On 15.08.2017 at 03:23, Jonathan Nieder wrote:
[...]
> I'm happy to review patches for the git package.
>
> I generally feel that securing such old versions of packages is a bit
> of a fool's errand, so I don't expect to spend time proactively fixing
> security bugs there. That said, I am always happy reviewing debdiffs
> and other patches, and perhaps I can learn something or get a chance
> to share knowledge along the way.

Hi Jonathan,

I have prepared a patch to address CVE-2017-1000117 in Wheezy. I would be happy if you could take a look at it. The original upstream patch did not really apply and some of the test files were missing, but I believe the patch contains all necessary changes. I did run the test commands manually, and repo names with dashes are correctly detected and denied now.

P.S.: Is there a special reason why the Git team decided to split the patches between debian/diff and debian/patches? I found the repository layout quite confusing in the beginning.

Regards,

Markus
From: Markus Koschany <apo@debian.org>
Date: Fri, 11 Aug 2017 22:50:41 +0000
Subject: CVE-2017-1000117
Fix CVE-2017-1000117, arbitrary code execution issues via URLs
---
cache.h | 8 ++++++++
connect.c | 11 +++++++++++
path.c | 6 ++++++
4 files changed, 29 insertions(+)
diff --git a/cache.h b/cache.h
index 84b8229..eea30d0 100644
--- a/cache.h
+++ b/cache.h
@@ -766,6 +766,14 @@ int longest_ancestor_length(const char *path, const char *prefix_list);
char *strip_path_suffix(const char *path, const char *suffix);
int daemon_avoid_alias(const char *path);
int offset_1st_component(const char *path);
+/*
+ * Returns true iff "str" could be confused as a command-line option when
+ * passed to a sub-program like "ssh". Note that this has nothing to do with
+ * shell-quoting, which should be handled separately; we're assuming here that
+ * the string makes it verbatim to the sub-program.
+ */
+int looks_like_command_line_option(const char *str);
+
/* object replacement */
#define READ_SHA1_FILE_REPLACE 1
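Review bot: The doc comment on `looks_like_command_line_option()` promises a test for anything that "could be confused as a command-line option", but the function name and the path.c body in this same patch only check for a leading dash; state the leading-dash rule explicitly in the comment so callers do not assume broader coverage than the helper provides.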
diff --git a/connect.c b/connect.c
index 912cdde..9658932 100644
--- a/connect.c
+++ b/connect.c
@@ -405,6 +405,11 @@ static struct child_process *git_proxy_connect(int fd[2], char *host)
get_host_and_port(&host, &port);
+ if (looks_like_command_line_option(host))
+ die("strange hostname '%s' blocked", host);
+ if (looks_like_command_line_option(port))
+ die("strange port '%s' blocked", port);
+
argv = xmalloc(sizeof(*argv) * 4);
argv[0] = git_proxy_command;
argv[1] = host;
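Review bot: The check `+ if (looks_like_command_line_option(port))` runs even when the URL carries no port, so its safety depends on get_host_and_port() leaving `port` unset in that case and on the helper's `str &&` NULL guard in path.c; that combination holds in this patch, but a one-line comment here noting that a NULL port is expected would save the next reader a trip to path.c and would stop someone from "simplifying" the guard away later.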
@@ -567,6 +572,9 @@ struct child_process *git_connect(int fd[2], const char *url_orig,
conn = xcalloc(1, sizeof(*conn));
+ if (looks_like_command_line_option(path))
+ die("strange pathname '%s' blocked", path);
+
strbuf_init(&cmd, MAX_CMD_LEN);
strbuf_addstr(&cmd, prog);
strbuf_addch(&cmd, ' ');
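Review bot: The `path` check runs unconditionally before the command line is assembled, so it also rejects a local repository whose directory name begins with a dash; that is the intended trade-off of the fix, but the cover note only mentions verifying that dashed names are denied, so please also confirm that a normal clone of a path with a dash elsewhere in the name (e.g. `repo-name`) still succeeds and record both cases in the changelog entry.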
@@ -579,6 +587,9 @@ struct child_process *git_connect(int fd[2], const char *url_orig,
if (protocol == PROTO_SSH) {
const char *ssh = getenv("GIT_SSH");
int putty = ssh && strcasestr(ssh, "plink");
+
+ if (looks_like_command_line_option(host))
+ die("strange hostname '%s' blocked", host);
if (!ssh) ssh = "ssh";
*arg++ = ssh;
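Review bot: Only `host` is checked in the ssh branch, whereas the git_proxy_connect hunk above checks both `host` and `port`; if `port` is handed to the ssh command as its own argv entry further down in this function, a value beginning with a dash deserves the same `die("strange port '%s' blocked", port)` treatment here for consistency.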
diff --git a/path.c b/path.c
index 6f2aa69..7a58c78 100644
--- a/path.c
+++ b/path.c
@@ -667,3 +667,9 @@ int offset_1st_component(const char *path)
return 2 + is_dir_sep(path[2]);
return is_dir_sep(path[0]);
}
+
+int looks_like_command_line_option(const char *str)
+{
+ return str && str[0] == '-';
+}
+
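Review bot: The final `+` line adds an empty line at the end of path.c, which `git diff --check` and `git apply --whitespace=error` flag as "new blank line at EOF"; drop that trailing line so the file ends directly after the closing brace of `looks_like_command_line_option()`.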