diff --git a/0001-fmt-merge-msg-prevent-use-after-free-with-signed-tag.patch b/0001-fmt-merge-msg-prevent-use-after-free-with-signed-tag.patch new file mode 100644 index 0000000..72cd990 --- /dev/null +++ b/0001-fmt-merge-msg-prevent-use-after-free-with-signed-tag.patch 
@@ -0,0 +1,199 @@ +From mboxrd@z Thu Jan 1 00:00:00 1970 +Return-Path: +X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on + aws-us-west-2-korg-lkml-1.web.codeaurora.org +Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) + by smtp.lore.kernel.org (Postfix) with ESMTP id 4EF60C433EF + for ; Mon, 10 Jan 2022 21:19:15 +0000 (UTC) +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1343852AbiAJVTN (ORCPT ); + Mon, 10 Jan 2022 16:19:13 -0500 +Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45246 "EHLO + lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S240793AbiAJVTJ (ORCPT ); + Mon, 10 Jan 2022 16:19:09 -0500 +Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) + by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D57E9C06173F + for ; Mon, 10 Jan 2022 13:19:08 -0800 (PST) +Received: by mail-io1-xd32.google.com with SMTP id h23so19409080iol.11 + for ; Mon, 10 Jan 2022 13:19:08 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=ttaylorr-com.20210112.gappssmtp.com; s=20210112; + h=date:from:to:cc:subject:message-id:references:mime-version + :content-disposition:in-reply-to; + bh=FTrKkNrsW7oFf2weWFjBUCeY4AzPYNFulnRyLyCVrk8=; + b=z+XM3REbAP5x9W9gK6pBjzm9BHigJ0mkHwdcjCN9VQSWk7aIMxsxwVauiC4+Y15Py4 + e4kEWLSahtCS62N2410rXTW5F4IiCjrtU+iZztr+gz2IfLpV70e3CO2WaIRGNPRJm2g0 + Gl1+Y32Gk2jkmZ7w/ue8yng54F8FHEvg5joJFj19bMoWF0kd16ny2U+SjCfurbJu7Qpm + 7qMJtWStXIt8SBVaYdqvMjIylr3zDEvOolaSUBxXZYmD51XjQJXFL4DaYTvT6RIRsBZF + gcdEfTKQ3MdH7Dr8AbiaERh3vNXQ9oKb1cHL7aodKSAS6/NpSSvKMxmW+7n4yICL7hsM + b8pQ== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20210112; + h=x-gm-message-state:date:from:to:cc:subject:message-id:references + :mime-version:content-disposition:in-reply-to; + bh=FTrKkNrsW7oFf2weWFjBUCeY4AzPYNFulnRyLyCVrk8=; + b=YyvJy1w+MELo/HMukbimTZO7p+9odhEtnD9F2+GB68WqNtHOSqLj+FNJKrl2cWUWPM + 
Oec5Mop17BPiDQ5du2gbK9mEJMae9wPoqUhJijzgbcfyH8nAHG8XgBD8PYhzcdaKiwZW + 1/rhWRpyqsAmRKRnXBk+qXOydG6sbeJqYIDiHxHV/MWXzXK8L1tw0TN6x+ovUHJ8tOuu + ZStLc+f7IV9gr3soTs3R4sloQluxitDfe4RReEpc0HDcPxG0V91aiT4MxULStqcCqUbz + I1S0PJMehkw5RIZvrW8GpPjBGFao6X30hvxBN1Skq/nq1rUbbIwat343WUGUC/LogIAV + Wd5A== +X-Gm-Message-State: AOAM533g0jVnFyUCJsyN7y07jhNAhfATafqgniWHcVni8kH1UQ43T/Cd + 76bWXlo05ji/88mEupUArvoHr60/63d4qA== +X-Google-Smtp-Source: ABdhPJwh3a+flp+ajvTa6YBvQY7iqlxqOUdkFKcfZ3ahJTw9JXb3F4kXsRKSfwjHXJ9SQm7cyHyn1Q== +X-Received: by 2002:a05:6638:3009:: with SMTP id r9mr861119jak.262.1641849548063; + Mon, 10 Jan 2022 13:19:08 -0800 (PST) +Received: from localhost (104-178-186-189.lightspeed.milwwi.sbcglobal.net. [104.178.186.189]) + by smtp.gmail.com with ESMTPSA id t6sm5035566iov.39.2022.01.10.13.19.07 + (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); + Mon, 10 Jan 2022 13:19:07 -0800 (PST) +Date: Mon, 10 Jan 2022 16:19:06 -0500 +From: Taylor Blau +To: git@vger.kernel.org +Cc: Junio C Hamano , + Linus Torvalds , + Fabian Stelzer +Subject: [PATCH] fmt-merge-msg: prevent use-after-free with signed tags +Message-ID: <6e08b73d602853b3de71257117e85e32b96b5c19.1641849502.git.me@ttaylorr.com> +References: +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf-8 +Content-Disposition: inline +In-Reply-To: +Precedence: bulk +List-ID: +X-Mailing-List: git@vger.kernel.org + +When merging a signed tag, fmt_merge_msg_sigs() is responsible for +populating the body of the merge message with the names of the signed +tags, their signatures, and the validity of those signatures. + +In 02769437e1 (ssh signing: use sigc struct to pass payload, +2021-12-09), check_signature() was taught to pass the object payload via +the sigc struct instead of passing the payload buffer separately. + +In effect, 02769437e1 causes buf, and sigc.payload to point at the same +region in memory. 
This causes a problem for fmt_tag_signature(), which +wants to read from this location, since it is freed beforehand by +signature_check_clear() (which frees it via sigc's `payload` member). + +That makes the subsequent use in fmt_tag_signature() a use-after-free. + +As a result, merge messages did not contain the body of any signed tags. +Luckily, they tend not to contain garbage, either, since the result of +strstr()-ing the object buffer in fmt_tag_signature() is guarded: + + const char *tag_body = strstr(buf, "\n\n"); + if (tag_body) { + tag_body += 2; + strbuf_add(tagbuf, tag_body, buf + len - tag_body); + } + +Unfortunately, the tests in t6200 did not catch this at the time because +they do not search for the body of signed tags in fmt-merge-msg's +output. + +Resolve this by waiting to call signature_check_clear() until after its +contents can be safely discarded. Harden ourselves against any future +regressions in this area by making sure we can find signed tag messages +in the output of fmt-merge-msg, too. 
+ +Reported-by: Linus Torvalds +Signed-off-by: Taylor Blau +--- + fmt-merge-msg.c | 2 +- + t/t6200-fmt-merge-msg.sh | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/fmt-merge-msg.c b/fmt-merge-msg.c +index e5c0aff2bf..baca57d5b6 100644 +--- a/fmt-merge-msg.c ++++ b/fmt-merge-msg.c +@@ -541,7 +541,6 @@ static void fmt_merge_msg_sigs(struct strbuf *out) + else + strbuf_addstr(&sig, sigc.output); + } +- signature_check_clear(&sigc); + + if (!tag_number++) { + fmt_tag_signature(&tagbuf, &sig, buf, len); +@@ -565,6 +564,7 @@ static void fmt_merge_msg_sigs(struct strbuf *out) + } + strbuf_release(&payload); + strbuf_release(&sig); ++ signature_check_clear(&sigc); + next: + free(origbuf); + } +diff --git a/t/t6200-fmt-merge-msg.sh b/t/t6200-fmt-merge-msg.sh +index 7544245f90..5a221f8ef1 100755 +--- a/t/t6200-fmt-merge-msg.sh ++++ b/t/t6200-fmt-merge-msg.sh +@@ -126,6 +126,7 @@ test_expect_success GPG 'message for merging local tag signed by good key' ' + git fetch . signed-good-tag && + git fmt-merge-msg <.git/FETCH_HEAD >actual && + grep "^Merge tag ${apos}signed-good-tag${apos}" actual && ++ grep "^signed-tag-msg" actual && + grep "^# gpg: Signature made" actual && + grep "^# gpg: Good signature from" actual + ' +@@ -135,6 +136,7 @@ test_expect_success GPG 'message for merging local tag signed by unknown key' ' + git fetch . signed-good-tag && + GNUPGHOME=. git fmt-merge-msg <.git/FETCH_HEAD >actual && + grep "^Merge tag ${apos}signed-good-tag${apos}" actual && ++ grep "^signed-tag-msg" actual && + grep "^# gpg: Signature made" actual && + grep -E "^# gpg: Can${apos}t check signature: (public key not found|No public key)" actual + ' +@@ -145,6 +147,7 @@ test_expect_success GPGSSH 'message for merging local tag signed by good ssh key + git fetch . 
signed-good-ssh-tag && + git fmt-merge-msg <.git/FETCH_HEAD >actual && + grep "^Merge tag ${apos}signed-good-ssh-tag${apos}" actual && ++ grep "^signed-ssh-tag-msg" actual && + grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && + ! grep "${GPGSSH_BAD_SIGNATURE}" actual + ' +@@ -155,6 +158,7 @@ test_expect_success GPGSSH 'message for merging local tag signed by unknown ssh + git fetch . signed-untrusted-ssh-tag && + git fmt-merge-msg <.git/FETCH_HEAD >actual && + grep "^Merge tag ${apos}signed-untrusted-ssh-tag${apos}" actual && ++ grep "^signed-ssh-tag-msg-untrusted" actual && + grep "${GPGSSH_GOOD_SIGNATURE_UNTRUSTED}" actual && + ! grep "${GPGSSH_BAD_SIGNATURE}" actual && + grep "${GPGSSH_KEY_NOT_TRUSTED}" actual +@@ -166,6 +170,7 @@ test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag sign + git fetch . expired-signed && + git fmt-merge-msg <.git/FETCH_HEAD >actual && + grep "^Merge tag ${apos}expired-signed${apos}" actual && ++ grep "^expired-signed" actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual + ' + +@@ -175,6 +180,7 @@ test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag sign + git fetch . notyetvalid-signed && + git fmt-merge-msg <.git/FETCH_HEAD >actual && + grep "^Merge tag ${apos}notyetvalid-signed${apos}" actual && ++ grep "^notyetvalid-signed" actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual + ' + +@@ -184,6 +190,7 @@ test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag sign + git fetch . timeboxedvalid-signed && + git fmt-merge-msg <.git/FETCH_HEAD >actual && + grep "^Merge tag ${apos}timeboxedvalid-signed${apos}" actual && ++ grep "^timeboxedvalid-signed" actual && + grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && + ! grep "${GPGSSH_BAD_SIGNATURE}" actual + ' +@@ -194,6 +201,7 @@ test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag sign + git fetch . 
timeboxedinvalid-signed && + git fmt-merge-msg <.git/FETCH_HEAD >actual && + grep "^Merge tag ${apos}timeboxedinvalid-signed${apos}" actual && ++ grep "^timeboxedinvalid-signed" actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual + ' + +-- +2.34.1.455.gd6eb6fd089 + diff --git a/git.skip-test-patterns b/git.skip-test-patterns index 1f1f8b1..bd44452 100644 --- a/git.skip-test-patterns +++ b/git.skip-test-patterns @@ -4,7 +4,7 @@ GIT_SKIP_TESTS missing AUTOIDENT missing CASE_INSENSITIVE_FS missing DONTHAVEIT -missing EXPENSIVE +missing ([!]LONG_IS_64BIT,)?EXPENSIVE missing JGIT missing !?LAZY_(TRUE|FALSE) missing MINGW diff --git a/git.spec b/git.spec index 6b12273..ea1b95b 100644 --- a/git.spec +++ b/git.spec @@ -76,11 +76,11 @@ %endif # Define for release candidates -#global rcrev .rc0 +%global rcrev .rc0 Name: git -Version: 2.34.1 -Release: 1%{?rcrev}%{?dist} +Version: 2.35.0 +Release: 0.0%{?rcrev}%{?dist} Summary: Fast Version Control System License: GPLv2 URL: https://git-scm.com/ @@ -119,6 +119,10 @@ Patch3: 0003-t-lib-gpg-kill-all-gpg-components-not-just-gpg-agent.patch Patch4: 0004-t4202-match-gpgsm-output-from-GnuPG-2.3.patch Patch5: 0005-gpg-interface-match-SIG_CREATED-if-it-s-the-first-li.patch +# Fix tag message contents +# https://lore.kernel.org/git/CAHk-=whXPxWL7z3GiPkaDt+yygrRmagrYUnib7Lx=Vvrqx2ufg@mail.gmail.com/ +Patch6: https://lore.kernel.org/git/6e08b73d602853b3de71257117e85e32b96b5c19.1641849502.git.me@ttaylorr.com/raw#/0001-fmt-merge-msg-prevent-use-after-free-with-signed-tag.patch + %if %{with docs} # pod2man is needed to build Git.3pm BuildRequires: %{_bindir}/pod2man @@ -218,7 +222,7 @@ BuildRequires: jgit %endif # endif fedora (except i386 and s390x) BuildRequires: mod_dav_svn -BuildRequires: openssh +BuildRequires: openssh-clients BuildRequires: perl(App::Prove) BuildRequires: perl(CGI) BuildRequires: perl(CGI::Carp) 
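Review bot: The new skip pattern `missing ([!]LONG_IS_64BIT,)?EXPENSIVE` matches only the negated prerequisite spelling `!LONG_IS_64BIT,EXPENSIVE` (plus bare `EXPENSIVE`), whereas the neighbouring `missing !?LAZY_(TRUE|FALSE)` entry accepts both the negated and the plain form. I cannot tell from this hunk whether the suite also reports `LONG_IS_64BIT,EXPENSIVE` as missing; if it does, that variant would slip past the pattern. `missing ([!]?LONG_IS_64BIT,)?EXPENSIVE` would cover both spellings and stay consistent with the `LAZY_` entry; if only the negated combination exists upstream, the current form is fine but a short comment saying so would help the next version bump.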
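Review bot: The comment above the new `Patch6` line, `# Fix tag message contents`, understates what is being backported: the patch file added in this commit is titled `fmt-merge-msg: prevent use-after-free with signed tags`, and its effect is that signed tag bodies are again included in merge messages. Suggest `# Fix use-after-free that dropped signed tag messages from fmt-merge-msg output` so a later packager recognises it as a memory-safety fix and knows to drop it once the upstream release contains it. The `%changelog` entry added later in this commit only says `update to 2.35.0-rc0`; a second line naming the backported fix (and the openssh → openssh-clients BuildRequires change) would make the spec history self-describing.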
@@ -1008,6 +1012,9 @@ rmdir --ignore-fail-on-non-empty "$testdir" %{?with_docs:%{_pkgdocdir}/git-svn.html} %changelog +* Mon Jan 10 2022 Todd Zullinger - 2.35.0-0.0.rc0 +- update to 2.35.0-rc0 + * Thu Nov 25 2021 Todd Zullinger - 2.34.1-1 - update to 2.34.1 - fix gpgsm issues with gnupg-2.3 diff --git a/sources b/sources index 9c138f8..4e6eca9 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (git-2.34.1.tar.xz) = a1a8e9e6f64b1da25508fbd2f783564dcdbe181fb5ff1ebab3bdac6db6094e18acc334479a1abf22ac17ce4f733cc3e10a664db9ab234cd523735a3f027b42db -SHA512 (git-2.34.1.tar.sign) = a1111276e18da1a7b360e3ed3b8460034ea413b116482b0b66342f8873a9dd02a90f3f5bc7ad1e4b3c7f39ed55926a8155064b849e6e6bdf9478cb85b93f10b5 +SHA512 (git-2.35.0.rc0.tar.xz) = 9aa5d89d7981c73d32e9023dfc61a62e63688c3172cba4bee145b2ff4f5f7bc497435d1b4b535089c698893feabc6057a6522676e52bd3355327dfc0b6b8ba56 +SHA512 (git-2.35.0.rc0.tar.sign) = fe4e74de26c0268d36f4fecfa2a2e014e4025c16c931366d1f6f70417661aa250e4ccb8d583c1060559e554e0f5eb770901f246f729f9a55ecbd08c11c6f1119