gnu: myrepos: Fix CVE-2018-7032.
* gnu/packages/version-control.scm (myrepos)[source]: Add patch. * gnu/packages/patches/myrepos-CVE-2018-7032.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it.
This commit is contained in:
parent
307cdd665e
commit
aa8ac02944
|
@ -939,6 +939,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/mupen64plus-ui-console-notice.patch \
|
||||
%D%/packages/patches/mupen64plus-video-z64-glew-correct-path.patch \
|
||||
%D%/packages/patches/mutt-store-references.patch \
|
||||
%D%/packages/patches/myrepos-CVE-2018-7032.patch \
|
||||
%D%/packages/patches/net-tools-bitrot.patch \
|
||||
%D%/packages/patches/netcdf-date-time.patch \
|
||||
%D%/packages/patches/netcdf-tst_h_par.patch \
|
||||
|
|
|
@ -0,0 +1,69 @@
|
|||
http://source.myrepos.branchable.com/?p=source.git;a=patch;h=40a3df21c73f1bb1b6915cc6fa503f50814664c8
|
||||
This can be removed with the next release. It was modified slightly to apply
|
||||
|
||||
From 40a3df21c73f1bb1b6915cc6fa503f50814664c8 Mon Sep 17 00:00:00 2001
|
||||
From: Paul Wise <pabs3@bonedaddy.net>
|
||||
Date: Sun, 11 Feb 2018 21:57:49 +0800
|
||||
Subject: [PATCH] Mitigate vulnerabilities caused by some git remotes being
|
||||
able to execute code
|
||||
|
||||
Set GIT_PROTOCOL_FROM_USER=0 with git versions newer than 2.12.
|
||||
|
||||
Prevent remote websites from causing cloning of local repositories.
|
||||
|
||||
Manually whitelist known-safe protocols (http, https, git, ssh)
|
||||
when using git versions older than 2.12.
|
||||
|
||||
Fixes: CVE-2018-7032
|
||||
Fixes: https://bugs.debian.org/840014
|
||||
Suggestions-by: Jakub Wilk <jwilk@jwilk.net>
|
||||
Reported-by: Jakub Wilk <jwilk@jwilk.net>
|
||||
---
|
||||
webcheckout | 22 +++++++++++++++++++++-
|
||||
1 file changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/webcheckout b/webcheckout
|
||||
index e98da5c..de497ba 100755
|
||||
--- a/webcheckout
|
||||
+++ b/webcheckout
|
||||
@@ -71,6 +71,16 @@ use Getopt::Long;
|
||||
use warnings;
|
||||
use strict;
|
||||
|
||||
+# Mitigate some git remote types being dangerous
|
||||
+my $git_unsafe = 1;
|
||||
+my $git_version = `git --version`;
|
||||
+$git_version =~ s{^git version }{};
|
||||
+my ($major, $minor) = split(/\./, $git_version);
|
||||
+if (int($major) >= 2 && int($minor) >= 12) {
|
||||
+ $ENV{GIT_PROTOCOL_FROM_USER} = 0;
|
||||
+ $git_unsafe = 0;
|
||||
+}
|
||||
+
|
||||
# What to download.
|
||||
my $url;
|
||||
|
||||
@@ -89,7 +99,17 @@ my $destdir;
|
||||
|
||||
# how to perform checkouts
|
||||
my %handlers=(
|
||||
- git => sub { doit("git", "clone", shift, $destdir) },
|
||||
- svn => sub { doit("svn", "checkout", shift, $destdir) },
|
||||
- bzr => sub { doit("bzr", "branch", shift, $destdir) },
|
||||
+ git => sub {
|
||||
+ my $git_url = shift;
|
||||
+ # Reject unsafe URLs with older versions of git
|
||||
+ # that do not already check the URL safety.
|
||||
+ if ($git_unsafe && $git_url !~ m{^(?:(?:https?|git|ssh):[^:]|(?:[-_.A-Za-z0-9]+@)?[-_.A-Za-z0-9]+:(?!:|//))}) {
|
||||
+ print STDERR "potentially unsafe git URL, may fail, touch local files or execute arbitrary code\n";
|
||||
+ return 1;
|
||||
+ }
|
||||
+ # Reject cloning local directories too, webcheckout is for remote repos
|
||||
+ doit(qw(git -c protocol.file.allow=user clone --), $git_url, $destdir)
|
||||
+ },
|
||||
+ svn => sub { doit(qw(svn checkout --), shift, $destdir) },
|
||||
+ bzr => sub { doit(qw(bzr branch --), shift, $destdir) },
|
||||
);
|
||||
--
|
||||
2.11.0
|
||||
|
|
@ -1573,7 +1573,8 @@ modification time.")
|
|||
(commit version)))
|
||||
(file-name (string-append name "-" version "-checkout"))
|
||||
(sha256
|
||||
(base32 "10q7lpx152xnkk701fscn4dq99q9znnmv3bc2482khhjg7z8rps0"))))
|
||||
(base32 "10q7lpx152xnkk701fscn4dq99q9znnmv3bc2482khhjg7z8rps0"))
|
||||
(patches (search-patches "myrepos-CVE-2018-7032.patch"))))
|
||||
(build-system gnu-build-system)
|
||||
(inputs
|
||||
`(("perl" ,perl)))
|
||||
|
|
Loading…
Reference in New Issue