summary refs log tree commit diff
path: root/gnu/packages/patches/myrepos-CVE-2018-7032.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/myrepos-CVE-2018-7032.patch')
-rw-r--r--gnu/packages/patches/myrepos-CVE-2018-7032.patch69
1 files changed, 0 insertions, 69 deletions
diff --git a/gnu/packages/patches/myrepos-CVE-2018-7032.patch b/gnu/packages/patches/myrepos-CVE-2018-7032.patch
deleted file mode 100644
index ce9493e5f9..0000000000
--- a/gnu/packages/patches/myrepos-CVE-2018-7032.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-http://source.myrepos.branchable.com/?p=source.git;a=patch;h=40a3df21c73f1bb1b6915cc6fa503f50814664c8
-This can be removed with the next release. It was modified slightly to apply
-
-From 40a3df21c73f1bb1b6915cc6fa503f50814664c8 Mon Sep 17 00:00:00 2001
-From: Paul Wise <pabs3@bonedaddy.net>
-Date: Sun, 11 Feb 2018 21:57:49 +0800
-Subject: [PATCH] Mitigate vulnerabilities caused by some git remotes being
- able to execute code
-
-Set GIT_PROTOCOL_FROM_USER=0 with git versions newer than 2.12.
-
-Prevent remote websites from causing cloning of local repositories.
-
-Manually whitelist known-safe protocols (http, https, git, ssh)
-when using git versions older than 2.12.
-
-Fixes: CVE-2018-7032
-Fixes: https://bugs.debian.org/840014
-Suggestions-by: Jakub Wilk <jwilk@jwilk.net>
-Reported-by: Jakub Wilk <jwilk@jwilk.net>
----
- webcheckout | 22 +++++++++++++++++++++-
- 1 file changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/webcheckout b/webcheckout
-index e98da5c..de497ba 100755
---- a/webcheckout
-+++ b/webcheckout
-@@ -71,6 +71,16 @@ use Getopt::Long;
- use warnings;
- use strict;
- 
-+# Mitigate some git remote types being dangerous
-+my $git_unsafe = 1;
-+my $git_version = `git --version`;
-+$git_version =~ s{^git version }{};
-+my ($major, $minor) = split(/\./, $git_version);
-+if (int($major) >= 2 && int($minor) >= 12) {
-+	$ENV{GIT_PROTOCOL_FROM_USER} = 0;
-+	$git_unsafe = 0;
-+}
-+
- # What to download.
- my $url;
- 
-@@ -89,7 +99,17 @@ my $destdir;
- 
- # how to perform checkouts
- my %handlers=(
--	git => sub { doit("git", "clone", shift, $destdir) },
--	svn => sub { doit("svn", "checkout", shift, $destdir) },
--	bzr => sub { doit("bzr", "branch", shift, $destdir) },
-+	git => sub {
-+		my $git_url = shift;
-+		# Reject unsafe URLs with older versions of git
-+		# that do not already check the URL safety.
-+		if ($git_unsafe && $git_url !~ m{^(?:(?:https?|git|ssh):[^:]|(?:[-_.A-Za-z0-9]+@)?[-_.A-Za-z0-9]+:(?!:|//))}) {
-+			print STDERR "potentially unsafe git URL, may fail, touch local files or execute arbitrary code\n";
-+			return 1;
-+		}
-+		# Reject cloning local directories too, webcheckout is for remote repos
-+		doit(qw(git -c protocol.file.allow=user clone --), $git_url, $destdir)
-+	},
-+	svn => sub { doit(qw(svn checkout --), shift, $destdir) },
-+	bzr => sub { doit(qw(bzr branch --), shift, $destdir) },
- );
--- 
-2.11.0
-