<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git, branch v2.32.6</title>
<subtitle>Fork of git SCM with my patches.</subtitle>
<id>http://git.kilabit.info/git/atom?h=v2.32.6</id>
<link rel='self' href='http://git.kilabit.info/git/atom?h=v2.32.6'/>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/'/>
<updated>2023-02-06T08:25:09Z</updated>
<entry>
<title>Git 2.32.6</title>
<updated>2023-02-06T08:25:09Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-02-06T08:25:09Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=2aedeff35fde779b03b57125b1f50f6c528bfbea'/>
<id>urn:sha1:2aedeff35fde779b03b57125b1f50f6c528bfbea</id>
<content type='text'>
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>Sync with 2.31.7</title>
<updated>2023-02-06T08:25:08Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-02-06T08:25:08Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=aeb93d7da2bee3fac5e858b8eb89fa480d8b692e'/>
<id>urn:sha1:aeb93d7da2bee3fac5e858b8eb89fa480d8b692e</id>
<content type='text'>
* maint-2.31:
  Git 2.31.7
  Git 2.30.8
  apply: fix writing behind newly created symbolic links
  dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS
  clone: delay picking a transport until after get_repo_path()
  t5619: demonstrate clone_local() with ambiguous transport
</content>
</entry>
<entry>
<title>Git 2.31.7</title>
<updated>2023-02-06T08:24:07Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-02-06T08:24:07Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=0bbcf951943eefbbfee2a7e08b7150bef5b60562'/>
<id>urn:sha1:0bbcf951943eefbbfee2a7e08b7150bef5b60562</id>
<content type='text'>
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>Sync with 2.30.8</title>
<updated>2023-02-06T08:24:06Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-02-06T08:24:06Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=e14d6b8408a2a283e55ca64d2c77ac929ec77204'/>
<id>urn:sha1:e14d6b8408a2a283e55ca64d2c77ac929ec77204</id>
<content type='text'>
* maint-2.30:
  Git 2.30.8
  apply: fix writing behind newly created symbolic links
  dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS
  clone: delay picking a transport until after get_repo_path()
  t5619: demonstrate clone_local() with ambiguous transport
</content>
</entry>
<entry>
<title>Git 2.30.8</title>
<updated>2023-02-06T08:14:45Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2023-02-03T22:58:10Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=394a759d2b5f0a1a1908c820cf142f45cb78718c'/>
<id>urn:sha1:394a759d2b5f0a1a1908c820cf142f45cb78718c</id>
<content type='text'>
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'ps/apply-beyond-symlink' into maint-2.30</title>
<updated>2023-02-06T08:12:16Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2023-02-03T22:57:27Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=a3033a68ac3886d44ee378784ae242f25afc9970'/>
<id>urn:sha1:a3033a68ac3886d44ee378784ae242f25afc9970</id>
<content type='text'>
Fix a vulnerability (CVE-2023-23946) that allows crafted input to trick
`git apply` into writing files outside of the working tree.

* ps/apply-beyond-symlink:
  dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>Merge branch 'tb/clone-local-symlinks' into maint-2.30</title>
<updated>2023-02-06T08:09:14Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-01-25T19:58:38Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=2c9a4c731010685b86559c06637aeef2ac5ea06e'/>
<id>urn:sha1:2c9a4c731010685b86559c06637aeef2ac5ea06e</id>
<content type='text'>
Resolve a security vulnerability (CVE-2023-22490) where `clone_local()`
is used in conjunction with non-local transports, leading to arbitrary
path exfiltration.

* tb/clone-local-symlinks:
  dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS
  clone: delay picking a transport until after get_repo_path()
  t5619: demonstrate clone_local() with ambiguous transport
</content>
</entry>
<entry>
<title>apply: fix writing behind newly created symbolic links</title>
<updated>2023-02-03T22:41:31Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2023-02-02T10:54:34Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=fade728df1221598f42d391cf377e9e84a32053f'/>
<id>urn:sha1:fade728df1221598f42d391cf377e9e84a32053f</id>
<content type='text'>
When writing files, git-apply(1) initially makes sure that none of the
files it is about to create are behind a symlink:

```
 $ git init repo
 Initialized empty Git repository in /tmp/repo/.git/
 $ cd repo/
 $ ln -s dir symlink
 $ git apply - &lt;&lt;EOF
 diff --git a/symlink/file b/symlink/file
 new file mode 100644
 index 0000000..e69de29
 EOF
 error: affected file 'symlink/file' is beyond a symbolic link
```

This safety mechanism is crucial to ensure that we don't write outside
of the repository's working directory. It can be fooled though when the
patch that is being applied creates the symbolic link in the first
place, which can lead to writing files in arbitrary locations.

Fix this by checking whether the path we're about to create is
beyond a symlink or not. Tightening these checks like this should be
fine as we already have these precautions in Git as explained
above. Ideally, we should update the check we do up-front before
starting to reflect the computed changes to the working tree so that
we catch this case as well, but as part of embargoed security work,
adding an equivalent check just before we try to write out a file
should serve us well as a reasonable first step.

Digging back into history shows that this vulnerability has existed
since at least Git v2.9.0. As Git v2.8.0 and older don't build on my
system anymore, I cannot tell whether older versions are affected as
well.

Reported-by: Joern Schneeweisz &lt;jschneeweisz@gitlab.com&gt;
Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS</title>
<updated>2023-01-25T00:52:16Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-01-25T00:43:51Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=bffc762f87ae8d18c6001bf0044a76004245754c'/>
<id>urn:sha1:bffc762f87ae8d18c6001bf0044a76004245754c</id>
<content type='text'>
When using the dir_iterator API, we first stat(2) the base path, and
then use that as a starting point to enumerate the directory's contents.

If the directory contains symbolic links, we will immediately die() upon
encountering them without the `FOLLOW_SYMLINKS` flag. The same is not
true when resolving the top-level directory, though.

As explained in a previous commit, this oversight in 6f054f9fb3
(builtin/clone.c: disallow `--local` clones with symlinks, 2022-07-28)
can be used as an attack vector to include arbitrary files on a victim's
filesystem from outside of the repository.

Prevent resolving top-level symlinks unless the FOLLOW_SYMLINKS flag is
given, which will cause clones of a repository with a symlink'd
"$GIT_DIR/objects" directory to fail.

Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>clone: delay picking a transport until after get_repo_path()</title>
<updated>2023-01-25T00:52:16Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-01-25T00:43:48Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=cf8f6ce02a13f4d1979a53241afbee15a293fce9'/>
<id>urn:sha1:cf8f6ce02a13f4d1979a53241afbee15a293fce9</id>
<content type='text'>
In the previous commit, t5619 demonstrates an issue where two calls to
`get_repo_path()` could trick Git into using its local clone mechanism
in conjunction with a non-local transport.

That sequence is:

 - the starting state is that the local path https:/example.com/foo is a
   symlink that points to ../../../.git/modules/foo. So it's dangling.

 - get_repo_path() sees that no such path exists (because it's
   dangling), and thus we do not canonicalize it into an absolute path

 - because we're using --separate-git-dir, we create .git/modules/foo.
   Now our symlink is no longer dangling!

 - we pass the url to transport_get(), which sees it as an https URL.

 - we call get_repo_path() again, on the url. This second call was
   introduced by f38aa83f9a (use local cloning if insteadOf makes a
   local URL, 2014-07-17). The idea is that we want to pull the url
   fresh from the remote.c API, because it will apply any aliases.

And of course now it sees that there is a local file, which is a
mismatch with the transport we already selected.

The issue in the above sequence is calling `transport_get()` before
deciding whether or not the repository is indeed local, and not passing
in an absolute path if it is local.

This is reminiscent of a similar bug report in [1], where it was
suggested to perform the `insteadOf` lookup earlier. Taking that
approach may not be as straightforward, since the intent is to store the
original URL in the config, but to actually fetch from the insteadOf
one, so conflating the two early on is a non-starter.

Note: we pass the path returned by `get_repo_path(remote-&gt;url[0])`,
which should be the same as `repo_name` (aside from any `insteadOf`
rewrites).

We *could* pass `absolute_pathdup()` of the same argument, which
86521acaca (Bring local clone's origin URL in line with that of a remote
clone, 2008-09-01) indicates may differ depending on the presence of
".git/" for a non-bare repo. That matters for forming relative submodule
paths, but doesn't matter for the second call, since we're just feeding
it to the transport code, which is fine either way.

[1]: https://lore.kernel.org/git/CAMoD=Bi41mB3QRn3JdZL-FGHs4w3C2jGpnJB-CqSndO7FMtfzA@mail.gmail.com/

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
