Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. CVE: CVE-2022-24439 Upstream-Status: Backport Reference: gitpython-developers/GitPython#1529 gitpython-developers/GitPython#1518 gitpython-developers/GitPython#1521 (From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Loading branch information
Showing
3 changed files
with
589 additions
and
0 deletions.
There are no files selected for viewing
97 changes: 97 additions & 0 deletions
97
...ecipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,97 @@ | ||
| From 6ebe9231cd34dacd32a964859bc509aaa1e3f5fd Mon Sep 17 00:00:00 2001 | ||
| From: Narpat Mali <narpat.mali@windriver.com> | ||
| Date: Fri, 6 Jan 2023 14:13:10 +0000 | ||
| Subject: [PATCH] python3-git: CVE-2022-24439 fix from PR 1518 | ||
|
|
||
| Fix command injection | ||
| Add `--` in some commands that receive user input | ||
| and if interpreted as options could lead to remote | ||
| code execution (RCE). | ||
|
|
||
| There may be more commands that could benefit from `--` | ||
| so the input is never interpreted as an option, | ||
| but most of those aren't dangerous. | ||
|
|
||
| Fixed commands: | ||
|
|
||
| - push | ||
| - pull | ||
| - fetch | ||
| - clone/clone_from and friends | ||
| - archive (not sure if this one can be exploited, but it doesn't hurt | ||
| adding `--` :)) | ||
|
|
||
| For anyone using GitPython and exposing any of the GitPython methods to users, | ||
| make sure to always validate the input (like if starts with `--`). | ||
| And for anyone allowing users to pass arbitrary options, be aware | ||
| that some options may lead fo RCE, like `--exc`, `--upload-pack`, | ||
| `--receive-pack`, `--config` (#1516). | ||
|
|
||
| Ref #1517 | ||
|
|
||
| CVE: CVE-2022-24439 | ||
|
|
||
| Upstream-Status: Backport [https://github.com/gitpython-developers/GitPython/pull/1518] | ||
|
|
||
| Signed-off-by: Narpat Mali <narpat.mali@windriver.com> | ||
| --- | ||
| git/remote.py | 6 +++--- | ||
| git/repo/base.py | 4 ++-- | ||
| 2 files changed, 5 insertions(+), 5 deletions(-) | ||
|
|
||
| diff --git a/git/remote.py b/git/remote.py | ||
| index 56f3c5b..59681bc 100644 | ||
| --- a/git/remote.py | ||
| +++ b/git/remote.py | ||
| @@ -881,7 +881,7 @@ class Remote(LazyMixin, IterableObj): | ||
| else: | ||
| args = [refspec] | ||
|
|
||
| - proc = self.repo.git.fetch(self, *args, as_process=True, with_stdout=False, | ||
| + proc = self.repo.git.fetch("--", self, *args, as_process=True, with_stdout=False, | ||
| universal_newlines=True, v=verbose, **kwargs) | ||
| res = self._get_fetch_info_from_stderr(proc, progress, | ||
| kill_after_timeout=kill_after_timeout) | ||
| @@ -905,7 +905,7 @@ class Remote(LazyMixin, IterableObj): | ||
| # No argument refspec, then ensure the repo's config has a fetch refspec. | ||
| self._assert_refspec() | ||
| kwargs = add_progress(kwargs, self.repo.git, progress) | ||
| - proc = self.repo.git.pull(self, refspec, with_stdout=False, as_process=True, | ||
| + proc = self.repo.git.pull("--", self, refspec, with_stdout=False, as_process=True, | ||
| universal_newlines=True, v=True, **kwargs) | ||
| res = self._get_fetch_info_from_stderr(proc, progress, | ||
| kill_after_timeout=kill_after_timeout) | ||
| @@ -945,7 +945,7 @@ class Remote(LazyMixin, IterableObj): | ||
| If the operation fails completely, the length of the returned IterableList will | ||
| be 0.""" | ||
| kwargs = add_progress(kwargs, self.repo.git, progress) | ||
| - proc = self.repo.git.push(self, refspec, porcelain=True, as_process=True, | ||
| + proc = self.repo.git.push("--", self, refspec, porcelain=True, as_process=True, | ||
| universal_newlines=True, | ||
| kill_after_timeout=kill_after_timeout, | ||
| **kwargs) | ||
| diff --git a/git/repo/base.py b/git/repo/base.py | ||
| index 7713c91..f14f929 100644 | ||
| --- a/git/repo/base.py | ||
| +++ b/git/repo/base.py | ||
| @@ -1072,7 +1072,7 @@ class Repo(object): | ||
| multi = None | ||
| if multi_options: | ||
| multi = shlex.split(' '.join(multi_options)) | ||
| - proc = git.clone(multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True, | ||
| + proc = git.clone("--", multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True, | ||
| v=True, universal_newlines=True, **add_progress(kwargs, git, progress)) | ||
| if progress: | ||
| handle_process_output(proc, None, to_progress_instance(progress).new_message_handler(), | ||
| @@ -1173,7 +1173,7 @@ class Repo(object): | ||
| if not isinstance(path, (tuple, list)): | ||
| path = [path] | ||
| # end assure paths is list | ||
| - self.git.archive(treeish, *path, **kwargs) | ||
| + self.git.archive("--", treeish, *path, **kwargs) | ||
| return self | ||
|
|
||
| def has_separate_working_tree(self) -> bool: | ||
| -- | ||
| 2.34.1 | ||
|
|
Oops, something went wrong.