
Merge pull request from GHSA-cx3w-xqmc-84g5

release: v2.13.2
bk2204 committed Jan 13, 2021
2 parents e896fc7 + bae0da1 commit fc664697ed2c2081ee9633010de0a7f9debea72a
Showing with 80 additions and 13 deletions.
  1. +24 −0 CHANGELOG.md
  2. +1 −2 commands/commands.go
  3. +1 −1 config/version.go
  4. +3 −2 creds/creds.go
  5. +6 −0 debian/changelog
  6. +3 −3 lfs/extension.go
  7. +1 −2 lfshttp/ssh.go
  8. +1 −1 rpm/SPECS/git-lfs.spec
  9. +38 −0 t/t-path.sh
  10. +2 −2 versioninfo.json
@@ -1,5 +1,29 @@
# Git LFS Changelog

## 2.13.2 (13 Jan 2020)

This release introduces a security fix for Windows systems, which has been
assigned CVE-2021-21237.

On Windows, if Git LFS operates on a malicious repository with a git.bat or
git.exe file in the current directory, that program is executed, permitting the
attacker to execute arbitrary code. This security problem does not affect Unix
systems. This is the same issue as CVE-2020-27955, but the fix for that issue
was incomplete and certain options can still cause the problem to occur.

This occurs because on Windows, Go includes (and prefers) the current directory
when the name of a command run does not contain a directory separator. This has
been solved by always using PATH to pre-resolve paths before handing them to Go.

We would like to extend a special thanks to the following open-source
contributors:

* @Ry0taK for reporting this to us responsibly

### Bugs

* Use subprocess for invoking all commands (@bk2204)

## 2.13.1 (11 Dec 2020)

This release fixes a bug in our build tooling that prevents our release process
@@ -7,7 +7,6 @@ import (
"log"
"net"
"os"
"os/exec"
"path/filepath"
"strings"
"sync"
@@ -282,7 +281,7 @@ func PipeMediaCommand(name string, args ...string) error {
}

func PipeCommand(name string, args ...string) error {
cmd := exec.Command(name, args...)
cmd := subprocess.ExecCommand(name, args...)
cmd.Stdin = os.Stdin
cmd.Stderr = os.Stderr
cmd.Stdout = os.Stdout
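Review bot: PipeCommand now resolves `name` through `subprocess.ExecCommand`, but nothing at the call site records why `exec.Command` must not come back, which is the same pattern the changelog in this commit describes for the incomplete earlier fix. Add a doc comment above the signature: `// PipeCommand runs name with our stdio attached. It uses subprocess.ExecCommand rather than exec.Command so that name is resolved via PATH first; on Windows exec.Command would also search the current directory (CVE-2021-21237).` The import hunk above drops "os/exec" without showing an added import for the subprocess package, so it is presumably already imported in this file. A repository-wide check that fails on any remaining or new `exec.Command` call would guard against this regression more reliably than per-call-site review. PipeCommand's body continues past the end of the hunk.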
@@ -13,7 +13,7 @@ var (
)

const (
Version = "2.13.1"
Version = "2.13.2"
)

func init() {
@@ -11,6 +11,7 @@ import (

"github.com/git-lfs/git-lfs/config"
"github.com/git-lfs/git-lfs/errors"
"github.com/git-lfs/git-lfs/subprocess"
"github.com/rubyist/tracerx"
)

@@ -232,7 +233,7 @@ func (a *AskPassCredentialHelper) getFromProgram(valueType credValueType, u *url

// 'cmd' will run the GIT_ASKPASS (or core.askpass) command prompting
// for the desired valueType (`Username` or `Password`)
cmd := exec.Command(a.Program, a.args(fmt.Sprintf("%s for %q", valueString, u))...)
cmd := subprocess.ExecCommand(a.Program, a.args(fmt.Sprintf("%s for %q", valueString, u))...)
cmd.Stderr = &err
cmd.Stdout = &value

@@ -292,7 +293,7 @@ func (h *commandCredentialHelper) Approve(creds Creds) error {

func (h *commandCredentialHelper) exec(subcommand string, input Creds) (Creds, error) {
output := new(bytes.Buffer)
cmd := exec.Command("git", "credential", subcommand)
cmd := subprocess.ExecCommand("git", "credential", subcommand)
cmd.Stdin = bufferCreds(input)
cmd.Stdout = output
/*
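Review bot: The comment at the top of the getFromProgram hunk still only says what runs, not why the call became `subprocess.ExecCommand`; since `a.Program` comes from GIT_ASKPASS or core.askpass, a bare program name is exactly the case where the Windows current-directory lookup applies, and that rationale belongs next to the call. Extend the comment with `// subprocess.ExecCommand pre-resolves the program via PATH so the current directory is never searched on Windows (CVE-2021-21237).` The same one-line note applies to the `git credential` invocation in the exec hunk below it. getFromProgram starts before its hunk, and both functions continue past theirs.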
@@ -1,3 +1,9 @@
git-lfs (2.13.2) stable; urgency=low

* New upstream version

-- brian m. carlson <bk2204@github.com> Wed, 13 Jan 2021 14:29:00 -0000

git-lfs (2.13.1) stable; urgency=low

* New upstream version
@@ -8,10 +8,10 @@ import (
"hash"
"io"
"os"
"os/exec"
"strings"

"github.com/git-lfs/git-lfs/config"
"github.com/git-lfs/git-lfs/subprocess"
)

type pipeRequest struct {
@@ -33,7 +33,7 @@ type pipeExtResult struct {
}

type extCommand struct {
cmd *exec.Cmd
cmd *subprocess.Cmd
out io.WriteCloser
err *bytes.Buffer
hasher hash.Hash
@@ -75,7 +75,7 @@ func pipeExtensions(cfg *config.Configuration, request *pipeRequest) (response p
arg := strings.Replace(value, "%f", request.fileName, -1)
args = append(args, arg)
}
cmd := exec.Command(name, args...)
cmd := subprocess.ExecCommand(name, args...)
ec := &extCommand{cmd: cmd, result: &pipeExtResult{name: e.Name}}
extcmds = append(extcmds, ec)
}
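Review bot: In pipeExtensions the command name and its arguments appear to come from the extension configuration (`e.Name`, with `%f` replaced by `request.fileName`), so this is the call site where PATH pre-resolution matters most and it deserves a why-comment: `// Resolve name via PATH first (subprocess.ExecCommand); exec.Command would also search the current directory on Windows (CVE-2021-21237).` The `%f` substitution at the top of the hunk splices the file name into a separate argv element rather than a shell string, which — assuming subprocess.ExecCommand does not go through a shell — is what keeps it from being an injection vector, and is worth stating in the same comment. The struct field change to `*subprocess.Cmd` and the import hunk that swaps "os/exec" for the subprocess package are consistent with this call. pipeExtensions starts before this hunk and continues after it.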
@@ -4,7 +4,6 @@ import (
"bytes"
"encoding/json"
"fmt"
"os/exec"
"path/filepath"
"regexp"
"strings"
@@ -83,7 +82,7 @@ func (c *sshAuthClient) Resolve(e Endpoint, method string) (sshAuthResponse, err
}

exe, args := sshGetLFSExeAndArgs(c.os, c.git, e, method)
cmd := exec.Command(exe, args...)
cmd := subprocess.ExecCommand(exe, args...)

// Save stdout and stderr in separate buffers
var outbuf, errbuf bytes.Buffer
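Review bot: The import hunk for this file removes "os/exec" but adds nothing, so the subprocess package must already be imported earlier in the file (outside what is shown); worth confirming the file builds, since the ExecCommand call now depends on it. `exe` is produced by sshGetLFSExeAndArgs from `c.os`, `c.git` and the endpoint — presumably environment and git configuration — so the switch to `subprocess.ExecCommand` should be annotated at the call: `// Pre-resolve exe via PATH; exec.Command would search the current directory on Windows (CVE-2021-21237).` Resolve starts before this hunk and continues after it.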
@@ -1,5 +1,5 @@
Name: git-lfs
Version: 2.13.1
Version: 2.13.2
Release: 1%{?dist}
Summary: Git extension for versioning large files

@@ -21,3 +21,41 @@ begin_test "does not look in current directory for git"
! grep -q 'exploit' output.log
)
end_test

begin_test "does not look in current directory for git with credential helper"
(
set -e

reponame="$(basename "$0" ".sh")-credentials"
setup_remote_repo "$reponame"

clone_repo "$reponame" credentials-1
export PATH="$(echo "$PATH" | sed -e "s/:.:/:/g" -e "s/::/:/g")"

printf "#!/bin/sh\necho exploit >&2\ntouch exploit\n" > git
chmod +x git || true
printf "echo exploit 1>&2\r\necho >exploit" > git.bat

git lfs track "*.dat"
printf abc > z.dat
git add z.dat
git add .gitattributes
git add git git.bat
git commit -m "Add files"

git push origin HEAD
cd ..

unset GIT_ASKPASS SSH_ASKPASS

# This needs to succeed. If it fails, that could be because our malicious
# "git" is broken but got invoked anyway.
GIT_LFS_SKIP_SMUDGE=1 clone_repo "$reponame" credentials-2

git lfs pull | tee output.log

! grep -q 'exploit' output.log
[ ! -f ../exploit ]
[ ! -f exploit ]
)
end_test
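Review bot: The PATH scrub at `export PATH="$(echo "$PATH" | sed -e "s/:.:/:/g" -e "s/::/:/g")"` leaves current-directory entries behind in several cases: a leading `.:` or trailing `:.`, two adjacent `.` entries (the first substitution consumes the shared colon, so `:.:.:` becomes `:.:`), and empty entries at either end, which the shell also treats as the current directory; the unescaped `.` additionally removes any one-character entry. If such an entry survives, the fake `git` is legitimately found through PATH and the test fails for a reason unrelated to the fix under test. Replace the line with `export PATH="$(echo "$PATH" | sed -e ':a' -e 's/:\.:/:/g' -e 's/::/:/g' -e 'ta' -e 's/^\.://' -e 's/:\.$//' -e 's/^://' -e 's/:$//')"`, which loops until no further entry is removed. Separately, the fake `git` reports on stderr but `git lfs pull | tee output.log` captures only stdout, so the grep on output.log is unlikely to see that message and only the file checks detect an invocation; `git lfs pull 2>&1 | tee output.log` makes the grep meaningful.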
@@ -4,7 +4,7 @@
"FileVersion": {
"Major": 2,
"Minor": 13,
"Patch": 1,
"Patch": 2,
"Build": 0
}
},
@@ -13,7 +13,7 @@
"FileDescription": "Git LFS",
"LegalCopyright": "GitHub, Inc. and Git LFS contributors",
"ProductName": "Git Large File Storage (LFS)",
"ProductVersion": "2.13.1"
"ProductVersion": "2.13.2"
},
"IconPath": "script/windows-installer/git-lfs-logo.ico"
}
