From aa8ac0294421d465f60e18c8271f971ec8407a95 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Sun, 13 May 2018 20:39:36 +0300 Subject: gnu: myrepos: Fix CVE-2018-7032. * gnu/packages/version-control.scm (myrepos)[source]: Add patch. * gnu/packages/patches/myrepos-CVE-2018-7032.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/packages/patches/myrepos-CVE-2018-7032.patch | 69 ++++++++++++++++++++++++ gnu/packages/version-control.scm | 3 +- 2 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/myrepos-CVE-2018-7032.patch (limited to 'gnu/packages') diff --git a/gnu/packages/patches/myrepos-CVE-2018-7032.patch b/gnu/packages/patches/myrepos-CVE-2018-7032.patch new file mode 100644 index 0000000000..ce9493e5f9 --- /dev/null +++ b/gnu/packages/patches/myrepos-CVE-2018-7032.patch @@ -0,0 +1,69 @@ +http://source.myrepos.branchable.com/?p=source.git;a=patch;h=40a3df21c73f1bb1b6915cc6fa503f50814664c8 +This can be removed with the next release. It was modified slightly to apply + +From 40a3df21c73f1bb1b6915cc6fa503f50814664c8 Mon Sep 17 00:00:00 2001 +From: Paul Wise +Date: Sun, 11 Feb 2018 21:57:49 +0800 +Subject: [PATCH] Mitigate vulnerabilities caused by some git remotes being + able to execute code + +Set GIT_PROTOCOL_FROM_USER=0 with git versions newer than 2.12. + +Prevent remote websites from causing cloning of local repositories. + +Manually whitelist known-safe protocols (http, https, git, ssh) +when using git versions older than 2.12. + +Fixes: CVE-2018-7032 +Fixes: https://bugs.debian.org/840014 +Suggestions-by: Jakub Wilk +Reported-by: Jakub Wilk +--- + webcheckout | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/webcheckout b/webcheckout +index e98da5c..de497ba 100755 +--- a/webcheckout ++++ b/webcheckout +@@ -71,6 +71,16 @@ use Getopt::Long; + use warnings; + use strict; + ++# Mitigate some git remote types being dangerous ++my $git_unsafe = 1; ++my $git_version = `git --version`; ++$git_version =~ s{^git version }{}; ++my ($major, $minor) = split(/\./, $git_version); ++if (int($major) >= 2 && int($minor) >= 12) { ++ $ENV{GIT_PROTOCOL_FROM_USER} = 0; ++ $git_unsafe = 0; ++} ++ + # What to download. + my $url; + +@@ -89,7 +99,17 @@ my $destdir; + + # how to perform checkouts + my %handlers=( +- git => sub { doit("git", "clone", shift, $destdir) }, +- svn => sub { doit("svn", "checkout", shift, $destdir) }, +- bzr => sub { doit("bzr", "branch", shift, $destdir) }, ++ git => sub { ++ my $git_url = shift; ++ # Reject unsafe URLs with older versions of git ++ # that do not already check the URL safety. ++ if ($git_unsafe && $git_url !~ m{^(?:(?:https?|git|ssh):[^:]|(?:[-_.A-Za-z0-9]+@)?[-_.A-Za-z0-9]+:(?!:|//))}) { ++ print STDERR "potentially unsafe git URL, may fail, touch local files or execute arbitrary code\n"; ++ return 1; ++ } ++ # Reject cloning local directories too, webcheckout is for remote repos ++ doit(qw(git -c protocol.file.allow=user clone --), $git_url, $destdir) ++ }, ++ svn => sub { doit(qw(svn checkout --), shift, $destdir) }, ++ bzr => sub { doit(qw(bzr branch --), shift, $destdir) }, + ); +-- +2.11.0 + diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index 848660bdd7..b41529d4f8 100644 --- a/gnu/packages/version-control.scm +++ b/gnu/packages/version-control.scm @@ -1573,7 +1573,8 @@ modification time.") (commit version))) (file-name (string-append name "-" version "-checkout")) (sha256 - (base32 "10q7lpx152xnkk701fscn4dq99q9znnmv3bc2482khhjg7z8rps0")))) + (base32 "10q7lpx152xnkk701fscn4dq99q9znnmv3bc2482khhjg7z8rps0")) + (patches (search-patches "myrepos-CVE-2018-7032.patch")))) (build-system gnu-build-system) (inputs `(("perl" ,perl))) -- cgit 1.4.1