Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi

Please unblock package git

The update fixes CVE-2017-8386, which does not have a bug in the BTS. The issue was covered with DSA-3848-1 in jessie, so please allow the fix to go to stretch to avoid a regression.

Details:

https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/
http://lkml.iu.edu/hypermail/linux/kernel/1705.1/01337.html
http://lkml.iu.edu/hypermail/linux/kernel/1705.1/01346.html

Changelog entry:

git (1:2.11.0-3) unstable; urgency=high

  * Do not allow git helpers run via git-shell to launch a pager
    (CVE-2017-8386).

 -- Jonathan Nieder <jrnie...@gmail.com>  Tue, 09 May 2017 16:23:17 -0700

unblock git/1:2.11.0-3

debdiff attached against the current version in stretch.

Regards,
Salvatore
diff -Nru git-2.11.0/debian/changelog git-2.11.0/debian/changelog --- git-2.11.0/debian/changelog 2016-12-28 00:17:12.000000000 +0100 +++ git-2.11.0/debian/changelog 2017-05-10 01:23:17.000000000 +0200 @@ -1,3 +1,10 @@ +git (1:2.11.0-3) unstable; urgency=high + + * Do not allow git helpers run via git-shell to launch a pager + (CVE-2017-8386). + + -- Jonathan Nieder <jrnie...@gmail.com> Tue, 09 May 2017 16:23:17 -0700 + git (1:2.11.0-2) unstable; urgency=medium * gitweb: Depends: libcgi-pm-perl; Build-Depends: libcgi-pm-perl diff -Nru git-2.11.0/debian/patches/series git-2.11.0/debian/patches/series --- git-2.11.0/debian/patches/series 2016-12-28 00:10:31.000000000 +0100 +++ git-2.11.0/debian/patches/series 2017-05-10 01:22:54.000000000 +0200 @@ -2,3 +2,4 @@ Normalize-generated-asciidoc-timestamps-with-SOURCE_D.diff git-gui-Sort-entries-in-optimized-tclIndex.diff xdiff-Do-not-enable-XDL_FAST_HASH-by-default.diff +shell-disallow-repo-names-beginning-with-dash.patch diff -Nru git-2.11.0/debian/patches/shell-disallow-repo-names-beginning-with-dash.patch git-2.11.0/debian/patches/shell-disallow-repo-names-beginning-with-dash.patch --- git-2.11.0/debian/patches/shell-disallow-repo-names-beginning-with-dash.patch 1970-01-01 01:00:00.000000000 +0100 +++ git-2.11.0/debian/patches/shell-disallow-repo-names-beginning-with-dash.patch 2017-05-10 01:20:52.000000000 +0200 
@@ -0,0 +1,74 @@ +From 3ec804490a265f4c418a321428c12f3f18b7eff5 Mon Sep 17 00:00:00 2001 +From: Jeff King <p...@peff.net> +Date: Sat, 29 Apr 2017 08:36:44 -0400 +Subject: [PATCH] shell: disallow repo names beginning with dash + +When a remote server uses git-shell, the client side will +connect to it like: + + ssh server "git-upload-pack 'foo.git'" + +and we literally exec ("git-upload-pack", "foo.git"). In +early versions of upload-pack and receive-pack, we took a +repository argument and nothing else. But over time they +learned to accept dashed options. If the user passes a +repository name that starts with a dash, the results are +confusing at best (we complain of a bogus option instead of +a non-existent repository) and malicious at worst (the user +can start an interactive pager via "--help"). + +We could pass "--" to the sub-process to make sure the +user's argument is interpreted as a branch name. I.e.: + + git-upload-pack -- -foo.git + +But adding "--" automatically would make us inconsistent +with a normal shell (i.e., when git-shell is not in use), +where "-foo.git" would still be an error. For that case, the +client would have to specify the "--", but they can't do so +reliably, as existing versions of git-shell do not allow +more than a single argument. + +The simplest thing is to simply disallow "-" at the start of +the repo name argument. This hasn't worked either with or +without git-shell since version 1.0.0, and nobody has +complained. + +Note that this patch just applies to do_generic_cmd(), which +runs upload-pack, receive-pack, and upload-archive. There +are two other types of commands that git-shell runs: + + - do_cvs_cmd(), but this already restricts the argument to + be the literal string "server" + + - admin-provided commands in the git-shell-commands + directory. We'll pass along arbitrary arguments there, + so these commands could have similar problems. 
But these + commands might actually understand dashed arguments, so + we cannot just block them here. It's up to the writer of + the commands to make sure they are safe. With great + power comes great responsibility. + +Reported-by: Timo Schmid <tsch...@ernw.de> +Signed-off-by: Jeff King <p...@peff.net> +Signed-off-by: Junio C Hamano <gits...@pobox.com> +--- + shell.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shell.c b/shell.c +index ace62e4b65..c3bf8ec38a 100644 +--- a/shell.c ++++ b/shell.c +@@ -13,7 +13,7 @@ static int do_generic_cmd(const char *me, char *arg) + const char *my_argv[4]; + + setup_path(); +- if (!arg || !(arg = sq_dequote(arg))) ++ if (!arg || !(arg = sq_dequote(arg)) || *arg == '-') + die("bad argument"); + if (!starts_with(me, "git-")) + die("bad command"); +-- +2.13.0.rc2.291.g57267f2277 +
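Review bot: the changelog hunk describes the fix as "do not allow git helpers run via git-shell to launch a pager", but the upstream commit message in the same debdiff is explicit that the new check only covers do_generic_cmd() (upload-pack, receive-pack, upload-archive) and not admin-provided commands in the git-shell-commands directory, which still receive arbitrary arguments; a half-line stating that scope in the entry would keep administrators from assuming their custom git-shell-commands scripts are covered by this update.

Review bot: the new debian/patches/shell-disallow-repo-names-beginning-with-dash.patch carries only the git-format-patch header (From/Date/Subject) and no DEP-3 fields, so `Origin:` and a CVE or bug reference are missing from the patch itself; since the unblock text notes there is no BTS bug to point at, at least an `Origin: upstream` line naming commit 3ec804490a265f4c418a321428c12f3f18b7eff5 (and the CVE-2017-8386 id) would let the security tracker and future maintainers match the patch to the upstream fix without reading its body.

Review bot: in the shell.c hunk the added `|| *arg == '-'` condition reuses die("bad argument") for both a failed sq_dequote() and a rejected leading dash, so a client that legitimately mistypes a repository name as -foo.git gets the same opaque message as a quoting error; a distinct message (for example die("repository name may not begin with '-'")) would make the refusal self-explanatory in the ssh session and in server logs at the cost of one extra line. The placement after sq_dequote() is right, since the test runs on the unquoted value and single-quoting cannot hide the dash, and because this function only ever passes that one argument on to the helper the check covers every path through do_generic_cmd().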