Bug#1053221: bookworm-pu: package python-git/3.1.30-1+deb12u1
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal
[ Reason ]
Fixes CVE-2023-40267 which can lead to RCE in specific configurations
when a malicious URL is fed to GitPython. For example, this affects
the F-Droid buildserver, which accepts git URLs from users via merge
requests.
[ Impact ]
Everything should work as before, except that unsafe URLs will now
throw an exception. That can be overridden using function arguments.
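An added illustration of the behaviour described under [ Reason ] and [ Impact ]; it is not part of this bug report and not GitPython's code. It shows how a clone() keyword argument such as upload-pack=... reaches the git command line unless keyword names are screened the same way multi_options are, and how the allow_unsafe_options=True opt-in switches the screening off. The option list mirrors the four cases in the attached test hunk; the kwargs-to-flag conversion in kwargs_to_flags(), the names build_clone_argv/is_blocked and the example URL are assumptions made for this illustration.

```python
# Added illustration, not GitPython's own code: why clone() keyword arguments
# must be screened like multi_options, and how the opt-in override behaves.
# UNSAFE_GIT_CLONE_OPTIONS mirrors the four options exercised in the attached
# test hunk; kwargs_to_flags() is an assumption modelled on GitPython's
# convention (one-letter names become "-x value", longer names "--name=value").
from typing import Dict, List, Optional


class UnsafeOptionError(ValueError):
    """Raised for an option that can make git execute a command, unless the
    caller explicitly opts in with allow_unsafe_options=True."""


# --upload-pack/-u name a program git runs on the local side; --config/-c can
# set protocol.ext.allow=always, enabling the command-executing ext:: transport.
UNSAFE_GIT_CLONE_OPTIONS = ["--upload-pack", "-u", "--config", "-c"]


def _normalize(name: str) -> str:
    # Strip leading dashes and treat upload_pack like upload-pack, because the
    # flag builder below maps underscores to dashes before git ever sees them.
    return name.lstrip("-").replace("_", "-")


def check_unsafe_options(options: List[str], unsafe_options: List[str]) -> None:
    """Reject an option given as a full flag ("--upload-pack=x", "-c k=v") or
    as a bare keyword name ("upload-pack", "u")."""
    for option in options:
        for unsafe in unsafe_options:
            if option.startswith(unsafe) or _normalize(option) == _normalize(unsafe):
                raise UnsafeOptionError(
                    f"{unsafe} is not allowed; pass allow_unsafe_options=True to permit it"
                )


def kwargs_to_flags(kwargs: Dict[str, str]) -> List[str]:
    """Assumed conversion of clone(**kwargs) into argv entries."""
    flags: List[str] = []
    for name, value in kwargs.items():
        if len(name) == 1:
            flags += [f"-{name}", value]
        else:
            flags.append(f"--{name.replace('_', '-')}={value}")
    return flags


def build_clone_argv(
    url: str,
    path: str,
    multi_options: Optional[List[str]] = None,
    allow_unsafe_options: bool = False,
    screen_kwargs: bool = True,
    **kwargs: str,
) -> List[str]:
    """Return the argv a clone would execute, after the safety checks.

    screen_kwargs=False reproduces the pre-fix behaviour, where only
    multi_options were screened; the default is the post-fix behaviour.
    """
    multi_options = list(multi_options or [])
    if not allow_unsafe_options and screen_kwargs:
        check_unsafe_options(list(kwargs.keys()), UNSAFE_GIT_CLONE_OPTIONS)
    if not allow_unsafe_options and multi_options:
        check_unsafe_options(multi_options, UNSAFE_GIT_CLONE_OPTIONS)
    return ["git", "clone", *multi_options, *kwargs_to_flags(kwargs), url, path]


def is_blocked(multi_options: Optional[List[str]] = None, **kwargs: str) -> bool:
    """True if the post-fix checks refuse this combination of options."""
    try:
        build_clone_argv("https://example.invalid/repo.git", "dest",
                         multi_options=multi_options, **kwargs)
    except UnsafeOptionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed malicious input: the kind of option a merge request could
    # smuggle into a build server that forwards user-controlled clone settings.
    url = "https://example.invalid/repo.git"
    evil = {"upload-pack": "touch /tmp/pwned"}
    print("pre-fix argv:", build_clone_argv(url, "dest", screen_kwargs=False, **evil))
    print("post-fix blocked:", is_blocked(**evil))  # True
    print("also blocked:", is_blocked(u="touch /tmp/pwned"),
          is_blocked(c="protocol.ext.allow=always"),
          is_blocked(multi_options=["-c protocol.ext.allow=always"]))  # True True True
    print("harmless options still work:", build_clone_argv(url, "dest", depth="1", b="main"))
    print("explicit opt-in:", build_clone_argv(url, "dest", allow_unsafe_options=True, **evil))
```

It runs stand-alone without git or GitPython installed. Normalising the underscore spelling (upload_pack) to the dashed one before the comparison goes slightly beyond the attached patch, whose tests only exercise the dashed keyword names.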
[ Tests ]
Sylvain Beucler fixed this first in Debian LTS buster. Canonical then created
and shipped a patch, which includes additions to the existing test suite to cover
the issues in CVE-2023-40267. It is covered by the package's autopkgtest. I
also ran the test suite locally on a bookworm machine.
[ Risks ]
Risks are minimal since this patch has been shipped by Debian LTS and Ubuntu,
and the original code has been released by upstream for a while now. The
patch touches most of the core functionality, so bugs could break things.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The patch is a refactoring of what upstream developed and shipped for
CVE-2023-40267.

diff --git a/debian/changelog b/debian/changelog
index dfaadbc..9b9ce45 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+python-git (3.1.30-1+deb12u1) stable; urgency=medium
+
+ [ Hans-Christoph Steiner ]
+ * Team upload.
+ * CVE-2023-40267: Include patch from Ubuntu (Closes: #1043503)
+
+ [ Fabian Toepfer ]
+ * SECURITY UPDATE: RCE due to improper user input validation
+ - debian/patches/CVE-2023-40267.patch: Block insecure non-multi
+ options in clone/clone_from.
+ - CVE-2023-40267
+
+ -- Hans-Christoph Steiner <hans@eds.org> Fri, 29 Sep 2023 16:18:03 +0200
+
python-git (3.1.30-1) unstable; urgency=medium
[ Debian Janitor ]
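Review bot: the two stanzas record the same single change twice: "CVE-2023-40267: Include patch from Ubuntu" under Hans-Christoph Steiner, and the Ubuntu-style "SECURITY UPDATE" block under Fabian Toepfer, while the patch file itself carries a From: line crediting Sylvain Beucler. One stanza naming the patch file, the CVE and "Closes: #1043503" is enough for the Debian changelog; the origin of the patch (LTS, then Ubuntu) belongs in the patch's DEP-3 headers, and the bare "- CVE-2023-40267" sub-item repeats what the line above it already says.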
diff --git a/debian/patches/CVE-2023-40267.patch b/debian/patches/CVE-2023-40267.patch
new file mode 100644
index 0000000..b733fb2
--- /dev/null
+++ b/debian/patches/CVE-2023-40267.patch
@@ -0,0 +1,60 @@
+From 5c59e0d63da6180db8a0b349f0ad36fef42aceed Mon Sep 17 00:00:00 2001
+From: Sylvain Beucler <beuc@beuc.net>
+Date: Mon, 10 Jul 2023 16:10:10 +0200
+Subject: [PATCH] Block insecure non-multi options in clone/clone_from
+ Follow-up to #1521
+
+---
+ git/repo/base.py | 2 ++
+ test/test_repo.py | 24 +++++++++++++++++++++++-
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+--- python-git-3.1.30.orig/git/repo/base.py
++++ python-git-3.1.30/git/repo/base.py
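Review bot: the diffstat in the header ("test/test_repo.py | 24 +++++++++++++++++++++++-", "25 insertions(+), 1 deletion(-)") is left over from the original commit and does not describe the rebased hunks below, which add 2 + 11 + 11 = 24 lines and delete none; regenerate it or drop the stat block. The header also lacks DEP-3 fields: add "Bug-Debian: https://bugs.debian.org/1043503" plus Origin:/Applied-Upstream: pointing at the upstream change, since "Follow-up to #1521" on its own does not identify which upstream fix this is.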
+@@ -1188,6 +1188,8 @@ class Repo(object):
+
+ if not allow_unsafe_protocols:
+ Git.check_unsafe_protocols(str(url))
++ if not allow_unsafe_options:
++ Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=cls.unsafe_git_clone_options)
+ if not allow_unsafe_options and multi_options:
+ Git.check_unsafe_options(options=multi_options, unsafe_options=cls.unsafe_git_clone_options)
+
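Review bot: the new check at +1190 hands the raw keyword names (e.g. "upload-pack", "u") to Git.check_unsafe_options, which is not part of this patch, so correctness depends on that helper matching bare names without dashes as well as full flags; the tests below use only the dashed spelling. If the kwargs-to-flag conversion maps underscores to dashes, as GitPython's dashify() does, please confirm the check treats "upload_pack" the same way as "upload-pack" and add that spelling as a test case. Minor: the two "if not allow_unsafe_options" conditions at +1190 and +1192 can be folded into one block.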
+--- python-git-3.1.30.orig/test/test_repo.py
++++ python-git-3.1.30/test/test_repo.py
+@@ -281,6 +281,17 @@ class TestRepo(TestBase):
+ rw_repo.clone(tmp_dir, multi_options=[unsafe_option])
+ assert not tmp_file.exists()
+
++ unsafe_options = [
++ {"upload-pack": f"touch {tmp_file}"},
++ {"u": f"touch {tmp_file}"},
++ {"config": "protocol.ext.allow=always"},
++ {"c": "protocol.ext.allow=always"},
++ ]
++ for unsafe_option in unsafe_options:
++ with self.assertRaises(UnsafeOptionError):
++ rw_repo.clone(tmp_dir, **unsafe_option)
++ assert not tmp_file.exists()
++
+ @with_rw_repo("HEAD")
+ def test_clone_unsafe_options_allowed(self, rw_repo):
+ tmp_dir = pathlib.Path(tempfile.mkdtemp())
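Review bot: "assert not tmp_file.exists()" after each blocked call only proves that UnsafeOptionError fired before git ran; there is no positive case showing that a harmless keyword (e.g. depth=1) still clones, so a regression that rejects every kwarg would pass this test. The patch also leaves test_clone_unsafe_options_allowed untouched, so the allow_unsafe_options=True path is not exercised for the keyword form; mirror these four cases there with allow_unsafe_options=True.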
+@@ -337,6 +348,17 @@ class TestRepo(TestBase):
+ Repo.clone_from(rw_repo.working_dir, tmp_dir, multi_options=[unsafe_option])
+ assert not tmp_file.exists()
+
++ unsafe_options = [
++ {"upload-pack": f"touch {tmp_file}"},
++ {"u": f"touch {tmp_file}"},
++ {"config": "protocol.ext.allow=always"},
++ {"c": "protocol.ext.allow=always"},
++ ]
++ for unsafe_option in unsafe_options:
++ with self.assertRaises(UnsafeOptionError):
++ Repo.clone_from(rw_repo.working_dir, tmp_dir, **unsafe_option)
++ assert not tmp_file.exists()
++
+ @with_rw_repo("HEAD")
+ def test_clone_from_unsafe_options_allowed(self, rw_repo):
+ tmp_dir = pathlib.Path(tempfile.mkdtemp())
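Review bot: the unsafe_options list here is a verbatim copy of the one in test_clone_unsafe_options above; hoist it to a module-level constant (or a small helper yielding the four cases) so both tests stay in sync when unsafe_git_clone_options grows. The same coverage gap applies to test_clone_from_unsafe_options_allowed, which this patch does not extend with a keyword-form case.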
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..325d25b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-40267.patch