txt
+@@ -1019,11 +1019,6 @@ GIT_ICASE_PATHSPECS::
+
+ - any external helpers are named by their protocol (e.g., use
+ `hg` to allow the `git-remote-hg` helper)
+-+
+-Note that this controls only git's internal protocol selection.
+-If libcurl is used (e.g., by the `http` transport), it may
+-redirect to other protocols. There is not currently any way to
+-restrict this.
+
+ Discussion[[Discussion]]
+ ------------------------
+diff --git a/http.c b/http.c
+index c8cd50d..e153678 100644
+--- a/http.c
++++ b/http.c
+@@ -7,6 +7,7 @@
+ #include "credential.h"
+ #include "version.h"
+ #include "pkt-line.h"
++#include "transport.h"
+
+ int active_requests;
+ int http_is_verbose;
+@@ -299,6 +300,7 @@ static void set_curl_keepalive(CURL *c)
+ static CURL *get_curl_handle(void)
+ {
+ CURL *result = curl_easy_init();
++ long allowed_protocols = 0;
+
+ if (!curl_ssl_verify) {
+ curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, 0);
+@@ -348,6 +350,21 @@ static CURL *get_curl_handle(void)
+ #elif LIBCURL_VERSION_NUM >= 0x071101
+ curl_easy_setopt(result, CURLOPT_POST301, 1);
+ #endif
++#if LIBCURL_VERSION_NUM >= 0x071304
++ if (is_transport_allowed("http"))
++ allowed_protocols |= CURLPROTO_HTTP;
++ if (is_transport_allowed("https"))
++ allowed_protocols |= CURLPROTO_HTTPS;
++ if (is_transport_allowed("ftp"))
++ allowed_protocols |= CURLPROTO_FTP;
++ if (is_transport_allowed("ftps"))
++ allowed_protocols |= CURLPROTO_FTPS;
++ curl_easy_setopt(result, CURLOPT_REDIR_PROTOCOLS, allowed_protocols);
++#else
++ if (transport_restrict_protocols())
++ warning("protocol restrictions not applied to curl redirects because\n"
++ "your curl version is too old (>= 7.19.4)");
++#endif
+
+ if (getenv("GIT_CURL_VERBOSE"))
+ curl_easy_setopt(result, CURLOPT_VERBOSE, 1);
+--
+2.1.0
+
diff --git a/0005-http-limit-redirection-depth.patch b/0005-http-limit-redirection-depth.patch
new file mode 100644
index 0000000..bb53da2
--- /dev/null
+++ b/0005-http-limit-redirection-depth.patch
@@ -0,0 +1,31 @@
+From 651648cf0ac04f9673bca45641e848771a4c64e4 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka
+Date: Wed, 28 Oct 2015 17:30:24 +0100
+Subject: [PATCH 5/5] http: limit redirection depth
+
+By default, libcurl will follow circular http redirects
+forever. Let's put a cap on this so that somebody who can
+trigger an automated fetch of an arbitrary repository (e.g.,
+for CI) cannot convince git to loop infinitely.
+
+The value chosen is 20, which is the same default that
+Firefox uses.
+---
+ http.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/http.c b/http.c
+index e153678..0bfddb4 100644
+--- a/http.c
++++ b/http.c
+@@ -345,6 +345,7 @@ static CURL *get_curl_handle(void)
+ }
+
+ curl_easy_setopt(result, CURLOPT_FOLLOWLOCATION, 1);
++ curl_easy_setopt(result, CURLOPT_MAXREDIRS, 20);
+ #if LIBCURL_VERSION_NUM >= 0x071301
+ curl_easy_setopt(result, CURLOPT_POSTREDIR, CURL_REDIR_POST_ALL);
+ #elif LIBCURL_VERSION_NUM >= 0x071101
+--
+2.1.0
+
diff --git a/git.spec b/git.spec
index cd70c93..4abaa40 100644
--- a/git.spec
+++ b/git.spec
@@ -44,7 +44,7 @@ Name: git Version: 2.1.0 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools
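Review bot: The warning added in the `#else` branch of the http.c hunk reads as if 7.19.4 and later were the old versions; `"your curl version is too old (>= 7.19.4)"` would be clearer as `"your curl version is too old (need >= 7.19.4)"`, matching the `LIBCURL_VERSION_NUM >= 0x071304` guard above it. In that branch redirects are still followed to whatever protocols libcurl was built with, and the warning is printed only when GIT_ALLOW_PROTOCOL is set, so a build against such a curl keeps the old redirect behaviour silently by default. The patch description says the commit includes a test, but the diffstat lists only Documentation/git.txt and http.c, so the description should be trimmed or the test carried over with the backport. `get_curl_handle()` begins and ends outside the hunks shown.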
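Review bot: `CURLOPT_MAXREDIRS` takes a `long`, but the added call passes the bare `int` literal `20` through the variadic `curl_easy_setopt`; `curl_easy_setopt(result, CURLOPT_MAXREDIRS, 20L);` states the type explicitly, in the same way the whitelist patch declares `allowed_protocols` as `long`. The reason for the value lives only in the patch description, so a one-line comment above the call, such as `/* cap redirect chains so a redirect loop cannot stall an automated fetch */`, would keep the rationale with the code. `get_curl_handle()` continues outside the hunk.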
@@ -66,6 +66,13 @@ Patch1: git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch Patch3: git-1.7-el5-emacs-support.patch Patch4: git-infinite-loop.patch +# set of patches for security bug (solved since 2.6.1) +Patch6: 0001-transport-add-a-protocol-whitelist-environment-varia.patch +Patch7: 0002-submodule-allow-only-certain-protocols-for-submodule.patch +Patch8: 0003-transport-refactor-protocol-whitelist-code.patch +Patch9: 0004-http-limit-redirection-to-protocol-whitelist.patch +Patch10: 0005-http-limit-redirection-depth.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! %{use_prebuilt_docs} && ! 0%{?_without_docs} @@ -297,6 +304,11 @@ Requires: emacs-git = %{version}-%{release} %patch3 -p1 %endif %patch4 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 %if %{use_prebuilt_docs} mkdir -p prebuilt_docs/{html,man} @@ -615,7 +627,11 @@ rm -rf %{buildroot} # No files for you! %changelog -* Mon Jun 22 2015 Petr Stodulka - 2.1.0-5 +* Wed Oct 28 2015 Petr Stodulka - 2.1.0-6 +- fix arbitrary code execution via crafted URLs + Resolves: #1269797 + +* Mon Jun 22 2015 Petr Stodulka - 2.1.0-5 - git-svn - added requires for perl-Digest-MD5 (#1218176) - it doesn't seem that's really problem on F21 - found dependency by rpm from git-svn package when I try remove it, but it's not bad have it inside spec file