On 15.08.2017 at 03:23, Jonathan Nieder wrote:
[...]
> I'm happy to review patches for the git package.
>
> I generally feel that securing such old versions of packages is a bit
> of a fool's errand, so I don't expect to spend time proactively fixing
> security bugs there. That said, I am always happy reviewing debdiffs
> and other patches, and perhaps I can learn something or get a chance
> to share knowledge along the way.
Hi Jonathan,

I have prepared a patch to address CVE-2017-1000117 in Wheezy. I would be happy if you could take a look at it. The original upstream patch did not really apply and some of the test files were missing, but I believe the patch contains all necessary changes. I did run the test commands manually, and repo names with dashes are correctly detected and denied now.

P.S.: Is there a special reason why the Git team decided to split the patches between debian/diff and debian/patches? I found the repository layout quite confusing in the beginning.

Regards,

Markus
From: Markus Koschany <a...@debian.org> Date: Fri, 11 Aug 2017 22:50:41 +0000 Subject: CVE-2017-1000117 Fix CVE-2017-1000117, arbitrary code execution issues via URLs --- cache.h | 8 ++++++++ connect.c | 11 +++++++++++ path.c | 6 ++++++ 4 files changed, 29 insertions(+) diff --git a/cache.h b/cache.h index 84b8229..eea30d0 100644 --- a/cache.h +++ b/cache.h @@ -766,6 +766,14 @@ int longest_ancestor_length(const char *path, const char *prefix_list); char *strip_path_suffix(const char *path, const char *suffix); int daemon_avoid_alias(const char *path); int offset_1st_component(const char *path); +/* + * Returns true iff "str" could be confused as a command-line option when + * passed to a sub-program like "ssh". Note that this has nothing to do with + * shell-quoting, which should be handled separately; we're assuming here that + * the string makes it verbatim to the sub-program. + */ +int looks_like_command_line_option(const char *str); + /* object replacement */ #define READ_SHA1_FILE_REPLACE 1 diff --git a/connect.c b/connect.c index 912cdde..9658932 100644 --- a/connect.c +++ b/connect.c @@ -405,6 +405,11 @@ static struct child_process *git_proxy_connect(int fd[2], char *host) get_host_and_port(&host, &port); + if (looks_like_command_line_option(host)) + die("strange hostname '%s' blocked", host); + if (looks_like_command_line_option(port)) + die("strange port '%s' blocked", port); + argv = xmalloc(sizeof(*argv) * 4); argv[0] = git_proxy_command; argv[1] = host; @@ -567,6 +572,9 @@ struct child_process *git_connect(int fd[2], const char *url_orig, conn = xcalloc(1, sizeof(*conn)); + if (looks_like_command_line_option(path)) + die("strange pathname '%s' blocked", path); + strbuf_init(&cmd, MAX_CMD_LEN); strbuf_addstr(&cmd, prog); strbuf_addch(&cmd, ' '); 
@@ -579,6 +587,9 @@ struct child_process *git_connect(int fd[2], const char *url_orig, if (protocol == PROTO_SSH) { const char *ssh = getenv("GIT_SSH"); int putty = ssh && strcasestr(ssh, "plink"); + + if (looks_like_command_line_option(host)) + die("strange hostname '%s' blocked", host); if (!ssh) ssh = "ssh"; *arg++ = ssh; diff --git a/path.c b/path.c index 6f2aa69..7a58c78 100644 --- a/path.c +++ b/path.c @@ -667,3 +667,9 @@ int offset_1st_component(const char *path) return 2 + is_dir_sep(path[2]); return is_dir_sep(path[0]); } + +int looks_like_command_line_option(const char *str) +{ + return str && str[0] == '-'; +} +
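Review bot: the diffstat in the patch header says "4 files changed, 29 insertions(+)", but only cache.h (8), connect.c (11) and path.c (6) follow, which is three files and 25 lines; the fourth file, presumably the test you adapted by hand, is missing from the quoted patch, so please check that the debdiff really carries it (or correct the diffstat if the test was left out on purpose).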
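Review bot: in the git_proxy_connect hunk the host and port checks sit after get_host_and_port() and before host is stored in argv[1], so the proxy command only ever sees values that have already been screened; because the proxy is started from an argv rather than through a shell, a leading '-' is the only way these strings could be taken as options, which is exactly what looks_like_command_line_option() tests. One thing to double-check for the bracketed IPv6 form: that get_host_and_port() has already stripped the brackets here, otherwise a host of the form "[-x]" would pass the check while still reaching the proxy as written.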
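Review bot: the path check in git_connect is placed right after conn is allocated and before cmd is assembled from prog, so it applies to every protocol that appends path to the remote command line, not only ssh, which is the right spot. Please verify for this old code base that path at this point is the string that actually ends up after prog in cmd (i.e. that nothing later in the function rewrites it), otherwise the check tests a different value from the one handed to the remote program.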
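Review bot: the PROTO_SSH hunk checks host only, whereas the proxy hunk checks both host and port; please confirm how this version appends the port to the ssh argv. If it goes as its own argument after "-p" (or "-P" for plink), a port starting with '-' is at worst a parse error for ssh, but if it is concatenated into the same argument as host or passed in any other form, it needs the same looks_like_command_line_option() rejection. Placing the check before `if (!ssh) ssh = "ssh";` is good, since it covers both OpenSSH and the plink branch.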
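Review bot: the last `+` line of the path.c hunk adds an empty line after the closing brace, leaving path.c with a trailing blank line at end of file; `git diff --check` reports that as "new blank line at EOF", so drop it. The body itself matches the cache.h comment: only a leading '-' is treated as option-like, and a NULL string is not.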
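As an added illustration (not part of Markus's patch or of git's own code), here is a small stand-alone C program that mimics how an ssh:// URL becomes the ssh command line and where the checks from the patch sit. The URL parser, the helper names and the sample URLs are constructed for this example; it also rejects an ssh port beginning with '-', which the patch only does on the git-proxy path:

```c
#include <stdio.h>
#include <string.h>

/* Same heuristic as the patch: a leading '-' is what ssh, plink or a proxy
 * command would parse as an option instead of a host, port or path. */
static int looks_like_command_line_option(const char *str)
{
	return str && str[0] == '-';
}

/* Constructed for this example: split "ssh://[user@]host[:port]/path" into
 * host (user@ kept, as ssh wants it), port ("" if absent) and path.
 * Returns 0 on success, -1 if the URL does not have that shape. IPv6
 * brackets and scp-style "host:path" are deliberately not handled. */
static int parse_ssh_url(const char *url, char *host, char *port, char *path, size_t cap)
{
	const char *auth, *slash;
	char *colon;
	size_t n;

	if (strncmp(url, "ssh://", 6) != 0)
		return -1;
	auth = url + 6;
	slash = strchr(auth, '/');
	if (!slash)
		return -1;
	n = (size_t)(slash - auth);
	if (n == 0 || n >= cap || strlen(slash) >= cap)
		return -1;
	memcpy(host, auth, n);
	host[n] = '\0';
	port[0] = '\0';
	colon = strrchr(host, ':');
	if (colon) {
		strcpy(port, colon + 1);   /* shorter than host, so it fits */
		*colon = '\0';
	}
	strcpy(path, slash);
	return 0;
}

/* Apply the checks, then render the command git would run as one string.
 * Returns 1 with the command in out, or 0 with the rejection reason in out.
 * Note that for ssh:// URLs path always starts with '/', so the path
 * check only matters for the other URL forms git accepts. */
static int ssh_command_for(const char *url, char *out, size_t cap)
{
	char host[256], port[256], path[256];

	if (parse_ssh_url(url, host, port, path, sizeof(host)) < 0) {
		snprintf(out, cap, "not an ssh://host/path URL");
		return 0;
	}
	if (looks_like_command_line_option(host)) {
		snprintf(out, cap, "strange hostname '%s' blocked", host);
		return 0;
	}
	if (looks_like_command_line_option(port)) {
		snprintf(out, cap, "strange port '%s' blocked", port);
		return 0;
	}
	if (looks_like_command_line_option(path)) {
		snprintf(out, cap, "strange pathname '%s' blocked", path);
		return 0;
	}
	if (port[0])
		snprintf(out, cap, "ssh -p %s %s \"git-upload-pack '%s'\"", port, host, path);
	else
		snprintf(out, cap, "ssh %s \"git-upload-pack '%s'\"", host, path);
	return 1;
}

/* Helpers for checking outcomes: exact command, or rejection by prefix. */
static int allowed_as(const char *url, const char *expected)
{
	char out[1024];
	return ssh_command_for(url, out, sizeof(out)) == 1 && strcmp(out, expected) == 0;
}

static int rejected_with(const char *url, const char *prefix)
{
	char out[1024];
	return ssh_command_for(url, out, sizeof(out)) == 0 &&
	       strncmp(out, prefix, strlen(prefix)) == 0;
}

int main(void)
{
	/* Constructed sample URLs: two benign ones, the CVE-2017-1000117
	 * shape, and the port variant the ssh hunk does not cover. */
	const char *urls[] = {
		"ssh://git.example.org/repo.git",
		"ssh://git@git.example.org:2222/repo.git",
		"ssh://-oProxyCommand=touch%20pwned/x",
		"ssh://git.example.org:-oProxyCommand=x/repo.git",
	};
	char out[1024];
	size_t i;

	for (i = 0; i < sizeof(urls) / sizeof(urls[0]); i++) {
		int ok = ssh_command_for(urls[i], out, sizeof(out));
		printf("%-50s %s: %s\n", urls[i], ok ? "run" : "die", out);
	}
	return 0;
}
```

The point of the layout is that the malicious hostname lands in the argv slot right before the remote command, where ssh still parses options; the only defence at that layer is to refuse any value that starts with '-', which is what the three checks in the patch do.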