aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages
diff options
context:
space:
mode:
authorEfraim Flashner <efraim@flashner.co.il>2018-05-13 20:39:36 +0300
committerEfraim Flashner <efraim@flashner.co.il>2018-05-13 20:39:36 +0300
commitaa8ac0294421d465f60e18c8271f971ec8407a95 (patch)
tree692651c885a0719342a8687882ca8cbe74773a6d /gnu/packages
parent307cdd665ec216dff4b4209b14ccc6f44778f581 (diff)
downloadgnu-guix-aa8ac0294421d465f60e18c8271f971ec8407a95.tar
gnu-guix-aa8ac0294421d465f60e18c8271f971ec8407a95.tar.gz
gnu: myrepos: Fix CVE-2018-7032.
* gnu/packages/version-control.scm (myrepos)[source]: Add patch. * gnu/packages/patches/myrepos-CVE-2018-7032.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it.
Diffstat (limited to 'gnu/packages')
-rw-r--r--gnu/packages/patches/myrepos-CVE-2018-7032.patch69
-rw-r--r--gnu/packages/version-control.scm3
2 files changed, 71 insertions, 1 deletions
diff --git a/gnu/packages/patches/myrepos-CVE-2018-7032.patch b/gnu/packages/patches/myrepos-CVE-2018-7032.patch
new file mode 100644
index 0000000000..ce9493e5f9
--- /dev/null
+++ b/gnu/packages/patches/myrepos-CVE-2018-7032.patch
@@ -0,0 +1,69 @@
+http://source.myrepos.branchable.com/?p=source.git;a=patch;h=40a3df21c73f1bb1b6915cc6fa503f50814664c8
+This can be removed with the next release. It was modified slightly to apply
+
+From 40a3df21c73f1bb1b6915cc6fa503f50814664c8 Mon Sep 17 00:00:00 2001
+From: Paul Wise <pabs3@bonedaddy.net>
+Date: Sun, 11 Feb 2018 21:57:49 +0800
+Subject: [PATCH] Mitigate vulnerabilities caused by some git remotes being
+ able to execute code
+
+Set GIT_PROTOCOL_FROM_USER=0 with git versions newer than 2.12.
+
+Prevent remote websites from causing cloning of local repositories.
+
+Manually whitelist known-safe protocols (http, https, git, ssh)
+when using git versions older than 2.12.
+
+Fixes: CVE-2018-7032
+Fixes: https://bugs.debian.org/840014
+Suggestions-by: Jakub Wilk <jwilk@jwilk.net>
+Reported-by: Jakub Wilk <jwilk@jwilk.net>
+---
+ webcheckout | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/webcheckout b/webcheckout
+index e98da5c..de497ba 100755
+--- a/webcheckout
++++ b/webcheckout
+@@ -71,6 +71,16 @@ use Getopt::Long;
+ use warnings;
+ use strict;
+
++# Mitigate some git remote types being dangerous
++my $git_unsafe = 1;
++my $git_version = `git --version`;
++$git_version =~ s{^git version }{};
++my ($major, $minor) = split(/\./, $git_version);
++if (int($major) >= 2 && int($minor) >= 12) {
++ $ENV{GIT_PROTOCOL_FROM_USER} = 0;
++ $git_unsafe = 0;
++}
++
+ # What to download.
+ my $url;
+
+@@ -89,7 +99,17 @@ my $destdir;
+
+ # how to perform checkouts
+ my %handlers=(
+- git => sub { doit("git", "clone", shift, $destdir) },
+- svn => sub { doit("svn", "checkout", shift, $destdir) },
+- bzr => sub { doit("bzr", "branch", shift, $destdir) },
++ git => sub {
++ my $git_url = shift;
++ # Reject unsafe URLs with older versions of git
++ # that do not already check the URL safety.
++ if ($git_unsafe && $git_url !~ m{^(?:(?:https?|git|ssh):[^:]|(?:[-_.A-Za-z0-9]+@)?[-_.A-Za-z0-9]+:(?!:|//))}) {
++ print STDERR "potentially unsafe git URL, may fail, touch local files or execute arbitrary code\n";
++ return 1;
++ }
++ # Reject cloning local directories too, webcheckout is for remote repos
++ doit(qw(git -c protocol.file.allow=user clone --), $git_url, $destdir)
++ },
++ svn => sub { doit(qw(svn checkout --), shift, $destdir) },
++ bzr => sub { doit(qw(bzr branch --), shift, $destdir) },
+ );
+--
+2.11.0
+
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 848660bdd7..b41529d4f8 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -1573,7 +1573,8 @@ modification time.")
(commit version)))
(file-name (string-append name "-" version "-checkout"))
(sha256
- (base32 "10q7lpx152xnkk701fscn4dq99q9znnmv3bc2482khhjg7z8rps0"))))
+ (base32 "10q7lpx152xnkk701fscn4dq99q9znnmv3bc2482khhjg7z8rps0"))
+ (patches (search-patches "myrepos-CVE-2018-7032.patch"))))
(build-system gnu-build-system)
(inputs
`(("perl" ,perl)))