File CVE-2024-32004.patch of Package git

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2024-32004.patch of Package git

commit f4aa8c8bb11dae6e769cd930565173808cbb69c8
Author: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Date:   Wed Apr 10 14:39:37 2024 +0200

fetch/clone: detect dubious ownership of local repositories
    
    When cloning from somebody else's repositories, it is possible that,
    say, the `upload-pack` command is overridden in the repository that is
    about to be cloned, which would then be run in the user's context who
    started the clone.
    
    To remind the user that this is a potentially unsafe operation, let's
    extend the ownership checks we have already established for regular
    gitdir discovery to extend also to local repositories that are about to
    be cloned.
    
    This protection extends also to file:// URLs.
    
    The fixes in this commit address CVE-2024-32004.
    
    Note: This commit does not touch the `fetch`/`clone` code directly, but
    instead the function used implicitly by both: `enter_repo()`. This
    function is also used by `git receive-pack` (i.e. pushes), by `git
    upload-archive`, by `git daemon` and by `git http-backend`. In setups
    that want to serve repositories owned by different users than the
    account running the service, this will require `safe.*` settings to be
    configured accordingly.
    
    Also note: there are tiny time windows where a time-of-check-time-of-use
    ("TOCTOU") race is possible. The real solution to those would be to work
    with `fstat()` and `openat()`. However, the latter function is not
    available on Windows (and would have to be emulated with rather
    expensive low-level `NtCreateFile()` calls), and the changes would be
    quite extensive, for my taste too extensive for the little gain given
    that embargoed releases need to pay extra attention to avoid introducing
    inadvertent bugs.
    
    Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

diff --git a/cache.h b/cache.h
index fcf49706ad..a46a3e4b6b 100644
--- a/cache.h
+++ b/cache.h
@@ -606,6 +606,18 @@ void set_git_work_tree(const char *tree);
 
 #define ALTERNATE_DB_ENVIRONMENT "GIT_ALTERNATE_OBJECT_DIRECTORIES"
 
+/*
+ * Check if a repository is safe and die if it is not, by verifying the
+ * ownership of the worktree (if any), the git directory, and the gitfile (if
+ * any).
+ *
+ * Exemptions for known-safe repositories can be added via `safe.directory`
+ * config settings; for non-bare repositories, their worktree needs to be
+ * added, for bare ones their git directory.
+ */
+void die_upon_dubious_ownership(const char *gitfile, const char *worktree,
+				const char *gitdir);
+
 void setup_work_tree(void);
 /*
  * Find the commondir and gitdir of the repository that contains the current
diff --git a/path.c b/path.c
index 492e17ad12..d61f70e87d 100644
--- a/path.c
+++ b/path.c
@@ -840,6 +840,7 @@ const char *enter_repo(const char *path, int strict)
 		if (!suffix[i])
 			return NULL;
 		gitfile = read_gitfile(used_path.buf);
+		die_upon_dubious_ownership(gitfile, NULL, used_path.buf);
 		if (gitfile) {
 			strbuf_reset(&used_path);
 			strbuf_addstr(&used_path, gitfile);
@@ -850,6 +851,7 @@ const char *enter_repo(const char *path, int strict)
 	}
 	else {
 		const char *gitfile = read_gitfile(path);
+		die_upon_dubious_ownership(gitfile, NULL, path);
 		if (gitfile)
 			path = gitfile;
 		if (chdir(path))

Places

File CVE-2024-32004.patch of Package git

Places