
Bug#1053221: bookworm-pu: package python-git/3.1.30-1+deb12u1
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]

Fixes CVE-2023-40267 which can lead to RCE in specific configurations
when a malicious URL is fed to GitPython.  For example, this affects
the F-Droid buildserver, which accepts git URLs from users via merge
requests.

[ Impact ]

Everything should work as before, except that unsafe URLs and options
will now throw an exception.  That can be overridden using function arguments.
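As an added illustration of the behaviour described in this section (this is example code written for the report, not GitPython's own implementation): a stand-alone Python re-implementation of the two checks the patch wires into clone()/clone_from(). The denylists are taken from the option names exercised by the patch's tests (upload-pack/-u, config/-c) and the unsafe transports the URL check guards against; the helper names, the exception class names and the normalization rules are assumptions.

```python
# Added example for this report: a stand-alone re-implementation of the
# URL and option checks that the patch applies in clone()/clone_from().
# It is not GitPython's code. The denylists mirror the option names the
# patch's tests exercise (upload-pack/-u, config/-c) and the ext::/fd::
# transports; the helper and exception names are assumptions.
from typing import Iterable, List, Optional


class UnsafeProtocolError(ValueError):
    """URL uses a transport that makes git run a local program."""


class UnsafeOptionError(ValueError):
    """Option lets the caller run a program or re-enable such a transport."""


# Both spellings of each flag must be listed: git accepts either one.
UNSAFE_CLONE_OPTIONS = ["--upload-pack", "-u", "--config", "-c"]
UNSAFE_PROTOCOLS = ["ext::", "fd::"]


def check_unsafe_protocols(url: str) -> None:
    """Reject URLs whose scheme hands control to a local process."""
    for proto in UNSAFE_PROTOCOLS:
        if url.startswith(proto):
            raise UnsafeProtocolError(f"unsafe protocol in URL: {url!r}")


def normalize_option(option: str) -> str:
    """Reduce the ways a flag can be spelled to one canonical name.

    Handles kwargs-style keys ('upload-pack', 'upload_pack', 'u') as
    well as multi_options-style strings ('--config=a=b', '-c a=b',
    '-uPROG'), so a denylist lookup cannot be bypassed by spelling.
    """
    name = option.split("=", 1)[0].split(" ", 1)[0].replace("_", "-")
    if name.startswith("--"):
        return name
    if name.startswith("-"):
        return name[:2]          # '-uPROG' -> '-u'
    return ("--" if len(name) > 1 else "-") + name


def check_unsafe_options(options: Iterable[str],
                         unsafe_options: Iterable[str] = UNSAFE_CLONE_OPTIONS) -> None:
    """Raise if any option, however spelled, is on the denylist."""
    unsafe = set(unsafe_options)
    for opt in options:
        if normalize_option(opt) in unsafe:
            raise UnsafeOptionError(f"unsafe option: {opt!r}")


def validate_clone_request(url: str,
                           multi_options: Optional[List[str]] = None,
                           allow_unsafe_protocols: bool = False,
                           allow_unsafe_options: bool = False,
                           **kwargs: str) -> None:
    """Apply the checks in the same order as the patched Repo.clone:
    URL first, then keyword options, then multi_options."""
    if not allow_unsafe_protocols:
        check_unsafe_protocols(str(url))
    if not allow_unsafe_options:
        check_unsafe_options(list(kwargs.keys()))
        if multi_options:
            check_unsafe_options(multi_options)


def rejection_reason(url: str, **kwargs) -> Optional[str]:
    """Name of the exception a request would raise, or None if accepted.
    Convenient for logging rejected requests from untrusted sources."""
    try:
        validate_clone_request(url, **kwargs)
    except (UnsafeProtocolError, UnsafeOptionError) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    # Constructed sample requests, as a buildserver taking URLs and
    # options from a merge request might see them.
    samples = [
        ("https://example.invalid/app.git", {"depth": "1"}),
        ("ext::some-program", {}),
        ("https://example.invalid/app.git", {"upload_pack": "/opt/prog"}),
        ("https://example.invalid/app.git",
         {"multi_options": ["-c protocol.ext.allow=always"]}),
    ]
    for url, opts in samples:
        print(f"{url!r} {opts!r}: {rejection_reason(url, **opts) or 'accepted'}")
```

The point of `normalize_option` is that a denylist on option names only works if every spelling collapses to the same key; the patch's tests probe exactly this by passing both `upload-pack` and `u`, `config` and `c`. A service that accepts clone parameters from users can log `rejection_reason` for each refused request to see whether anyone is probing these options.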

[ Tests ]

Sylvain Beucler fixed this first in Debian LTS buster. Canonical then created and shipped a patch, which includes additions to the existing test suite to cover the issues in CVE-2023-40267. It is covered by the package's autopkgtest. I also ran the test suite locally on a bookworm machine.

[ Risks ]

Risks are minimal since this patch has been shipped by Debian LTS and Ubuntu, and the original code has been released by upstream for a while now. The patch touches most of the core functionality, so bugs could break things.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The patch is a refactoring of what upstream developed and shipped for CVE-2023-40267.

diff --git a/debian/changelog b/debian/changelog
index dfaadbc..9b9ce45 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+python-git (3.1.30-1+deb12u1) stable; urgency=medium
+
+  [ Hans-Christoph Steiner ]
+  * Team upload.
+  * CVE-2023-40267: Include patch from Ubuntu (Closes: #1043503)
+
+  [ Fabian Toepfer ]
+  * SECURITY UPDATE: RCE due to improper user input validation
+    - debian/patches/CVE-2023-40267.patch: Block insecure non-multi
+      options in clone/clone_from.
+    - CVE-2023-40267
+
+ -- Hans-Christoph Steiner <hans@eds.org>  Fri, 29 Sep 2023 16:18:03 +0200
+
 python-git (3.1.30-1) unstable; urgency=medium
 
   [ Debian Janitor ]
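Review bot: in the Fabian Toepfer stanza, the bare sub-item `- CVE-2023-40267` repeats the identifier already given in the bullet title and in the patch file name and can be dropped. The first stanza describes the change as "Include patch from Ubuntu", while the patch header in this debdiff credits Sylvain Beucler (the Debian LTS fix); stating both origins here, as the [ Tests ] section does, would make the provenance of the fix easier to audit from the changelog alone.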
diff --git a/debian/patches/CVE-2023-40267.patch b/debian/patches/CVE-2023-40267.patch
new file mode 100644
index 0000000..b733fb2
--- /dev/null
+++ b/debian/patches/CVE-2023-40267.patch
@@ -0,0 +1,60 @@
+From 5c59e0d63da6180db8a0b349f0ad36fef42aceed Mon Sep 17 00:00:00 2001
+From: Sylvain Beucler <beuc@beuc.net>
+Date: Mon, 10 Jul 2023 16:10:10 +0200
+Subject: [PATCH] Block insecure non-multi options in clone/clone_from
+ Follow-up to #1521
+
+---
+ git/repo/base.py  |  2 ++
+ test/test_repo.py | 24 +++++++++++++++++++++++-
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+--- python-git-3.1.30.orig/git/repo/base.py
++++ python-git-3.1.30/git/repo/base.py
+@@ -1188,6 +1188,8 @@ class Repo(object):
+ 
+         if not allow_unsafe_protocols:
+             Git.check_unsafe_protocols(str(url))
++        if not allow_unsafe_options:
++            Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=cls.unsafe_git_clone_options)
+         if not allow_unsafe_options and multi_options:
+             Git.check_unsafe_options(options=multi_options, unsafe_options=cls.unsafe_git_clone_options)
+ 
+--- python-git-3.1.30.orig/test/test_repo.py
++++ python-git-3.1.30/test/test_repo.py
+@@ -281,6 +281,17 @@ class TestRepo(TestBase):
+                 rw_repo.clone(tmp_dir, multi_options=[unsafe_option])
+             assert not tmp_file.exists()
+ 
++        unsafe_options = [
++            {"upload-pack": f"touch {tmp_file}"},
++            {"u": f"touch {tmp_file}"},
++            {"config": "protocol.ext.allow=always"},
++            {"c": "protocol.ext.allow=always"},
++        ]
++        for unsafe_option in unsafe_options:
++            with self.assertRaises(UnsafeOptionError):
++                rw_repo.clone(tmp_dir, **unsafe_option)
++            assert not tmp_file.exists()
++
+     @with_rw_repo("HEAD")
+     def test_clone_unsafe_options_allowed(self, rw_repo):
+         tmp_dir = pathlib.Path(tempfile.mkdtemp())
+@@ -337,6 +348,17 @@ class TestRepo(TestBase):
+                 Repo.clone_from(rw_repo.working_dir, tmp_dir, multi_options=[unsafe_option])
+             assert not tmp_file.exists()
+ 
++        unsafe_options = [
++            {"upload-pack": f"touch {tmp_file}"},
++            {"u": f"touch {tmp_file}"},
++            {"config": "protocol.ext.allow=always"},
++            {"c": "protocol.ext.allow=always"},
++        ]
++        for unsafe_option in unsafe_options:
++            with self.assertRaises(UnsafeOptionError):
++                Repo.clone_from(rw_repo.working_dir, tmp_dir, **unsafe_option)
++            assert not tmp_file.exists()
++
+     @with_rw_repo("HEAD")
+     def test_clone_from_unsafe_options_allowed(self, rw_repo):
+         tmp_dir = pathlib.Path(tempfile.mkdtemp())
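Review bot: the new call `Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=cls.unsafe_git_clone_options)` passes bare keyword names such as `upload-pack` or `u`, whereas the existing `multi_options` check a few lines below receives full `--flag=value` strings; the debdiff does not show `check_unsafe_options` itself, so the reviewer should confirm it normalizes both forms against `unsafe_git_clone_options`, and, if the library also accepts underscore-spelled keys like `upload_pack`, that those are covered too, since the added tests only exercise `upload-pack`, `u`, `config` and `c`. The patch header carries From/Subject lines but no DEP-3 `Origin:` or `Bug-Debian:` field; adding `Bug-Debian: https://bugs.debian.org/1043503` would tie the patch to the bug the changelog closes.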
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..325d25b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-40267.patch