Unverified Commit 8e0b1729 by Patrick Steinhardt Committed by GitHub

Merge pull request #4834 from pks-t/pks/v0.27.5

Security release v0.27.5
parents 8b89f362 c590b41f
v0.27.5
-------
This is a security release fixing the following list of issues:
- Submodule URLs and paths with a leading "-" are now ignored.
This is due to the recently discovered CVE-2018-17456, which
can lead to arbitrary code execution in upstream git. While
libgit2 itself is not vulnerable, it can be used to inject
options in an implementation which performs a recursive clone
by executing an external command.
- When running repack while doing repo writes,
`packfile_load__cb()` could see some temporary files in the
directory that were bigger than the usual, and makes `memcmp`
overflow on the `p->pack_name` string. This issue was reported
and fixed by bisho.
- The configuration file parser used unbounded recursion to parse
multiline variables, which could lead to a stack overflow. The
issue was reported by the oss-fuzz project, issue 10048 and
fixed by Nelson Elhage.
- The fix to the unbounded recursion introduced a memory leak in
the config parser. While this leak was never in a public
release, the oss-fuzz project reported this as issue 10127. The
fix was implemented by Nelson Elhage and Patrick Steinhardt.
- When parsing "ok" packets received via the smart protocol, our
parsing code did not correctly verify the bounds of the
packets, which could result in a heap-buffer overflow. The
issue was reported by the oss-fuzz project, issue 9749 and
fixed by Patrick Steinhardt.
- The parsing code for the smart protocol has been tightened in
general, fixing heap-buffer overflows when parsing the packet
type as well as for "ACK" and "unpack" packets. The issue was
discovered and fixed by Patrick Steinhardt.
- Fixed potential integer overflows on platforms with 16 bit
integers when parsing packets for the smart protocol. The issue
was discovered and fixed by Patrick Steinhardt.
- Fixed potential NULL pointer dereference when parsing
configuration files which have "include.path" or
"includeIf..path" statements without a value.
v0.27.4
-------
......
......@@ -7,10 +7,10 @@
#ifndef INCLUDE_git_version_h__
#define INCLUDE_git_version_h__
#define LIBGIT2_VERSION "0.27.4"
#define LIBGIT2_VERSION "0.27.5"
#define LIBGIT2_VER_MAJOR 0
#define LIBGIT2_VER_MINOR 27
#define LIBGIT2_VER_REVISION 4
#define LIBGIT2_VER_REVISION 5
#define LIBGIT2_VER_PATCH 0
#define LIBGIT2_SOVERSION 27
......
......@@ -928,6 +928,9 @@ static int parse_include(git_config_parser *reader,
char *dir;
int result;
if (!file)
return 0;
if ((result = git_path_dirname_r(&path, reader->file->path)) < 0)
return result;
......@@ -1029,7 +1032,7 @@ static int parse_conditional_include(git_config_parser *reader,
size_t i;
int error = 0, matches;
if (!parse_data->repo)
if (!parse_data->repo || !file)
return 0;
condition = git__substrdup(section + strlen("includeIf."),
......
......@@ -315,49 +315,51 @@ done:
static int parse_multiline_variable(git_config_parser *reader, git_buf *value, int in_quotes)
{
char *line = NULL, *proc_line = NULL;
int quote_count;
bool multiline;
bool multiline = true;
/* Check that the next line exists */
git_parse_advance_line(&reader->ctx);
line = git__strndup(reader->ctx.line, reader->ctx.line_len);
if (line == NULL)
return -1;
while (multiline) {
char *line = NULL, *proc_line = NULL;
int error;
/* We've reached the end of the file, there is no continuation.
* (this is not an error).
*/
if (line[0] == '\0') {
git__free(line);
return 0;
}
/* Check that the next line exists */
git_parse_advance_line(&reader->ctx);
line = git__strndup(reader->ctx.line, reader->ctx.line_len);
GITERR_CHECK_ALLOC(line);
/*
* We've reached the end of the file, there is no continuation.
* (this is not an error).
*/
if (line[0] == '\0') {
error = 0;
goto out;
}
quote_count = strip_comments(line, !!in_quotes);
/* If it was just a comment, pretend it didn't exist */
quote_count = strip_comments(line, !!in_quotes);
if (line[0] == '\0')
goto next;
/* If it was just a comment, pretend it didn't exist */
if (line[0] == '\0') {
if ((error = unescape_line(&proc_line, &multiline,
line, in_quotes)) < 0)
goto out;
/* Add this line to the multiline var */
if ((error = git_buf_puts(value, proc_line)) < 0)
goto out;
next:
git__free(line);
return parse_multiline_variable(reader, value, quote_count);
/* TODO: unbounded recursion. This **could** be exploitable */
}
git__free(proc_line);
in_quotes = quote_count;
continue;
if (unescape_line(&proc_line, &multiline, line, in_quotes) < 0) {
out:
git__free(line);
return -1;
git__free(proc_line);
return error;
}
/* add this line to the multiline var */
git_buf_puts(value, proc_line);
git__free(line);
git__free(proc_line);
/*
* If we need to continue reading the next line, let's just
* keep putting stuff in the buffer
*/
if (multiline)
return parse_multiline_variable(reader, value, quote_count);
return 0;
}
......
......@@ -210,7 +210,7 @@ static int packfile_load__cb(void *data, git_buf *path)
for (i = 0; i < backend->packs.length; ++i) {
struct git_pack_file *p = git_vector_get(&backend->packs, i);
if (memcmp(p->pack_name, path_str, cmp_len) == 0)
if (strncmp(p->pack_name, path_str, cmp_len) == 0)
return 0;
}
......
......@@ -1813,6 +1813,14 @@ static int get_value(const char **out, git_config *cfg, git_buf *buf, const char
return error;
}
static bool looks_like_command_line_option(const char *s)
{
if (s && s[0] == '-')
return true;
return false;
}
static int submodule_read_config(git_submodule *sm, git_config *cfg)
{
git_buf key = GIT_BUF_INIT;
......@@ -1826,24 +1834,31 @@ static int submodule_read_config(git_submodule *sm, git_config *cfg)
if ((error = get_value(&value, cfg, &key, sm->name, "path")) == 0) {
in_config = 1;
/* We would warn here if we had that API */
if (!looks_like_command_line_option(value)) {
/*
* TODO: if case insensitive filesystem, then the following strcmp
* should be strcasecmp
*/
if (strcmp(sm->name, value) != 0) {
if (sm->path != sm->name)
git__free(sm->path);
sm->path = git__strdup(value);
GITERR_CHECK_ALLOC(sm->path);
if (strcmp(sm->name, value) != 0) {
if (sm->path != sm->name)
git__free(sm->path);
sm->path = git__strdup(value);
GITERR_CHECK_ALLOC(sm->path);
}
}
} else if (error != GIT_ENOTFOUND) {
goto cleanup;
}
if ((error = get_value(&value, cfg, &key, sm->name, "url")) == 0) {
in_config = 1;
sm->url = git__strdup(value);
GITERR_CHECK_ALLOC(sm->url);
/* We would warn here if we had that API */
if (!looks_like_command_line_option(value)) {
in_config = 1;
sm->url = git__strdup(value);
GITERR_CHECK_ALLOC(sm->url);
}
} else if (error != GIT_ENOTFOUND) {
goto cleanup;
}
......
......@@ -33,14 +33,14 @@
extern bool git_smart__ofs_delta_enabled;
enum git_pkt_type {
typedef enum {
GIT_PKT_CMD,
GIT_PKT_FLUSH,
GIT_PKT_REF,
GIT_PKT_HAVE,
GIT_PKT_ACK,
GIT_PKT_NAK,
GIT_PKT_PACK,
GIT_PKT_PACK__UNUSED,
GIT_PKT_COMMENT,
GIT_PKT_ERR,
GIT_PKT_DATA,
......@@ -48,7 +48,7 @@ enum git_pkt_type {
GIT_PKT_OK,
GIT_PKT_NG,
GIT_PKT_UNPACK,
};
} git_pkt_type;
/* Used for multi_ack and mutli_ack_detailed */
enum git_ack_status {
......@@ -60,11 +60,11 @@ enum git_ack_status {
/* This would be a flush pkt */
typedef struct {
enum git_pkt_type type;
git_pkt_type type;
} git_pkt;
struct git_pkt_cmd {
enum git_pkt_type type;
git_pkt_type type;
char *cmd;
char *path;
char *host;
......@@ -72,50 +72,50 @@ struct git_pkt_cmd {
/* This is a pkt-line with some info in it */
typedef struct {
enum git_pkt_type type;
git_pkt_type type;
git_remote_head head;
char *capabilities;
} git_pkt_ref;
/* Useful later */
typedef struct {
enum git_pkt_type type;
git_pkt_type type;
git_oid oid;
enum git_ack_status status;
} git_pkt_ack;
typedef struct {
enum git_pkt_type type;
git_pkt_type type;
char comment[GIT_FLEX_ARRAY];
} git_pkt_comment;
typedef struct {
enum git_pkt_type type;
int len;
git_pkt_type type;
size_t len;
char data[GIT_FLEX_ARRAY];
} git_pkt_data;
typedef git_pkt_data git_pkt_progress;
typedef struct {
enum git_pkt_type type;
int len;
git_pkt_type type;
size_t len;
char error[GIT_FLEX_ARRAY];
} git_pkt_err;
typedef struct {
enum git_pkt_type type;
git_pkt_type type;
char *ref;
} git_pkt_ok;
typedef struct {
enum git_pkt_type type;
git_pkt_type type;
char *ref;
char *msg;
} git_pkt_ng;
typedef struct {
enum git_pkt_type type;
git_pkt_type type;
int unpack_ok;
} git_pkt_unpack;
......@@ -189,7 +189,7 @@ int git_smart__get_push_stream(transport_smart *t, git_smart_subtransport_stream
int git_smart__update_heads(transport_smart *t, git_vector *symrefs);
/* smart_pkt.c */
int git_pkt_parse_line(git_pkt **head, const char *line, const char **out, size_t len);
int git_pkt_parse_line(git_pkt **head, const char **endptr, const char *line, size_t linelen);
int git_pkt_buffer_flush(git_buf *buf);
int git_pkt_send_flush(GIT_SOCKET s);
int git_pkt_buffer_done(git_buf *buf);
......
......@@ -44,7 +44,7 @@ int git_smart__store_refs(transport_smart *t, int flushes)
do {
if (buf->offset > 0)
error = git_pkt_parse_line(&pkt, buf->data, &line_end, buf->offset);
error = git_pkt_parse_line(&pkt, &line_end, buf->data, buf->offset);
else
error = GIT_EBUFS;
......@@ -209,15 +209,15 @@ int git_smart__detect_caps(git_pkt_ref *pkt, transport_smart_caps *caps, git_vec
return 0;
}
static int recv_pkt(git_pkt **out, gitno_buffer *buf)
static int recv_pkt(git_pkt **out, git_pkt_type *pkt_type, gitno_buffer *buf)
{
const char *ptr = buf->data, *line_end = ptr;
git_pkt *pkt = NULL;
int pkt_type, error = 0, ret;
int error = 0, ret;
do {
if (buf->offset > 0)
error = git_pkt_parse_line(&pkt, ptr, &line_end, buf->offset);
error = git_pkt_parse_line(&pkt, &line_end, ptr, buf->offset);
else
error = GIT_EBUFS;
......@@ -236,13 +236,14 @@ static int recv_pkt(git_pkt **out, gitno_buffer *buf)
} while (error);
gitno_consume(buf, line_end);
pkt_type = pkt->type;
if (pkt_type)
*pkt_type = pkt->type;
if (out != NULL)
*out = pkt;
else
git__free(pkt);
return pkt_type;
return error;
}
static int store_common(transport_smart *t)
......@@ -252,7 +253,7 @@ static int store_common(transport_smart *t)
int error;
do {
if ((error = recv_pkt(&pkt, buf)) < 0)
if ((error = recv_pkt(&pkt, NULL, buf)) < 0)
return error;
if (pkt->type == GIT_PKT_ACK) {
......@@ -320,7 +321,7 @@ static int wait_while_ack(gitno_buffer *buf)
while (1) {
git__free(pkt);
if ((error = recv_pkt((git_pkt **)&pkt, buf)) < 0)
if ((error = recv_pkt((git_pkt **)&pkt, NULL, buf)) < 0)
return error;
if (pkt->type == GIT_PKT_NAK)
......@@ -345,7 +346,8 @@ int git_smart__negotiate_fetch(git_transport *transport, git_repository *repo, c
gitno_buffer *buf = &t->buffer;
git_buf data = GIT_BUF_INIT;
git_revwalk *walk = NULL;
int error = -1, pkt_type;
int error = -1;
git_pkt_type pkt_type;
unsigned int i;
git_oid oid;
......@@ -395,16 +397,13 @@ int git_smart__negotiate_fetch(git_transport *transport, git_repository *repo, c
if ((error = store_common(t)) < 0)
goto on_error;
} else {
pkt_type = recv_pkt(NULL, buf);
if (pkt_type == GIT_PKT_ACK) {
error = recv_pkt(NULL, &pkt_type, buf);
if (error < 0) {
goto on_error;
} else if (pkt_type == GIT_PKT_ACK) {
break;
} else if (pkt_type == GIT_PKT_NAK) {
continue;
} else if (pkt_type < 0) {
/* recv_pkt returned an error */
error = pkt_type;
goto on_error;
} else {
giterr_set(GITERR_NET, "Unexpected pkt type");
error = -1;
......@@ -470,10 +469,10 @@ int git_smart__negotiate_fetch(git_transport *transport, git_repository *repo, c
/* Now let's eat up whatever the server gives us */
if (!t->caps.multi_ack && !t->caps.multi_ack_detailed) {
pkt_type = recv_pkt(NULL, buf);
error = recv_pkt(NULL, &pkt_type, buf);
if (pkt_type < 0) {
return pkt_type;
if (error < 0) {
return error;
} else if (pkt_type != GIT_PKT_ACK && pkt_type != GIT_PKT_NAK) {
giterr_set(GITERR_NET, "Unexpected pkt type");
return -1;
......@@ -594,7 +593,7 @@ int git_smart__download_pack(
goto done;
}
if ((error = recv_pkt(&pkt, buf)) >= 0) {
if ((error = recv_pkt(&pkt, NULL, buf)) >= 0) {
/* Check cancellation after network call */
if (t->cancelled.val) {
giterr_clear();
......@@ -752,7 +751,7 @@ static int add_push_report_sideband_pkt(git_push *push, git_pkt_data *data_pkt,
}
while (line_len > 0) {
error = git_pkt_parse_line(&pkt, line, &line_end, line_len);
error = git_pkt_parse_line(&pkt, &line_end, line, line_len);
if (error == GIT_EBUFS) {
/* Buffer the data when the inner packet is split
......@@ -795,8 +794,8 @@ static int parse_report(transport_smart *transport, git_push *push)
for (;;) {
if (buf->offset > 0)
error = git_pkt_parse_line(&pkt, buf->data,
&line_end, buf->offset);
error = git_pkt_parse_line(&pkt, &line_end,
buf->data, buf->offset);
else
error = GIT_EBUFS;
......
......@@ -35,6 +35,8 @@ void test_config_include__absolute(void)
cl_git_pass(git_config_get_string_buf(&buf, cfg, "foo.bar.baz"));
cl_assert_equal_s("huzzah", git_buf_cstr(&buf));
cl_git_pass(p_unlink("config-include-absolute"));
}
void test_config_include__homedir(void)
......@@ -48,6 +50,8 @@ void test_config_include__homedir(void)
cl_assert_equal_s("huzzah", git_buf_cstr(&buf));
cl_sandbox_set_search_path_defaults();
cl_git_pass(p_unlink("config-include-homedir"));
}
/* We need to pretend that the variables were defined where the file was included */
......@@ -66,6 +70,9 @@ void test_config_include__ordering(void)
git_buf_clear(&buf);
cl_git_pass(git_config_get_string_buf(&buf, cfg, "foo.bar.baz"));
cl_assert_equal_s("huzzah", git_buf_cstr(&buf));
cl_git_pass(p_unlink("included"));
cl_git_pass(p_unlink("including"));
}
/* We need to pretend that the variables were defined where the file was included */
......@@ -76,8 +83,18 @@ void test_config_include__depth(void)
cl_git_fail(git_config_open_ondisk(&cfg, "a"));
p_unlink("a");
p_unlink("b");
cl_git_pass(p_unlink("a"));
cl_git_pass(p_unlink("b"));
}
void test_config_include__empty_path_sanely_handled(void)
{
cl_git_mkfile("a", "[include]\npath");
cl_git_pass(git_config_open_ondisk(&cfg, "a"));
cl_git_pass(git_config_get_string_buf(&buf, cfg, "include.path"));
cl_assert_equal_s("", git_buf_cstr(&buf));
cl_git_pass(p_unlink("a"));
}
void test_config_include__missing(void)
......@@ -89,6 +106,8 @@ void test_config_include__missing(void)
cl_assert(giterr_last() == NULL);
cl_git_pass(git_config_get_string_buf(&buf, cfg, "foo.bar"));
cl_assert_equal_s("baz", git_buf_cstr(&buf));
cl_git_pass(p_unlink("including"));
}
void test_config_include__missing_homedir(void)
......@@ -103,6 +122,7 @@ void test_config_include__missing_homedir(void)
cl_assert_equal_s("baz", git_buf_cstr(&buf));
cl_sandbox_set_search_path_defaults();
cl_git_pass(p_unlink("including"));
}
#define replicate10(s) s s s s s s s s s s
......@@ -122,6 +142,10 @@ void test_config_include__depth2(void)
git_buf_clear(&buf);
cl_git_pass(git_config_get_string_buf(&buf, cfg, "foo.bar2"));
cl_assert_equal_s("baz2", git_buf_cstr(&buf));
cl_git_pass(p_unlink("top-level"));
cl_git_pass(p_unlink("middle"));
cl_git_pass(p_unlink("bottom"));
}
void test_config_include__removing_include_removes_values(void)
......@@ -132,6 +156,9 @@ void test_config_include__removing_include_removes_values(void)
cl_git_pass(git_config_open_ondisk(&cfg, "top-level"));
cl_git_mkfile("top-level", "");
cl_git_fail(git_config_get_string_buf(&buf, cfg, "foo.bar"));
cl_git_pass(p_unlink("top-level"));
cl_git_pass(p_unlink("included"));
}
void test_config_include__rewriting_include_refreshes_values(void)
......@@ -145,6 +172,10 @@ void test_config_include__rewriting_include_refreshes_values(void)
cl_git_fail(git_config_get_string_buf(&buf, cfg, "foo.bar"));
cl_git_pass(git_config_get_string_buf(&buf, cfg, "first.other"));
cl_assert_equal_s(buf.ptr, "value");
cl_git_pass(p_unlink("top-level"));
cl_git_pass(p_unlink("first"));
cl_git_pass(p_unlink("second"));
}
void test_config_include__included_variables_cannot_be_deleted(void)
......@@ -154,13 +185,20 @@ void test_config_include__included_variables_cannot_be_deleted(void)
cl_git_pass(git_config_open_ondisk(&cfg, "top-level"));
cl_git_fail(git_config_delete_entry(cfg, "foo.bar"));
cl_git_pass(p_unlink("top-level"));
cl_git_pass(p_unlink("included"));
}
void test_config_include__included_variables_cannot_be_modified(void)
{
cl_git_mkfile("top-level", "[include]\npath = included\n");
cl_git_mkfile("included", "[foo]\nbar = value");
cl_git_pass(git_config_open_ondisk(&cfg, "top-level"));
cl_git_fail(git_config_set_string(cfg, "foo.bar", "other-value"));
cl_git_pass(p_unlink("top-level"));
cl_git_pass(p_unlink("included"));
}
#include "clar_libgit2.h"
#include "posix.h"
#include "path.h"
#include "submodule_helpers.h"
#include "fileops.h"
#include "repository.h"
static git_repository *g_repo = NULL;
void test_submodule_inject_option__initialize(void)
{
g_repo = setup_fixture_submodule_simple();
}
void test_submodule_inject_option__cleanup(void)
{
cl_git_sandbox_cleanup();
}
static int find_naughty(git_submodule *sm, const char *name, void *payload)
{
int *foundit = (int *) payload;
GIT_UNUSED(sm);
if (!git__strcmp("naughty", name))
*foundit = true;
return 0;
}
void test_submodule_inject_option__url(void)
{
int foundit;
git_submodule *sm;
git_buf buf = GIT_BUF_INIT;
cl_git_pass(git_buf_joinpath(&buf, git_repository_workdir(g_repo), ".gitmodules"));
cl_git_rewritefile(buf.ptr,
"[submodule \"naughty\"]\n"
" path = testrepo\n"
" url = -u./payload\n");
git_buf_free(&buf);
/* We do want to find it, but with the appropriate field empty */
foundit = 0;
cl_git_pass(git_submodule_foreach(g_repo, find_naughty, &foundit));
cl_assert_equal_i(1, foundit);
cl_git_pass(git_submodule_lookup(&sm, g_repo, "naughty"));
cl_assert_equal_s("testrepo", git_submodule_path(sm));
cl_assert_equal_p(NULL, git_submodule_url(sm));
git_submodule_free(sm);
}
void test_submodule_inject_option__path(void)
{
int foundit;
git_submodule *sm;
git_buf buf = GIT_BUF_INIT;
cl_git_pass(git_buf_joinpath(&buf, git_repository_workdir(g_repo), ".gitmodules"));
cl_git_rewritefile(buf.ptr,
"[submodule \"naughty\"]\n"
" path = --something\n"
" url = blah.git\n");
git_buf_free(&buf);
/* We do want to find it, but with the appropriate field empty */
foundit = 0;
cl_git_pass(git_submodule_foreach(g_repo, find_naughty, &foundit));
cl_assert_equal_i(1, foundit);
cl_git_pass(git_submodule_lookup(&sm, g_repo, "naughty"));
cl_assert_equal_s("naughty", git_submodule_path(sm));
cl_assert_equal_s("blah.git", git_submodule_url(sm));
git_submodule_free(sm);
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment