Merge pull request from GHSA-cx3w-xqmc-84g5
release: v2.13.2
bk2204 committed Jan 13, 2021
2 parents e896fc7 + bae0da1 commit fc66469
Showing 10 changed files with 80 additions and 13 deletions.
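--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,29 @@
 # Git LFS Changelog
 
+## 2.13.2 (13 Jan 2020)
+
+This release introduces a security fix for Windows systems, which has been
+assigned CVE-2021-21237.
+
+On Windows, if Git LFS operates on a malicious repository with a git.bat or
+git.exe file in the current directory, that program is executed, permitting the
+attacker to execute arbitrary code. This security problem does not affect Unix
+systems. This is the same issue as CVE-2020-27955, but the fix for that issue
+was incomplete and certain options can still cause the problem to occur.
+
+This occurs because on Windows, Go includes (and prefers) the current directory
+when the name of a command run does not contain a directory separator. This has
+been solved by always using PATH to pre-resolve paths before handing them to Go.
+
+We would like to extend a special thanks to the following open-source
+contributors:
+
+* @Ry0taK for reporting this to us responsibly
+
+### Bugs
+
+* Use subprocess for invoking all commands (@bk2204)
+
 ## 2.13.1 (11 Dec 2020)
 
 This release fixes a bug in our build tooling that prevents our release process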
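--- a/commands/commands.go
+++ b/commands/commands.go
@@ -7,7 +7,6 @@ import (
 "log"
 "net"
 "os"
-"os/exec"
 "path/filepath"
 "strings"
 "sync"
@@ -282,7 +281,7 @@ func PipeMediaCommand(name string, args ...string) error {
 }
 
 func PipeCommand(name string, args ...string) error {
-cmd := exec.Command(name, args...)
+cmd := subprocess.ExecCommand(name, args...)
 cmd.Stdin = os.Stdin
 cmd.Stderr = os.Stderr
 cmd.Stdout = os.Stdout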
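Review bot: PipeCommand now goes through `subprocess.ExecCommand`, but nothing in the commit enforces that — the changelog notes the CVE-2020-27955 fix was incomplete precisely because some call sites kept `exec.Command`, and a future call site can reintroduce the current-directory lookup just as quietly. Since this file, lfs/extension.go and lfshttp/ssh.go all drop their `os/exec` import here, a CI step that fails when any package other than `subprocess` imports `os/exec` (a grep over the `*.go` files is enough) would turn the convention into an invariant. A short why-comment at the call site, `// Resolve via PATH with subprocess.ExecCommand, never exec.Command: on Windows exec.Command prefers the current directory (CVE-2021-21237).`, helps the next reviewer see why the indirection matters. PipeCommand's body continues past the end of the hunk.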
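--- a/config/version.go
+++ b/config/version.go
@@ -13,7 +13,7 @@ var (
 )
 
 const (
-Version = "2.13.1"
+Version = "2.13.2"
 )
 
 func init() {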
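--- a/creds/creds.go
+++ b/creds/creds.go
@@ -11,6 +11,7 @@ import (
 
 "github.com/git-lfs/git-lfs/config"
 "github.com/git-lfs/git-lfs/errors"
+"github.com/git-lfs/git-lfs/subprocess"
 "github.com/rubyist/tracerx"
 )
 
@@ -232,7 +233,7 @@ func (a *AskPassCredentialHelper) getFromProgram(valueType credValueType, u *url
 
 // 'cmd' will run the GIT_ASKPASS (or core.askpass) command prompting
 // for the desired valueType (`Username` or `Password`)
-cmd := exec.Command(a.Program, a.args(fmt.Sprintf("%s for %q", valueString, u))...)
+cmd := subprocess.ExecCommand(a.Program, a.args(fmt.Sprintf("%s for %q", valueString, u))...)
 cmd.Stderr = &err
 cmd.Stdout = &value
 
@@ -292,7 +293,7 @@ func (h *commandCredentialHelper) Approve(creds Creds) error {
 
 func (h *commandCredentialHelper) exec(subcommand string, input Creds) (Creds, error) {
 output := new(bytes.Buffer)
-cmd := exec.Command("git", "credential", subcommand)
+cmd := subprocess.ExecCommand("git", "credential", subcommand)
 cmd.Stdin = bufferCreds(input)
 cmd.Stdout = output
 /*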
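Review bot: The import hunk adds `github.com/git-lfs/git-lfs/subprocess` but, unlike commands.go, lfs/extension.go and lfshttp/ssh.go in this commit, does not show `os/exec` being removed, and the unchanged offset in `@@ -11,6 +11,7 @@` suggests the stdlib import above it is still present; presumably something in the file still references `exec` (an `*exec.ExitError` check, for example), but if any `exec.Command` or `exec.LookPath` call survives it has the same current-directory lookup this release is fixing, so it is worth a grep before tagging. For the askpass path, `a.Program` comes from GIT_ASKPASS or core.askpass per the existing comment, and the new call resolves a bare name through PATH rather than the working directory — extending that comment with `// Resolved through PATH by subprocess.ExecCommand; a bare name must never pick up a program from the repository directory.` records the guarantee the test suite relies on. Both getFromProgram and exec continue outside their hunks.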
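--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+git-lfs (2.13.2) stable; urgency=low
+
+* New upstream version
+
+-- brian m. carlson <bk2204@github.com> Wed, 13 Jan 2021 14:29:00 -0000
+
 git-lfs (2.13.1) stable; urgency=low
 
 * New upstream version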
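--- a/lfs/extension.go
+++ b/lfs/extension.go
@@ -8,10 +8,10 @@ import (
 "hash"
 "io"
 "os"
-"os/exec"
 "strings"
 
 "github.com/git-lfs/git-lfs/config"
+"github.com/git-lfs/git-lfs/subprocess"
 )
 
 type pipeRequest struct {
@@ -33,7 +33,7 @@ type pipeExtResult struct {
 }
 
 type extCommand struct {
-cmd *exec.Cmd
+cmd *subprocess.Cmd
 out io.WriteCloser
 err *bytes.Buffer
 hasher hash.Hash
@@ -75,7 +75,7 @@ func pipeExtensions(cfg *config.Configuration, request *pipeRequest) (response p
 arg := strings.Replace(value, "%f", request.fileName, -1)
 args = append(args, arg)
 }
-cmd := exec.Command(name, args...)
+cmd := subprocess.ExecCommand(name, args...)
 ec := &extCommand{cmd: cmd, result: &pipeExtResult{name: e.Name}}
 extcmds = append(extcmds, ec)
 }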
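--- a/lfshttp/ssh.go
+++ b/lfshttp/ssh.go
@@ -4,7 +4,6 @@ import (
 "bytes"
 "encoding/json"
 "fmt"
-"os/exec"
 "path/filepath"
 "regexp"
 "strings"
@@ -83,7 +82,7 @@ func (c *sshAuthClient) Resolve(e Endpoint, method string) (sshAuthResponse, err
 }
 
 exe, args := sshGetLFSExeAndArgs(c.os, c.git, e, method)
-cmd := exec.Command(exe, args...)
+cmd := subprocess.ExecCommand(exe, args...)
 
 // Save stdout and stderr in separate buffers
 var outbuf, errbuf bytes.Buffer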
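--- a/rpm/SPECS/git-lfs.spec
+++ b/rpm/SPECS/git-lfs.spec
@@ -1,5 +1,5 @@
 Name: git-lfs
-Version: 2.13.1
+Version: 2.13.2
 Release: 1%{?dist}
 Summary: Git extension for versioning large files
 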
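--- a/t/t-path.sh
+++ b/t/t-path.sh
@@ -21,3 +21,41 @@ begin_test "does not look in current directory for git"
 ! grep -q 'exploit' output.log
 )
 end_test
+
+begin_test "does not look in current directory for git with credential helper"
+(
+set -e
+
+reponame="$(basename "$0" ".sh")-credentials"
+setup_remote_repo "$reponame"
+
+clone_repo "$reponame" credentials-1
+export PATH="$(echo "$PATH" | sed -e "s/:.:/:/g" -e "s/::/:/g")"
+
+printf "#!/bin/sh\necho exploit >&2\ntouch exploit\n" > git
+chmod +x git || true
+printf "echo exploit 1>&2\r\necho >exploit" > git.bat
+
+git lfs track "*.dat"
+printf abc > z.dat
+git add z.dat
+git add .gitattributes
+git add git git.bat
+git commit -m "Add files"
+
+git push origin HEAD
+cd ..
+
+unset GIT_ASKPASS SSH_ASKPASS
+
+# This needs to succeed. If it fails, that could be because our malicious
+# "git" is broken but got invoked anyway.
+GIT_LFS_SKIP_SMUDGE=1 clone_repo "$reponame" credentials-2
+
+git lfs pull | tee output.log
+
+! grep -q 'exploit' output.log
+[ ! -f ../exploit ]
+[ ! -f exploit ]
+)
+end_test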
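Review bot: The `export PATH=...` line at the top of the new test only strips an interior `:.:` or `::` entry, so a PATH that starts with `.:` or `:`, or ends with `:.` or `:`, still contains the working directory and the planted `git` would be found legitimately through PATH, failing the test for the wrong reason; the unescaped `.` in the sed pattern also matches any one-character entry. Something like `sed -e 's/:\.:/:/g' -e 's/::/:/g' -e 's/^\.://' -e 's/:\.$//' -e 's/^://' -e 's/:$//'` covers the edges. Separately, under `set -e` a pipeline beginning with `!` does not trigger errexit, so `! grep -q 'exploit' output.log` can never fail the subshell on its own and the test is actually carried by the two `[ ! -f … exploit ]` checks; `if grep -q 'exploit' output.log; then exit 1; fi` makes the log assertion effective, and `git lfs pull | tee output.log` likewise masks a failing pull behind tee's exit status. The same `!` pattern appears in the context line from the earlier test above this hunk.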
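--- a/versioninfo.json
+++ b/versioninfo.json
@@ -4,7 +4,7 @@
 "FileVersion": {
 "Major": 2,
 "Minor": 13,
-"Patch": 1,
+"Patch": 2,
 "Build": 0
 }
 },
@@ -13,7 +13,7 @@
 "FileDescription": "Git LFS",
 "LegalCopyright": "GitHub, Inc. and Git LFS contributors",
 "ProductName": "Git Large File Storage (LFS)",
-"ProductVersion": "2.13.1"
+"ProductVersion": "2.13.2"
 },
 "IconPath": "script/windows-installer/git-lfs-logo.ico"
 }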
