python3-git: fix for CVE-2022-24439
Source: poky
MR: 124663
Type: Integration
Disposition: Merged from poky
ChangeID: 0721360
Description:

All versions of package gitpython are vulnerable to Remote Code Execution
(RCE) due to improper user input validation, which makes it possible to
inject a maliciously crafted remote URL into the clone command. Exploiting
this vulnerability is possible because the library makes external calls to
git without sufficient sanitization of input arguments.

CVE: CVE-2022-24439

Upstream-Status: Backport

Reference:
gitpython-developers/GitPython#1529
gitpython-developers/GitPython#1518
gitpython-developers/GitPython#1521

(From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde)

Signed-off-by: Narpat Mali <[email protected]>
Signed-off-by: Richard Purdie <[email protected]>
Signed-off-by: Jeremy A. Puhlman <[email protected]>
Narpat Mali authored and jpuhlman committed Jan 31, 2023
1 parent 6004148 commit 88f3649
Showing 3 changed files with 589 additions and 0 deletions.
@@ -0,0 +1,97 @@
From 6ebe9231cd34dacd32a964859bc509aaa1e3f5fd Mon Sep 17 00:00:00 2001
From: Narpat Mali <[email protected]>
Date: Fri, 6 Jan 2023 14:13:10 +0000
Subject: [PATCH] python3-git: CVE-2022-24439 fix from PR 1518

Fix command injection
Add `--` in some commands that receive user input
and if interpreted as options could lead to remote
code execution (RCE).

There may be more commands that could benefit from `--`
so the input is never interpreted as an option,
but most of those aren't dangerous.

Fixed commands:

- push
- pull
- fetch
- clone/clone_from and friends
- archive (not sure if this one can be exploited, but it doesn't hurt
adding `--` :))

For anyone using GitPython and exposing any of the GitPython methods to users,
make sure to always validate the input (like if starts with `--`).
And for anyone allowing users to pass arbitrary options, be aware
that some options may lead to RCE, like `--exec`, `--upload-pack`,
`--receive-pack`, `--config` (#1516).

Ref #1517

CVE: CVE-2022-24439

Upstream-Status: Backport [https://github.com/gitpython-developers/GitPython/pull/1518]

Signed-off-by: Narpat Mali <[email protected]>
---
git/remote.py | 6 +++---
git/repo/base.py | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/git/remote.py b/git/remote.py
index 56f3c5b..59681bc 100644
--- a/git/remote.py
+++ b/git/remote.py
@@ -881,7 +881,7 @@ class Remote(LazyMixin, IterableObj):
else:
args = [refspec]

- proc = self.repo.git.fetch(self, *args, as_process=True, with_stdout=False,
+ proc = self.repo.git.fetch("--", self, *args, as_process=True, with_stdout=False,
universal_newlines=True, v=verbose, **kwargs)
res = self._get_fetch_info_from_stderr(proc, progress,
kill_after_timeout=kill_after_timeout)
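Review bot: the `--` only protects the `fetch` call if `v=verbose` and everything in `**kwargs` are rendered as options ahead of the positional arguments; if GitPython emitted them after the positionals they would land behind `--` and git would read them as refspecs. Worth confirming that ordering once, and adding a regression test that fetches from a remote whose name begins with `-`, since the pull and push hunks below rely on the same assumption.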
@@ -905,7 +905,7 @@ class Remote(LazyMixin, IterableObj):
# No argument refspec, then ensure the repo's config has a fetch refspec.
self._assert_refspec()
kwargs = add_progress(kwargs, self.repo.git, progress)
- proc = self.repo.git.pull(self, refspec, with_stdout=False, as_process=True,
+ proc = self.repo.git.pull("--", self, refspec, with_stdout=False, as_process=True,
universal_newlines=True, v=True, **kwargs)
res = self._get_fetch_info_from_stderr(proc, progress,
kill_after_timeout=kill_after_timeout)
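Review bot: `--` stops a dash-prefixed remote name or `refspec` from being parsed as an option, but it does nothing for `**kwargs`, which are still rendered as real git options in front of it; a caller that forwards user-controlled keyword arguments to `pull` remains exposed to exactly the `--upload-pack` / `--config` style options the commit message warns about. A sentence in the `pull` docstring stating that keyword arguments are trusted and must not come from users would make that boundary explicit.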
@@ -945,7 +945,7 @@ class Remote(LazyMixin, IterableObj):
If the operation fails completely, the length of the returned IterableList will
be 0."""
kwargs = add_progress(kwargs, self.repo.git, progress)
- proc = self.repo.git.push(self, refspec, porcelain=True, as_process=True,
+ proc = self.repo.git.push("--", self, refspec, porcelain=True, as_process=True,
universal_newlines=True,
kill_after_timeout=kill_after_timeout,
**kwargs)
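Review bot: this is a behaviour change for any caller that passed an option string through `refspec` (for example `push(refspec="--tags")` or `"--delete"`): with `--` in front of it, git now receives that string as a literal refspec and the push fails instead of applying the option. That is the intended hardening, but it belongs in the changelog together with the supported alternative of passing `tags=True` / `delete=True` as keyword arguments.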
diff --git a/git/repo/base.py b/git/repo/base.py
index 7713c91..f14f929 100644
--- a/git/repo/base.py
+++ b/git/repo/base.py
@@ -1072,7 +1072,7 @@ class Repo(object):
multi = None
if multi_options:
multi = shlex.split(' '.join(multi_options))
- proc = git.clone(multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True,
+ proc = git.clone("--", multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True,
v=True, universal_newlines=True, **add_progress(kwargs, git, progress))
if progress:
handle_process_output(proc, None, to_progress_instance(progress).new_message_handler(),
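Review bot: `--` is placed before `multi`, so every option that arrives through `multi_options` (it is `shlex.split(' '.join(multi_options))` two lines above) is sent to git after the end-of-options marker and is parsed as a positional argument; a call such as `clone_from(url, path, multi_options=['--depth 1'])` would make git see `--depth`, `1`, the URL and the path as four positional arguments and refuse the command instead of producing a shallow clone. The marker should sit between the options and the URL: `proc = git.clone(multi, "--", Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True,`. `multi` is `None` when no options are given, so the reordering changes nothing in the default case.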
@@ -1173,7 +1173,7 @@ class Repo(object):
if not isinstance(path, (tuple, list)):
path = [path]
# end assure paths is list
- self.git.archive(treeish, *path, **kwargs)
+ self.git.archive("--", treeish, *path, **kwargs)
return self

def has_separate_working_tree(self) -> bool:
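Review bot: the commit message is unsure whether `archive` is exploitable; the change is safe either way because `git archive` accepts `--` as the end-of-options marker, after which `treeish` and every element of `path` are taken literally, so a path whose name begins with `-` can no longer be read as an option. A regression test that archives a tree containing a file named with a leading `-` would pin that down, and the `archive` docstring should state that `**kwargs` (for example `remote` / `exec`) remain trusted options rendered in front of `--`.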
--
2.34.1
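The patch description above tells anyone who exposes GitPython methods to users to validate the input (for example, reject values that start with `--`) and to be careful with options such as `--exec`, `--upload-pack`, `--receive-pack` and `--config`. The following is an added example of such a validation layer, written for this page; it is not GitPython's code and not part of the backported patch. The function names, the transport allowlist, the clone-option allowlist and the placeholder inputs in the demo are this example's own assumptions, and local-path clones are deliberately not allowed.

```python
"""Validation layer for user-controlled arguments handed on to GitPython.

Added example for this page, not GitPython's code and not part of the
backported patch. It follows the patch description: refuse positional
input that starts with '-', and refuse the options named there as RCE
vectors (--exec, --upload-pack, --receive-pack, --config) wherever a
caller lets users pass arbitrary options. Names and allowlists below are
this example's own assumptions.
"""
import re
import shlex
from urllib.parse import urlsplit


class UnsafeGitArgument(ValueError):
    """Input that git could parse as an option, or a transport we do not want."""


# Long forms are the ones the patch description names; -u (--upload-pack for
# clone/fetch) and -c (--config for clone) are their short forms.
RCE_OPTIONS = {"--exec", "--upload-pack", "--receive-pack", "--config", "-u", "-c"}

# Assumption: this deployment clones only over these transports.
ALLOWED_SCHEMES = {"https", "ssh", "git"}

# Assumption: the only extra clone options users may request, and whether
# each one consumes the next token as its value.
ALLOWED_CLONE_OPTIONS = {
    "--depth": True, "--branch": True, "-b": True,
    "--single-branch": False, "--no-tags": False,
}

# scp-like ssh syntax: user@host:path (path must not start with '/').
SCP_LIKE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:(?!/)\S+$")


def validate_positional(value: str) -> str:
    """Reject a remote name, URL, refspec or path that git would read as an option."""
    if not isinstance(value, str) or not value.strip():
        raise UnsafeGitArgument("empty argument")
    if value.startswith("-"):
        raise UnsafeGitArgument(f"would be parsed as an option: {value!r}")
    if re.search(r"[\x00-\x1f]", value):
        raise UnsafeGitArgument(f"control characters in argument: {value!r}")
    return value


def validate_clone_url(url: str) -> str:
    """Allow only https/ssh/git URLs or scp-like syntax; no local paths, no ext::."""
    validate_positional(url)
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 brackets
        raise UnsafeGitArgument(f"malformed URL: {url!r}") from exc
    if parts.scheme:
        if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
            raise UnsafeGitArgument(f"transport not allowed: {url!r}")
        return url
    if SCP_LIKE.match(url):
        return url
    raise UnsafeGitArgument(f"unrecognised remote URL: {url!r}")


def validate_clone_options(options) -> list:
    """Allowlist extra clone options after the split GitPython applies to multi_options."""
    tokens = shlex.split(" ".join(options))
    out, expect_value = [], False
    for tok in tokens:
        if expect_value:  # value belonging to the previous option
            out.append(validate_positional(tok))
            expect_value = False
            continue
        name, eq, _ = tok.partition("=")
        if name in RCE_OPTIONS or name[:2] in RCE_OPTIONS:  # also -ufoo / -ckey=val
            raise UnsafeGitArgument(f"option can run commands: {tok!r}")
        if name not in ALLOWED_CLONE_OPTIONS:
            raise UnsafeGitArgument(f"option not allowlisted: {tok!r}")
        out.append(tok)
        expect_value = ALLOWED_CLONE_OPTIONS[name] and not eq
    if expect_value:
        raise UnsafeGitArgument("last option is missing its value")
    return out


def build_clone_argv(url: str, dest: str, options=()) -> list:
    """argv with the placement the patch uses: options, then '--', then positionals."""
    return ["git", "clone", *validate_clone_options(options), "--",
            validate_clone_url(url), validate_positional(dest)]


def clone_with_gitpython(url: str, dest: str, options=()):
    """Same checks in front of Repo.clone_from (assumes a GitPython carrying this fix)."""
    import git  # lazy import: the validators above run without GitPython installed
    return git.Repo.clone_from(validate_clone_url(url), validate_positional(dest),
                               multi_options=validate_clone_options(options))


def rejects(check, *args) -> bool:
    """True when check(*args) raises UnsafeGitArgument."""
    try:
        check(*args)
    except UnsafeGitArgument:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate clone and inputs that must be refused.
    print(build_clone_argv("https://github.com/gitpython-developers/GitPython.git",
                           "GitPython", ["--depth", "1"]))
    for bad in ("--upload-pack=some-command", "ext::some-command", "/srv/local/repo"):
        print(f"{bad!r:32} rejected={rejects(validate_clone_url, bad)}")
    print("--config via options rejected:",
          rejects(validate_clone_options, ["--config", "core.sshCommand=some-command"]))
```

`build_clone_argv` puts the validated options first and the URL after `--`, the same placement the patch gives `fetch`, `pull` and `push` (options from `**kwargs` are rendered before the positional arguments). The validators are still wanted, because options passed through `**kwargs` or `multi_options` are real git options that `--` does not cover, and because `ext::`-style transports are URLs, not options, so only a transport allowlist stops them. `clone_with_gitpython` places the same checks in front of `Repo.clone_from` and assumes a GitPython that already carries this fix.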
