Bug#1053221: marked as done (bookworm-pu: package python-git/3.1.30-1+deb12u2)
Your message dated Sat, 07 Oct 2023 09:59:43 +0000
with message-id <E1qp463-00A4Jh-Pu@coccia.debian.org>
and subject line Released with 12.2
has caused the Debian Bug report #1053221,
regarding bookworm-pu: package python-git/3.1.30-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1053221: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053221
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]

Fixes CVE-2023-40267 which can lead to RCE in specific configurations
when a malicious URL is fed to GitPython.  For example, this affects
the F-Droid buildserver, which accepts git URLs from users via merge
requests.

[ Impact ]

Everything should work as before, except that unsafe URLs will now
throw an exception.  That can be overridden using function arguments.

[ Tests ]

Sylvain Beucler fixed this first in Debian LTS buster.  Canonical then
created and shipped a patch, which includes additions to the existing
test suite to cover the issues in CVE-2023-40267.  It is covered by the
package's autopkgtest.  I also ran the test suite locally on a bookworm
machine.

[ Risks ]

Risks are minimal since this patch has been shipped by Debian LTS and
Ubuntu, and the original code has been released by upstream for a while
now.  The patch touches most of the core functionality, so bugs could
break things.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The patch is a refactoring of what upstream developed and shipped for
CVE-2023-40267.

diff --git a/debian/changelog b/debian/changelog
index dfaadbc..9b9ce45 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+python-git (3.1.30-1+deb12u1) stable; urgency=medium
+
+  [ Hans-Christoph Steiner ]
+  * Team upload.
+  * CVE-2023-40267: Include patch from Ubuntu (Closes: #1043503)
+
+  [ Fabian Toepfer ]
+  * SECURITY UPDATE: RCE due to improper user input validation
+    - debian/patches/CVE-2023-40267.patch: Block insecure non-multi
+      options in clone/clone_from.
+    - CVE-2023-40267
+
+ -- Hans-Christoph Steiner <hans@eds.org>  Fri, 29 Sep 2023 16:18:03 +0200
+
 python-git (3.1.30-1) unstable; urgency=medium
 
   [ Debian Janitor ]
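Review bot: the version in the new changelog entry, 3.1.30-1+deb12u1 targeting `stable`, does not match the 3.1.30-1+deb12u2 requested in the bug title; since the u2 in the title implies a +deb12u1 already exists, please regenerate the debdiff against the version actually being uploaded (and prefer `bookworm` as the target distribution, as the `Tags: bookworm` line already says). The two author blocks also describe the same CVE-2023-40267 patch twice; one entry, e.g. "CVE-2023-40267: RCE due to improper user input validation; block insecure non-multi options in clone/clone_from (patch from Ubuntu, Fabian Toepfer) (Closes: #1043503)", would read more clearly.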
diff --git a/debian/patches/CVE-2023-40267.patch b/debian/patches/CVE-2023-40267.patch
new file mode 100644
index 0000000..b733fb2
--- /dev/null
+++ b/debian/patches/CVE-2023-40267.patch
@@ -0,0 +1,60 @@
+From 5c59e0d63da6180db8a0b349f0ad36fef42aceed Mon Sep 17 00:00:00 2001
+From: Sylvain Beucler <beuc@beuc.net>
+Date: Mon, 10 Jul 2023 16:10:10 +0200
+Subject: [PATCH] Block insecure non-multi options in clone/clone_from
+ Follow-up to #1521
+
+---
+ git/repo/base.py  |  2 ++
+ test/test_repo.py | 24 +++++++++++++++++++++++-
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+--- python-git-3.1.30.orig/git/repo/base.py
++++ python-git-3.1.30/git/repo/base.py
+@@ -1188,6 +1188,8 @@ class Repo(object):
+ 
+         if not allow_unsafe_protocols:
+             Git.check_unsafe_protocols(str(url))
++        if not allow_unsafe_options:
++            Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=cls.unsafe_git_clone_options)
+         if not allow_unsafe_options and multi_options:
+             Git.check_unsafe_options(options=multi_options, unsafe_options=cls.unsafe_git_clone_options)
+ 
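Review bot: the new check runs over the raw keyword names, `list(kwargs.keys())`, so it catches the spellings the tests below use (`upload-pack`, `u`, `config`, `c`), but the usual Python spelling `upload_pack=...` only becomes `--upload-pack` later, when the keyword is turned into a command-line flag. Unless `check_unsafe_options` (not part of this debdiff) already normalises underscores, consider checking the normalised names as well, e.g. `options=[k.replace("_", "-") for k in kwargs]`, and add the underscore form to the tests. A one-line comment above the two added lines saying why kwargs are checked separately from `multi_options` would also help the next reader.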
+--- python-git-3.1.30.orig/test/test_repo.py
++++ python-git-3.1.30/test/test_repo.py
+@@ -281,6 +281,17 @@ class TestRepo(TestBase):
+                 rw_repo.clone(tmp_dir, multi_options=[unsafe_option])
+             assert not tmp_file.exists()
+ 
++        unsafe_options = [
++            {"upload-pack": f"touch {tmp_file}"},
++            {"u": f"touch {tmp_file}"},
++            {"config": "protocol.ext.allow=always"},
++            {"c": "protocol.ext.allow=always"},
++        ]
++        for unsafe_option in unsafe_options:
++            with self.assertRaises(UnsafeOptionError):
++                rw_repo.clone(tmp_dir, **unsafe_option)
++            assert not tmp_file.exists()
++
+     @with_rw_repo("HEAD")
+     def test_clone_unsafe_options_allowed(self, rw_repo):
+         tmp_dir = pathlib.Path(tempfile.mkdtemp())
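Review bot: the `unsafe_options` table added here is repeated verbatim in the `clone_from` test below; hoisting it to a module-level constant next to the existing `multi_options` list keeps the two tests from drifting apart when the blocked-option list changes. The `assert not tmp_file.exists()` after each rejected call is the right post-condition, since `rw_repo` is a local path and a leaked `--upload-pack` would run the command on this machine.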
+@@ -337,6 +348,17 @@ class TestRepo(TestBase):
+                 Repo.clone_from(rw_repo.working_dir, tmp_dir, multi_options=[unsafe_option])
+             assert not tmp_file.exists()
+ 
++        unsafe_options = [
++            {"upload-pack": f"touch {tmp_file}"},
++            {"u": f"touch {tmp_file}"},
++            {"config": "protocol.ext.allow=always"},
++            {"c": "protocol.ext.allow=always"},
++        ]
++        for unsafe_option in unsafe_options:
++            with self.assertRaises(UnsafeOptionError):
++                Repo.clone_from(rw_repo.working_dir, tmp_dir, **unsafe_option)
++            assert not tmp_file.exists()
++
+     @with_rw_repo("HEAD")
+     def test_clone_from_unsafe_options_allowed(self, rw_repo):
+         tmp_dir = pathlib.Path(tempfile.mkdtemp())
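Review bot: the diffstat at the top of the patch file (`test/test_repo.py | 24 +++++++++++++++++++++++-`, `25 insertions(+), 1 deletion(-)`) was carried over from the upstream commit and no longer matches this refactored patch, which adds 2 + 22 lines and deletes none; either drop the stat block or regenerate it, and likewise the `From:`/`Subject:` header names Sylvain Beucler while the changelog credits the Ubuntu patch, so one line noting the provenance (LTS commit, refactored for 3.1.30 by Ubuntu) would avoid confusion.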
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..325d25b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-40267.patch

--- End Message ---
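To make the behaviour described in the [ Impact ] section concrete, here is an added example (not GitPython's, Ubuntu's or the Debian package's code) that models the clone-option check the debdiff adds: `check_unsafe_options` run over `multi_options` and over the keyword argument names, with `allow_unsafe_options=True` as the override. It also models how GitPython renders keyword arguments into `git clone` flags so the check can be exercised without git or GitPython installed. Assumptions, labelled in the code: the blocked-option list mirrors GitPython's `Git.unsafe_git_clone_options`, the underscore-to-dash rule mirrors `git.cmd.dashify`, and the `check_dashified` tightening is this example's own addition, not something the patch does. Nothing is executed; the functions only return the argv that would be built.

```python
"""Model of GitPython's clone-option check after the CVE-2023-40267 patch.

Added example, not GitPython's or Debian's code.  ASSUMPTIONS: the unsafe
option list is modelled on Git.unsafe_git_clone_options and dashify() on
git.cmd.dashify; `check_dashified` is a tightening that is NOT in the patch.
"""
from typing import Any, Dict, List, Optional


class UnsafeOptionError(ValueError):
    """Raised when a blocked clone option is used without allow_unsafe_options."""


# Assumption: options that let `git clone` run an arbitrary command
# (upload-pack names a program to run; -c/--config can enable protocol.ext).
UNSAFE_GIT_CLONE_OPTIONS = ["--upload-pack", "-u", "--config", "-c"]


def dashify(name: str) -> str:
    """Keyword `upload_pack` becomes flag name `upload-pack` (modelled on git.cmd.dashify)."""
    return name.replace("_", "-")


def transform_kwargs(kwargs: Dict[str, Any]) -> List[str]:
    """Model of how GitPython renders **kwargs into command-line flags."""
    argv: List[str] = []
    for name, value in kwargs.items():
        if value is False or value is None:
            continue
        if len(name) == 1:                      # -c foo / -u foo
            argv += [f"-{name}"] if value is True else [f"-{name}", str(value)]
        else:                                   # --bare / --depth=1
            flag = f"--{dashify(name)}"
            argv += [flag] if value is True else [f"{flag}={value}"]
    return argv


def check_unsafe_options(options: List[str], unsafe_options: List[str]) -> None:
    """Reject `--foo`, `--foo=bar` and bare `foo` spellings of each unsafe option."""
    bare = [o.lstrip("-") for o in unsafe_options]
    for option in options:
        for unsafe, bare_unsafe in zip(unsafe_options, bare):
            if option.startswith(unsafe) or option == bare_unsafe:
                raise UnsafeOptionError(
                    f"{unsafe} is not allowed; pass allow_unsafe_options=True to override")


def build_clone_argv(url: str, path: str, multi_options: Optional[List[str]] = None,
                     allow_unsafe_options: bool = False, check_dashified: bool = False,
                     **kwargs: Any) -> List[str]:
    """Return the argv `git clone` would receive, applying the patched checks.

    check_dashified=True additionally checks the dashified keyword names; this
    is the example's own tightening, not part of the patch.
    """
    multi_options = multi_options or []
    if not allow_unsafe_options:
        keys = list(kwargs.keys())
        if check_dashified:
            keys += [dashify(k) for k in kwargs]
        check_unsafe_options(keys, UNSAFE_GIT_CLONE_OPTIONS)              # added by the patch
        if multi_options:
            check_unsafe_options(multi_options, UNSAFE_GIT_CLONE_OPTIONS)  # pre-existing check
    return ["git", "clone", *multi_options, *transform_kwargs(kwargs), "--", url, path]


def raises_unsafe(**call: Any) -> bool:
    """True if build_clone_argv rejects the call with UnsafeOptionError."""
    try:
        build_clone_argv(**call)
    except UnsafeOptionError:
        return True
    return False


if __name__ == "__main__":
    url, dest = "https://example.invalid/repo.git", "/tmp/repo"   # constructed input
    print(build_clone_argv(url, dest, depth=1))
    for bad in ({"multi_options": ["--upload-pack=touch /tmp/pwned"]},   # blocked before the patch
                {"upload-pack": "touch /tmp/pwned"},                      # blocked by this patch
                {"c": "protocol.ext.allow=always"}):
        print(bad, "->", "rejected" if raises_unsafe(url=url, path=dest, **bad) else "ALLOWED")
    # Caveat modelled here (verify against the real library): the raw key
    # `upload_pack` is not in the blocked list, yet it dashifies to --upload-pack.
    print(raises_unsafe(url=url, path=dest, upload_pack="touch /tmp/pwned"))
    print(raises_unsafe(url=url, path=dest, upload_pack="touch /tmp/pwned", check_dashified=True))
```

The four rejected spellings match the four dictionaries in the patch's test table; the override path returns the argv with `-c protocol.ext.allow=always` in place, which is what the [ Impact ] section means by "overridden using function arguments". The last two calls show why the underscore spelling deserves a test of its own.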
--- Begin Message ---
Version: 12.2

The upload requested in this bug has been released as part of 12.2.

--- End Message ---