From 3b0bf2704980b1ed6018622bdf5377ec22289688 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlo=20Marcelo=20Arenas=20Bel=C3=B3n?= Date: Tue, 10 May 2022 12:35:29 -0700 Subject: [PATCH 1/9] setup: tighten ownership checks post CVE-2022-24765 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 8959555cee7 (setup_git_directory(): add an owner check for the top-level directory, 2022-03-02), adds a function to check for ownership of repositories using a directory that is representative of it, and ways to add exempt a specific repository from said check if needed, but that check didn't account for owership of the gitdir, or (when used) the gitfile that points to that gitdir. An attacker could create a git repository in a directory that they can write into but that is owned by the victim to work around the fix that was introduced with CVE-2022-24765 to potentially run code as the victim. An example that could result in privilege escalation to root in *NIX would be to set a repository in a shared tmp directory by doing (for example): $ git -C /tmp init To avoid that, extend the ensure_valid_ownership function to be able to check for all three paths. This will have the side effect of tripling the number of stat() calls when a repository is detected, but the effect is expected to be likely minimal, as it is done only once during the directory walk in which Git looks for a repository. Additionally make sure to resolve the gitfile (if one was used) to find the relevant gitdir for checking. While at it change the message printed on failure so it is clear we are referring to the repository by its worktree (or gitdir if it is bare) and not to a specific directory. Helped-by: Junio C Hamano Helped-by: Johannes Schindelin Signed-off-by: Carlo Marcelo Arenas Belón --- setup.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 60 insertions(+), 11 deletions(-) diff --git a/setup.c b/setup.c index aad9ace0af..9dcecda65b 100644 --- a/setup.c +++ b/setup.c @@ -1054,14 +1054,32 @@ static int safe_directory_cb(const char *key, const char *value, void *d) return 0; } -static int ensure_valid_ownership(const char *path) +/* + * Check if a repository is safe, by verifying the ownership of the + * worktree (if any), the git directory, and the gitfile (if any). + * + * Exemptions for known-safe repositories can be added via `safe.directory` + * config settings; for non-bare repositories, their worktree needs to be + * added, for bare ones their git directory. + */ +static int ensure_valid_ownership(const char *gitfile, + const char *worktree, const char *gitdir) { - struct safe_directory_data data = { .path = path }; + struct safe_directory_data data = { + .path = worktree ? worktree : gitdir + }; if (!git_env_bool("GIT_TEST_ASSUME_DIFFERENT_OWNER", 0) && - is_path_owned_by_current_user(path)) + (!gitfile || is_path_owned_by_current_user(gitfile)) && + (!worktree || is_path_owned_by_current_user(worktree)) && + (!gitdir || is_path_owned_by_current_user(gitdir))) return 1; + /* + * data.path is the "path" that identifies the repository and it is + * constant regardless of what failed above. data.is_safe should be + * initialized to false, and might be changed by the callback. + */ read_very_early_config(safe_directory_cb, &data); return data.is_safe; @@ -1149,6 +1167,8 @@ static enum discovery_result setup_git_directory_gently_1(struct strbuf *dir, current_device = get_device_or_die(dir->buf, NULL, 0); for (;;) { int offset = dir->len, error_code = 0; + char *gitdir_path = NULL; + char *gitfile = NULL; if (offset > min_offset) strbuf_addch(dir, '/'); @@ -1159,21 +1179,50 @@ static enum discovery_result setup_git_directory_gently_1(struct strbuf *dir, if (die_on_error || error_code == READ_GITFILE_ERR_NOT_A_FILE) { /* NEEDSWORK: fail if .git is not file nor dir */ - if (is_git_directory(dir->buf)) + if (is_git_directory(dir->buf)) { gitdirenv = DEFAULT_GIT_DIR_ENVIRONMENT; + gitdir_path = xstrdup(dir->buf); + } } else if (error_code != READ_GITFILE_ERR_STAT_FAILED) return GIT_DIR_INVALID_GITFILE; - } + } else + gitfile = xstrdup(dir->buf); + /* + * Earlier, we tentatively added DEFAULT_GIT_DIR_ENVIRONMENT + * to check that directory for a repository. + * Now trim that tentative addition away, because we want to + * focus on the real directory we are in. + */ strbuf_setlen(dir, offset); if (gitdirenv) { - if (!ensure_valid_ownership(dir->buf)) - return GIT_DIR_INVALID_OWNERSHIP; - strbuf_addstr(gitdir, gitdirenv); - return GIT_DIR_DISCOVERED; + enum discovery_result ret; + + if (ensure_valid_ownership(gitfile, + dir->buf, + (gitdir_path ? gitdir_path : gitdirenv))) { + strbuf_addstr(gitdir, gitdirenv); + ret = GIT_DIR_DISCOVERED; + } else + ret = GIT_DIR_INVALID_OWNERSHIP; + + /* + * Earlier, during discovery, we might have allocated + * string copies for gitdir_path or gitfile so make + * sure we don't leak by freeing them now, before + * leaving the loop and function. + * + * Note: gitdirenv will be non-NULL whenever these are + * allocated, therefore we need not take care of releasing + * them outside of this conditional block. + */ + free(gitdir_path); + free(gitfile); + + return ret; } if (is_git_directory(dir->buf)) { - if (!ensure_valid_ownership(dir->buf)) + if (!ensure_valid_ownership(NULL, NULL, dir->buf)) return GIT_DIR_INVALID_OWNERSHIP; strbuf_addstr(gitdir, "."); return GIT_DIR_BARE; @@ -1306,7 +1355,7 @@ const char *setup_git_directory_gently(int *nongit_ok) struct strbuf quoted = STRBUF_INIT; sq_quote_buf_pretty("ed, dir.buf); - die(_("unsafe repository ('%s' is owned by someone else)\n" + die(_("detected dubious ownership in repository at '%s'\n" "To add an exception for this directory, call:\n" "\n" "\tgit config --global --add safe.directory %s"), From 88b7be68a4bf9f39b84ed438d8d776c0d752b316 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Fri, 27 May 2022 23:38:36 +0200 Subject: [PATCH 2/9] Git 2.30.5 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.30.5.txt | 12 ++++++++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.30.5.txt diff --git a/Documentation/RelNotes/2.30.5.txt b/Documentation/RelNotes/2.30.5.txt new file mode 100644 index 0000000000..5191cab3ae --- /dev/null +++ b/Documentation/RelNotes/2.30.5.txt @@ -0,0 +1,12 @@ +Git v2.30.5 Release Notes +========================= + +This release contains minor fix-ups for the changes that went into +Git 2.30.3 and 2.30.4, addressing CVE-2022-29187. + + * The safety check that verifies a safe ownership of the Git + worktree is now extended to also cover the ownership of the Git + directory (and the `.git` file, if there is any). + +Carlo Marcelo Arenas Belón (1): + setup: tighten ownership checks post CVE-2022-24765 diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index a927c77478..39d0c99da6 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.30.4 +DEF_VER=v2.30.5 LF=' ' diff --git a/RelNotes b/RelNotes index 4dcee84642..406d23844b 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.30.4.txt \ No newline at end of file +Documentation/RelNotes/2.30.5.txt \ No newline at end of file From 5b1c746c352e85211770e5cbd26a433b3affd3b4 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 23 Jun 2022 12:35:25 +0200 Subject: [PATCH 3/9] Git 2.31.4 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.31.4.txt | 6 ++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.31.4.txt diff --git a/Documentation/RelNotes/2.31.4.txt b/Documentation/RelNotes/2.31.4.txt new file mode 100644 index 0000000000..97a91fd07a --- /dev/null +++ b/Documentation/RelNotes/2.31.4.txt @@ -0,0 +1,6 @@ +Git v2.31.4 Release Notes +========================= + +This release merges up the fixes that appear in v2.30.5 to address +the security issue CVE-2022-29187; see the release notes for that +version for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index da853679b7..2126fe83f8 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.31.3 +DEF_VER=v2.31.4 LF=' ' diff --git a/RelNotes b/RelNotes index c3d6893a92..7ef30395e1 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.31.3.txt \ No newline at end of file +Documentation/RelNotes/2.31.4.txt \ No newline at end of file From 656d9a24f624039831bc2e865f4cc42f393caf70 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 23 Jun 2022 12:35:32 +0200 Subject: [PATCH 4/9] Git 2.32.3 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.32.3.txt | 6 ++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.32.3.txt diff --git a/Documentation/RelNotes/2.32.3.txt b/Documentation/RelNotes/2.32.3.txt new file mode 100644 index 0000000000..583fabe684 --- /dev/null +++ b/Documentation/RelNotes/2.32.3.txt @@ -0,0 +1,6 @@ +Git v2.32.3 Release Notes +========================= + +This release merges up the fixes that appear in v2.30.5 and +v2.31.4 to address the security issue CVE-2022-29187; see the +release notes for these versions for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index e7efe58866..c8237bb5e9 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.32.2 +DEF_VER=v2.32.3 LF=' ' diff --git a/RelNotes b/RelNotes index 4ac68388c3..3bfb2b6297 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.32.2.txt \ No newline at end of file +Documentation/RelNotes/2.32.3.txt \ No newline at end of file From 80c525c4acaf6072697d4bd2a3a5137f91665b55 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 23 Jun 2022 12:35:41 +0200 Subject: [PATCH 5/9] Git 2.33.4 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.33.4.txt | 6 ++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.33.4.txt diff --git a/Documentation/RelNotes/2.33.4.txt b/Documentation/RelNotes/2.33.4.txt new file mode 100644 index 0000000000..a145cc25de --- /dev/null +++ b/Documentation/RelNotes/2.33.4.txt @@ -0,0 +1,6 @@ +Git v2.33.4 Release Notes +========================= + +This release merges up the fixes that appear in v2.30.5, v2.31.4 +and v2.32.3 to address the security issue CVE-2022-29187; see +the release notes for these versions for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 86a3a2870c..473746835b 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.33.3 +DEF_VER=v2.33.4 LF=' ' diff --git a/RelNotes b/RelNotes index 899139d9ec..6cb6ec27dc 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.33.3.txt \ No newline at end of file +Documentation/RelNotes/2.33.4.txt \ No newline at end of file From f2eed22852b0a21556f0c9f56732913eba553e62 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 23 Jun 2022 12:35:49 +0200 Subject: [PATCH 6/9] Git 2.34.4 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.34.4.txt | 6 ++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.34.4.txt diff --git a/Documentation/RelNotes/2.34.4.txt b/Documentation/RelNotes/2.34.4.txt new file mode 100644 index 0000000000..2a6b223403 --- /dev/null +++ b/Documentation/RelNotes/2.34.4.txt @@ -0,0 +1,6 @@ +Git v2.34.4 Release Notes +========================= + +This release merges up the fixes that appear in v2.30.5, v2.31.4, +v2.32.3 and v2.33.4 to address the security issue CVE-2022-29187; +see the release notes for these versions for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 3ae76105c8..9e2cf5d43d 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.34.3 +DEF_VER=v2.34.4 LF=' ' diff --git a/RelNotes b/RelNotes index 1065723912..9041e1b0fe 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.34.3.txt \ No newline at end of file +Documentation/RelNotes/2.34.4.txt \ No newline at end of file From 359da658ae32d9a7e5e93ac173fc221352b62917 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 23 Jun 2022 12:36:05 +0200 Subject: [PATCH 7/9] Git 2.35.4 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.35.4.txt | 7 +++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.35.4.txt diff --git a/Documentation/RelNotes/2.35.4.txt b/Documentation/RelNotes/2.35.4.txt new file mode 100644 index 0000000000..47abd5ad45 --- /dev/null +++ b/Documentation/RelNotes/2.35.4.txt @@ -0,0 +1,7 @@ +Git v2.35.4 Release Notes +========================= + +This release merges up the fixes that appear in v2.30.5, +v2.31.4, v2.32.3, v2.33.4 and v2.34.4 to address the security +issue CVE-2022-29187; see the release notes for these versions +for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 002b1d7af4..676238effd 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.35.3 +DEF_VER=v2.35.4 LF=' ' diff --git a/RelNotes b/RelNotes index e271ea5958..b1d7b2b7a8 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.35.3.txt \ No newline at end of file +Documentation/RelNotes/2.35.4.txt \ No newline at end of file From fd59c5bdeeb50f18e86f36cbf7a0b82554621690 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 23 Jun 2022 12:36:14 +0200 Subject: [PATCH 8/9] Git 2.36.2 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.36.2.txt | 14 ++++++++++---- GIT-VERSION-GEN | 2 +- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/Documentation/RelNotes/2.36.2.txt b/Documentation/RelNotes/2.36.2.txt index ba5d5acd07..958f5b4102 100644 --- a/Documentation/RelNotes/2.36.2.txt +++ b/Documentation/RelNotes/2.36.2.txt @@ -1,10 +1,16 @@ Git v2.36.2 Release Notes ========================= -This maintenance release is primarily to merge down updates to the -build and CI procedures from the 'master' front, in order to ensure -that we can cut healthy maintenance releases in the future. It also -contains a handful of small and trivially-correct bugfixes. +This release merges up the fixes that appear in v2.30.5, v2.31.4, +v2.32.3, v2.33.4, v2.34.4 and v2.35.4 to address the security +issue CVE-2022-29187; see the release notes for these versions +for details. + +Apart from that, this maintenance release is primarily to merge down +updates to the build and CI procedures from the 'master' front, in +order to ensure that we can cut healthy maintenance releases in the +future. It also contains a handful of small and trivially-correct +bugfixes. Fixes since v2.36.1 ------------------- diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index c1e8552d27..12f26c83d6 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.36.1 +DEF_VER=v2.36.2 LF=' ' From bbea4dcf42b28eb7ce64a6306cdde875ae5d09ca Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Mon, 4 Jul 2022 13:45:08 -0700 Subject: [PATCH 9/9] Git 2.37.1 Signed-off-by: Junio C Hamano --- Documentation/RelNotes/2.37.1.txt | 17 +++++++++++++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.37.1.txt diff --git a/Documentation/RelNotes/2.37.1.txt b/Documentation/RelNotes/2.37.1.txt new file mode 100644 index 0000000000..84609327d1 --- /dev/null +++ b/Documentation/RelNotes/2.37.1.txt @@ -0,0 +1,17 @@ +Git 2.37.1 Release Notes +======================== + +This release merges up the fixes that appear in v2.30.5, v2.31.4, +v2.32.3, v2.33.4, v2.34.4, v2.35.4, and v2.36.2 to address the +security issue CVE-2022-29187; see the release notes for these +versions for details. + +Fixes since Git 2.37 +-------------------- + + * Rewrite of "git add -i" in C that appeared in Git 2.25 didn't + correctly record a removed file to the index, which is an old + regression but has become widely known because the C version has + become the default in the latest release. + + * Fix for CVS-2022-29187. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index b210b306b7..1b2c580ecc 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.37.0 +DEF_VER=v2.37.1 LF=' ' diff --git a/RelNotes b/RelNotes index 51144b6e83..a55e1d4eef 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.37.0.txt \ No newline at end of file +Documentation/RelNotes/2.37.1.txt \ No newline at end of file