
Bug#1053221: a new CVE popped up




Control: retitle -1 bookworm-pu: package python-git/3.1.30-1+deb12u2

A new CVE and fix popped up right after I filed this. The patch is also from upstream, and has also been shipped by the Debian LTS team.
diff --git a/debian/changelog b/debian/changelog
index dfaadbc..7d8905e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,24 @@
+python-git (3.1.30-1+deb12u2) stable; urgency=high
+
+  * Team upload.
+  * Fix CVE-2023-41040: Blind local file inclusion.
+
+ -- Hans-Christoph Steiner <hans@eds.org>  Fri, 29 Sep 2023 20:43:31 +0200
+
+python-git (3.1.30-1+deb12u1) stable; urgency=medium
+
+  [ Hans-Christoph Steiner ]
+  * Team upload.
+  * CVE-2023-40267: Include patch from Ubuntu (Closes: #1043503)
+
+  [ Fabian Toepfer ]
+  * SECURITY UPDATE: RCE due to improper user input validation
+    - debian/patches/CVE-2023-40267.patch: Block insecure non-multi
+      options in clone/clone_from.
+    - CVE-2023-40267
+
+ -- Hans-Christoph Steiner <hans@eds.org>  Fri, 29 Sep 2023 16:18:03 +0200
+
 python-git (3.1.30-1) unstable; urgency=medium
 
   [ Debian Janitor ]
diff --git a/debian/patches/CVE-2023-40267.patch b/debian/patches/CVE-2023-40267.patch
new file mode 100644
index 0000000..b733fb2
--- /dev/null
+++ b/debian/patches/CVE-2023-40267.patch
@@ -0,0 +1,60 @@
+From 5c59e0d63da6180db8a0b349f0ad36fef42aceed Mon Sep 17 00:00:00 2001
+From: Sylvain Beucler <beuc@beuc.net>
+Date: Mon, 10 Jul 2023 16:10:10 +0200
+Subject: [PATCH] Block insecure non-multi options in clone/clone_from
+ Follow-up to #1521
+
+---
+ git/repo/base.py  |  2 ++
+ test/test_repo.py | 24 +++++++++++++++++++++++-
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+--- python-git-3.1.30.orig/git/repo/base.py
++++ python-git-3.1.30/git/repo/base.py
+@@ -1188,6 +1188,8 @@ class Repo(object):
+ 
+         if not allow_unsafe_protocols:
+             Git.check_unsafe_protocols(str(url))
++        if not allow_unsafe_options:
++            Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=cls.unsafe_git_clone_options)
+         if not allow_unsafe_options and multi_options:
+             Git.check_unsafe_options(options=multi_options, unsafe_options=cls.unsafe_git_clone_options)
+ 
+--- python-git-3.1.30.orig/test/test_repo.py
++++ python-git-3.1.30/test/test_repo.py
+@@ -281,6 +281,17 @@ class TestRepo(TestBase):
+                 rw_repo.clone(tmp_dir, multi_options=[unsafe_option])
+             assert not tmp_file.exists()
+ 
++        unsafe_options = [
++            {"upload-pack": f"touch {tmp_file}"},
++            {"u": f"touch {tmp_file}"},
++            {"config": "protocol.ext.allow=always"},
++            {"c": "protocol.ext.allow=always"},
++        ]
++        for unsafe_option in unsafe_options:
++            with self.assertRaises(UnsafeOptionError):
++                rw_repo.clone(tmp_dir, **unsafe_option)
++            assert not tmp_file.exists()
++
+     @with_rw_repo("HEAD")
+     def test_clone_unsafe_options_allowed(self, rw_repo):
+         tmp_dir = pathlib.Path(tempfile.mkdtemp())
+@@ -337,6 +348,17 @@ class TestRepo(TestBase):
+                 Repo.clone_from(rw_repo.working_dir, tmp_dir, multi_options=[unsafe_option])
+             assert not tmp_file.exists()
+ 
++        unsafe_options = [
++            {"upload-pack": f"touch {tmp_file}"},
++            {"u": f"touch {tmp_file}"},
++            {"config": "protocol.ext.allow=always"},
++            {"c": "protocol.ext.allow=always"},
++        ]
++        for unsafe_option in unsafe_options:
++            with self.assertRaises(UnsafeOptionError):
++                Repo.clone_from(rw_repo.working_dir, tmp_dir, **unsafe_option)
++            assert not tmp_file.exists()
++
+     @with_rw_repo("HEAD")
+     def test_clone_from_unsafe_options_allowed(self, rw_repo):
+         tmp_dir = pathlib.Path(tempfile.mkdtemp())
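Review bot: The new guard at the `Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=cls.unsafe_git_clone_options)` line passes bare keyword names, so its coverage depends on how `check_unsafe_options` (outside the hunk) matches them against `cls.unsafe_git_clone_options`: as far as I know GitPython's kwarg transformation also accepts the underscore spelling of long options and turns it into the dashed flag, so if the denylist holds only dashed names that spelling would not be caught — worth confirming against the helper in 3.1.30 and, if so, adding the underscore forms to the test tables in both test hunks. The two consecutive `if not allow_unsafe_options` branches could be folded into one block with a comment naming the two input paths, e.g. `# Unsafe options may arrive as keyword arguments or via multi_options; both go through the same denylist.` The enclosing clone helper's signature is outside the hunk.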
diff --git a/debian/patches/CVE-2023-41040.patch b/debian/patches/CVE-2023-41040.patch
new file mode 100644
index 0000000..2e194af
--- /dev/null
+++ b/debian/patches/CVE-2023-41040.patch
@@ -0,0 +1,69 @@
+From: Facundo Tuesca <facundo.tuesca@trailofbits.com>
+Date: Tue, 5 Sep 2023 09:51:50 +0200
+Subject: Fix CVE-2023-41040
+
+This change adds a check during reference resolving to see if it
+contains an up-level reference ('..'). If it does, it raises an
+exception.
+
+This fixes CVE-2023-41040, which allows an attacker to access files
+outside the repository's directory.
+
+Origin: https://github.com/gitpython-developers/GitPython/commit/64ebb9fcdfbe48d5d61141a557691fd91f1e88d6
+Origin: https://github.com/gitpython-developers/GitPython/commit/65b8c6a2ccacdf26e751cd3bc3c5a7c9e5796b56
+Bug: https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58c
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-41040
+---
+ git/refs/symbolic.py  |  2 ++
+ git/test/test_refs.py | 15 +++++++++++++++
+ 2 files changed, 17 insertions(+)
+
+--- a/git/refs/symbolic.py
++++ b/git/refs/symbolic.py
+@@ -168,6 +168,8 @@
+         """Return: (str(sha), str(target_ref_path)) if available, the sha the file at
+         rela_path points to, or None. target_ref_path is the reference we
+         point to, or None"""
++        if ".." in str(ref_path):
++            raise ValueError(f"Invalid reference '{ref_path}'")
+         tokens: Union[None, List[str], Tuple[str, str]] = None
+         repodir = _git_dir(repo, ref_path)
+         try:
+--- a/test/test_refs.py
++++ b/test/test_refs.py
+@@ -5,6 +5,7 @@
+ # the BSD License: http://www.opensource.org/licenses/bsd-license.php
+ 
+ from itertools import chain
++from pathlib import Path
+ 
+ from git import (
+     Reference,
+@@ -19,9 +20,11 @@
+ from git.objects.tag import TagObject
+ from test.lib import TestBase, with_rw_repo
+ from git.util import Actor
++from gitdb.exc import BadName
+ 
+ import git.refs as refs
+ import os.path as osp
++import tempfile
+ 
+ 
+ class TestRefs(TestBase):
+@@ -595,3 +598,15 @@
+ 
+     def test_reflog(self):
+         assert isinstance(self.rorepo.heads.master.log(), RefLog)
++
++    def test_refs_outside_repo(self):
++        # Create a file containing a valid reference outside the repository. Attempting
++        # to access it should raise an exception, due to it containing a parent directory
++        # reference ('..'). This tests for CVE-2023-41040.
++        git_dir = Path(self.rorepo.git_dir)
++        repo_parent_dir = git_dir.parent.parent
++        with tempfile.NamedTemporaryFile(dir=repo_parent_dir) as ref_file:
++            ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe")
++            ref_file.flush()
++            ref_file_name = Path(ref_file.name).name
++            self.assertRaises(BadName, self.rorepo.commit, "../../%s" % ref_file_name)
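Review bot: The added `if ".." in str(ref_path):` check is a bare substring test with no comment explaining why it cannot reject a legitimate reference; since git's ref-name rules forbid two consecutive dots, a match can only be a path that escapes the repository, and that reasoning belongs on the line, e.g. `# git ref names never contain '..' (git-check-ref-format), so any match is a traversal attempt rather than a valid ref.` The check raises ValueError while test_refs_outside_repo expects BadName from rorepo.commit(), so the test relies on a caller translating the exception — that path is outside the hunk and deserves a sentence in the patch description. The check also covers only '..'; whether an absolute ref_path is neutralised by `_git_dir(repo, ref_path)` and the join that follows is not visible here and should be confirmed. The enclosing method's signature is above the hunk.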
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..1608dbe
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2023-40267.patch
+CVE-2023-41040.patch
