summary refs log tree commit diff
path: root/gnu/packages/patches/myrepos-CVE-2018-7032.patch
blob: ce9493e5f9a29f2155fa69985e4f62d80df3668c (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
http://source.myrepos.branchable.com/?p=source.git;a=patch;h=40a3df21c73f1bb1b6915cc6fa503f50814664c8
This can be removed with the next release. It was modified slightly to apply

From 40a3df21c73f1bb1b6915cc6fa503f50814664c8 Mon Sep 17 00:00:00 2001
From: Paul Wise <pabs3@bonedaddy.net>
Date: Sun, 11 Feb 2018 21:57:49 +0800
Subject: [PATCH] Mitigate vulnerabilities caused by some git remotes being
 able to execute code

Set GIT_PROTOCOL_FROM_USER=0 with git versions newer than 2.12.

Prevent remote websites from causing cloning of local repositories.

Manually whitelist known-safe protocols (http, https, git, ssh)
when using git versions older than 2.12.

Fixes: CVE-2018-7032
Fixes: https://bugs.debian.org/840014
Suggestions-by: Jakub Wilk <jwilk@jwilk.net>
Reported-by: Jakub Wilk <jwilk@jwilk.net>
---
 webcheckout | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/webcheckout b/webcheckout
index e98da5c..de497ba 100755
--- a/webcheckout
+++ b/webcheckout
@@ -71,6 +71,16 @@ use Getopt::Long;
 use warnings;
 use strict;
 
+# Mitigate some git remote types being dangerous
+my $git_unsafe = 1;
+my $git_version = `git --version`;
+$git_version =~ s{^git version }{};
+my ($major, $minor) = split(/\./, $git_version);
+if (int($major) >= 2 && int($minor) >= 12) {
+	$ENV{GIT_PROTOCOL_FROM_USER} = 0;
+	$git_unsafe = 0;
+}
+
 # What to download.
 my $url;
 
@@ -89,7 +99,17 @@ my $destdir;
 
 # how to perform checkouts
 my %handlers=(
-	git => sub { doit("git", "clone", shift, $destdir) },
-	svn => sub { doit("svn", "checkout", shift, $destdir) },
-	bzr => sub { doit("bzr", "branch", shift, $destdir) },
+	git => sub {
+		my $git_url = shift;
+		# Reject unsafe URLs with older versions of git
+		# that do not already check the URL safety.
+		if ($git_unsafe && $git_url !~ m{^(?:(?:https?|git|ssh):[^:]|(?:[-_.A-Za-z0-9]+@)?[-_.A-Za-z0-9]+:(?!:|//))}) {
+			print STDERR "potentially unsafe git URL, may fail, touch local files or execute arbitrary code\n";
+			return 1;
+		}
+		# Reject cloning local directories too, webcheckout is for remote repos
+		doit(qw(git -c protocol.file.allow=user clone --), $git_url, $destdir)
+	},
+	svn => sub { doit(qw(svn checkout --), shift, $destdir) },
+	bzr => sub { doit(qw(bzr branch --), shift, $destdir) },
 );
-- 
2.11.0