From 5ba2ba495e84da09ed660f323d21900c88f53113 Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Fri, 23 Jul 2021 09:56:56 +0800
Subject: [PATCH] fix CVE-2020-12278 and CVE-2020-12279
---
 CVE-2020-12278.patch | 44 ++++++++++++++++++++++++++++++++++
 CVE-2020-12279.patch | 57 ++++++++++++++++++++++++++++++++++++++++++++
 libgit2.spec | 7 +++++-
 3 files changed, 107 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-12278.patch
 create mode 100644 CVE-2020-12279.patch
diff --git a/CVE-2020-12278.patch b/CVE-2020-12278.patch
new file mode 100644
index 0000000..b2052d7
--- /dev/null
+++ b/CVE-2020-12278.patch
@@ -0,0 +1,44 @@
+From e1832eb20a7089f6383cfce474f213157f5300cb Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin
+Date: Wed, 18 Sep 2019 16:33:18 +0200
+Subject: [PATCH] path: also guard `.gitmodules` against NTFS Alternate Data
+ Streams
+
+We just safe-guarded `.git` against NTFS Alternate Data Stream-related
+attack vectors, and now it is time to do the same for `.gitmodules`.
+
+Note: In the added regression test, we refrain from verifying all kinds
+of variations between short names and NTFS Alternate Data Streams: as
+the new code disallows _all_ Alternate Data Streams of `.gitmodules`, it
+is enough to test one in order to know that all of them are guarded
+against.
+
+Signed-off-by: Johannes Schindelin
+---
+ src/path.c | 2 +-
+ tests/path/dotgit.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/path.c b/src/path.c
+index 7844da67227..b3a8fc32f83 100644
+--- a/src/path.c
++++ b/src/path.c
+@@ -1646,7 +1646,7 @@ GIT_INLINE(bool) only_spaces_and_dots(const char *path)
+ const char *c = path;
+ 
+ for (;; c++) {
+- if (*c == '\0')
++ if (*c == '\0' || *c == ':')
+ return true;
+ if (*c != ' ' && *c != '.')
+ return false;
+diff --git a/tests/path/dotgit.c b/tests/path/dotgit.c
+index 30996694512..ceb7330d248 100644
+--- a/tests/path/dotgit.c
++++ b/tests/path/dotgit.c
+@@ -116,4 +116,5 @@ void test_path_dotgit__dotgit_modules_symlink(void)
+ cl_assert_equal_b(true, git_path_isvalid(NULL, ".gitmodules", 0, GIT_PATH_REJECT_DOT_GIT_HFS|GIT_PATH_REJECT_DOT_GIT_NTFS));
+ cl_assert_equal_b(false, git_path_isvalid(NULL, ".gitmodules", S_IFLNK, GIT_PATH_REJECT_DOT_GIT_HFS));
+ cl_assert_equal_b(false, git_path_isvalid(NULL, ".gitmodules", S_IFLNK, GIT_PATH_REJECT_DOT_GIT_NTFS));
++ cl_assert_equal_b(false, git_path_isvalid(NULL, ".gitmodules . .::$DATA", S_IFLNK, GIT_PATH_REJECT_DOT_GIT_NTFS));
+ }
diff --git a/CVE-2020-12279.patch b/CVE-2020-12279.patch
new file mode 100644
index 0000000..1143521
--- /dev/null
+++ b/CVE-2020-12279.patch
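Review bot: The only functional line in this backport, `++ if (*c == '\0' || *c == ':')` in `only_spaces_and_dots`, lands in a helper that the upstream message says was added by the immediately preceding `.git` NTFS Alternate Data Stream commit; if libgit2 0.27.8 does not already carry that prerequisite, the hunk has nothing to apply against and the `.gitmodules` guard is silently absent. Confirm the helper exists at the hunk's context (src/path.c around line 1646) or add that earlier upstream commit as a further Patch entry. A one-line comment, e.g. `/* ':' introduces an NTFS Alternate Data Stream; treat it as end of name */`, would record why a colon terminates the scan. `only_spaces_and_dots` begins before the inner hunk.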
@@ -0,0 +1,57 @@
+From 64c612cc3e25eff5fb02c59ef5a66ba7a14751e4 Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin
+Date: Wed, 18 Sep 2019 15:25:02 +0200
+Subject: [PATCH] Protect against 8.3 "short name" attacks also on Linux/macOS
+
+The Windows Subsystem for Linux (WSL) is getting increasingly popular,
+in particular because it makes it _so_ easy to run Linux software on
+Windows' files, via the auto-mounted Windows drives (`C:\` is mapped to
+`/mnt/c/`, no need to set that up manually).
+
+Unfortunately, files/directories on the Windows drives can be accessed
+via their _short names_, if that feature is enabled (which it is on the
+`C:` drive by default).
+
+Which means that we have to safeguard even our Linux users against the
+short name attacks.
+
+Further, while the default options of CIFS/SMB-mounts seem to disallow
+accessing files on network shares via their short names on Linux/macOS,
+it _is_ possible to do so with the right options.
+
+So let's just safe-guard against short name attacks _everywhere_.
+
+Signed-off-by: Johannes Schindelin
+---
+ src/checkout.c | 2 +-
+ tests/checkout/nasty.c | 3 +--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/checkout.c b/src/checkout.c
+index 5cfa7280baa..5b20ede466b 100644
+--- a/src/checkout.c
++++ b/src/checkout.c
+@@ -1271,7 +1271,7 @@ static int checkout_verify_paths(
+ int action,
+ git_diff_delta *delta)
+ {
+- unsigned int flags = GIT_PATH_REJECT_WORKDIR_DEFAULTS;
++ unsigned int flags = GIT_PATH_REJECT_WORKDIR_DEFAULTS | GIT_PATH_REJECT_DOT_GIT_NTFS;
+ 
+ if (action & CHECKOUT_ACTION__REMOVE) {
+ if (!git_path_isvalid(repo, delta->old_file.path, delta->old_file.mode, flags)) {
+diff --git a/tests/checkout/nasty.c b/tests/checkout/nasty.c
+index 3897878cef1..a0ac738a812 100644
+--- a/tests/checkout/nasty.c
++++ b/tests/checkout/nasty.c
+@@ -206,9 +206,8 @@ void test_checkout_nasty__dot_git_dot(void)
+ */
+ void test_checkout_nasty__git_tilde1(void)
+ {
+-#ifdef GIT_WIN32
+ test_checkout_fails("refs/heads/git_tilde1", ".git/foobar");
+-#endif
++ test_checkout_fails("refs/heads/git_tilde1", "git~1/foobar");
+ }
+ 
+ /* A tree that contains an entry "git~2", when we have forced the short
diff --git a/libgit2.spec b/libgit2.spec
index c088aec..19415f6 100644
--- a/libgit2.spec
+++ b/libgit2.spec
@@ -1,12 +1,14 @@
 Name: libgit2
 Version: 0.27.8
-Release: 3
+Release: 4
 Summary: portable, pure C implementation of the Git core methods
 License: GPLv2 with exceptions
 URL: https://libgit2.org
 Source0: https://github.com/libgit2/libgit2/archive/v%{version}.tar.gz
 Patch0001: 0001-tests-don-t-run-buf-oom-on-32-bit-systems.patch
+Patch0002: CVE-2020-12278.patch
+Patch0003: CVE-2020-12279.patch
 BuildRequires: gcc cmake >= 2.8.11 ninja-build http-parser-devel libcurl-devel
 BuildRequires: libssh2-devel openssl-devel python3 zlib-devel
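Review bot: The new `flags` line in `checkout_verify_paths` applies `GIT_PATH_REJECT_DOT_GIT_NTFS` unconditionally but carries no comment saying why a Windows-specific check is now enabled on every platform; suggest `/* NTFS 8.3 short names are reachable from WSL and CIFS mounts too, so reject them everywhere (CVE-2020-12279) */` above it so a later cleanup does not re-scope it to GIT_WIN32. The dropped `#ifdef GIT_WIN32` in tests/checkout/nasty.c and the new `git~1/foobar` assertion rely on the `refs/heads/git_tilde1` fixture and on the flag name being present in 0.27.8; both appear here only as upstream context lines, so verify they exist in the packaged tree before relying on the test as proof the fix is active. `checkout_verify_paths` continues past the inner hunk.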
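Review bot: `Patch0002` and `Patch0003` are declared, but the `%prep` section is outside this diff, so it is not visible that they are applied; if the spec uses `%setup` with an explicit `%patch0001 -p1` rather than `%autosetup`, add `%patch0002 -p1` and `%patch0003 -p1` or the package builds without the CVE fixes. Both patch files use `a/src/...` paths, so `-p1` is the right strip level.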
@@ -55,6 +57,9 @@ sed -i '/ADD_TEST(online/s/^/#/' tests/CMakeLists.txt
 %{_includedir}/git2*
 %changelog
+* Fri Jul 23 2021 guoxiaoqi - 0.27.8-4
+- fix CVE-2020-12278 and CVE-2020-12279
+
 * Thu Jan 16 2020 yangjian - 0.27.8-3
 - Change the Source to valid address