python3-git: fix for CVE-2022-24439

Source: poky
MR: 124663
Type: Integration
Disposition: Merged from poky
ChangeID: 0721360
Description:

All versions of package gitpython are vulnerable to Remote Code Execution
(RCE) due to improper user input validation, which makes it possible to
inject a maliciously crafted remote URL into the clone command. Exploiting
this vulnerability is possible because the library makes external calls to
git without sufficient sanitization of input arguments.

CVE: CVE-2022-24439

Upstream-Status: Backport

Reference:
gitpython-developers/GitPython#1529
gitpython-developers/GitPython#1518
gitpython-developers/GitPython#1521

(From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde)

Signed-off-by: Narpat Mali <[email protected]>
Signed-off-by: Richard Purdie <[email protected]>
Signed-off-by: Jeremy A. Puhlman <[email protected]>

Author: Narpat Mali

meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch

@@ -0,0 +1,97 @@
+From 6ebe9231cd34dacd32a964859bc509aaa1e3f5fd Mon Sep 17 00:00:00 2001
+From: Narpat Mali <[email protected]>
+Date: Fri, 6 Jan 2023 14:13:10 +0000
+Subject: [PATCH] python3-git: CVE-2022-24439 fix from PR 1518
+
+Fix command injection
+Add `--` in some commands that receive user input
+and if interpreted as options could lead to remote
+code execution (RCE).
+
+There may be more commands that could benefit from `--`
+so the input is never interpreted as an option,
+but most of those aren't dangerous.
+
+Fixed commands:
+
+- push
+- pull
+- fetch
+- clone/clone_from and friends
+- archive (not sure if this one can be exploited, but it doesn't hurt
+  adding `--` :))
+
+For anyone using GitPython and exposing any of the GitPython methods to users,
+make sure to always validate the input (like if starts with `--`).
+And for anyone allowing users to pass arbitrary options, be aware
+that some options may lead fo RCE, like `--exc`, `--upload-pack`,
+`--receive-pack`, `--config` (#1516).
+
+Ref #1517
+
+CVE: CVE-2022-24439
+
+Upstream-Status: Backport [https://github.com/gitpython-developers/GitPython/pull/1518]
+
+Signed-off-by: Narpat Mali <[email protected]>
+---
+ git/remote.py    | 6 +++---
+ git/repo/base.py | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/git/remote.py b/git/remote.py
+index 56f3c5b..59681bc 100644
+--- a/git/remote.py
++++ b/git/remote.py
+@@ -881,7 +881,7 @@ class Remote(LazyMixin, IterableObj):
+         else:
+             args = [refspec]
+ 
+-        proc = self.repo.git.fetch(self, *args, as_process=True, with_stdout=False,
++        proc = self.repo.git.fetch("--", self, *args, as_process=True, with_stdout=False,
+                                    universal_newlines=True, v=verbose, **kwargs)
+         res = self._get_fetch_info_from_stderr(proc, progress,
+                                                kill_after_timeout=kill_after_timeout)
+@@ -905,7 +905,7 @@ class Remote(LazyMixin, IterableObj):
+             # No argument refspec, then ensure the repo's config has a fetch refspec.
+             self._assert_refspec()
+         kwargs = add_progress(kwargs, self.repo.git, progress)
+-        proc = self.repo.git.pull(self, refspec, with_stdout=False, as_process=True,
++        proc = self.repo.git.pull("--", self, refspec, with_stdout=False, as_process=True,
+                                   universal_newlines=True, v=True, **kwargs)
+         res = self._get_fetch_info_from_stderr(proc, progress,
+                                                kill_after_timeout=kill_after_timeout)
+@@ -945,7 +945,7 @@ class Remote(LazyMixin, IterableObj):
+             If the operation fails completely, the length of the returned IterableList will
+             be 0."""
+         kwargs = add_progress(kwargs, self.repo.git, progress)
+-        proc = self.repo.git.push(self, refspec, porcelain=True, as_process=True,
++        proc = self.repo.git.push("--", self, refspec, porcelain=True, as_process=True,
+                                   universal_newlines=True,
+                                   kill_after_timeout=kill_after_timeout,
+                                   **kwargs)
+diff --git a/git/repo/base.py b/git/repo/base.py
+index 7713c91..f14f929 100644
+--- a/git/repo/base.py
++++ b/git/repo/base.py
+@@ -1072,7 +1072,7 @@ class Repo(object):
+         multi = None
+         if multi_options:
+             multi = shlex.split(' '.join(multi_options))
+-        proc = git.clone(multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True,
++        proc = git.clone("--", multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True,
+                          v=True, universal_newlines=True, **add_progress(kwargs, git, progress))
+         if progress:
+             handle_process_output(proc, None, to_progress_instance(progress).new_message_handler(),
+@@ -1173,7 +1173,7 @@ class Repo(object):
+         if not isinstance(path, (tuple, list)):
+             path = [path]
+         # end assure paths is list
+-        self.git.archive(treeish, *path, **kwargs)
++        self.git.archive("--", treeish, *path, **kwargs)
+         return self
+ 
+     def has_separate_working_tree(self) -> bool:
+-- 
+2.34.1
+