- Add CVE-2023-41040.patch to fix directory traversal attack

vulnerability gh#gitpython-developers/GitPython#1644 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-GitPython?expand=0&rev=56
2023-09-07 06:05:27 +00:00 · 2023-09-07 06:05:27 +00:00 · 4667633ec8
commit 4667633ec8
parent c81700eb2a
3 changed files with 61 additions and 0 deletions
--- a/CVE-2023-41040.patch
+++ b/CVE-2023-41040.patch
@ -0,0 +1,53 @@
+diff --git a/git/refs/symbolic.py b/git/refs/symbolic.py
+index 33c3bf15b..5c293aa7b 100644
+--- a/git/refs/symbolic.py
+++ b/git/refs/symbolic.py
+@@ -168,6 +168,8 @@ def _get_ref_info_helper(
+         """Return: (str(sha), str(target_ref_path)) if available, the sha the file at
+         rela_path points to, or None. target_ref_path is the reference we
+         point to, or None"""
+        if ".." in str(ref_path):
+            raise ValueError(f"Invalid reference '{ref_path}'")
+         tokens: Union[None, List[str], Tuple[str, str]] = None
+         repodir = _git_dir(repo, ref_path)
+         try:
+diff --git a/test/test_refs.py b/test/test_refs.py
+index 4c421767e..e7526c3b2 100644
+--- a/test/test_refs.py
+++ b/test/test_refs.py
+@@ -5,6 +5,7 @@
+ # the BSD License: http://www.opensource.org/licenses/bsd-license.php
+ 
+ from itertools import chain
+from pathlib import Path
+ 
+ from git import (
+     Reference,
+@@ -20,9 +21,11 @@
+ from git.objects.tag import TagObject
+ from test.lib import TestBase, with_rw_repo
+ from git.util import Actor
+from gitdb.exc import BadName
+ 
+ import git.refs as refs
+ import os.path as osp
+import tempfile
+ 
+ 
+ class TestRefs(TestBase):
+@@ -616,3 +619,15 @@ def test_dereference_recursive(self):
+ 
+     def test_reflog(self):
+         assert isinstance(self.rorepo.heads.master.log(), RefLog)
+
+    def test_refs_outside_repo(self):
+        # Create a file containing a valid reference outside the repository. Attempting
+        # to access it should raise an exception, due to it containing a parent directory
+        # reference ('..'). This tests for CVE-2023-41040.
+        git_dir = Path(self.rorepo.git_dir)
+        repo_parent_dir = git_dir.parent.parent
+        with tempfile.NamedTemporaryFile(dir=repo_parent_dir) as ref_file:
+            ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe")
+            ref_file.flush()
+            ref_file_name = Path(ref_file.name).name
+            self.assertRaises(BadName, self.rorepo.commit, f"../../{ref_file_name}")
--- a/python-GitPython.changes
+++ b/python-GitPython.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Sep  5 08:30:24 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add CVE-2023-41040.patch to fix directory traversal attack
+  vulnerability gh#gitpython-developers/GitPython#1644
+
 -------------------------------------------------------------------
 Tue Sep 05 06:34:12 UTC 2023 - daniel.garcia@suse.com

--- a/python-GitPython.spec
+++ b/python-GitPython.spec
@ -28,6 +28,8 @@ URL:            https://github.com/gitpython-developers/GitPython
 Source:         GitPython-%{version}.tar.xz
 Patch0:         test-skips.patch
 Patch1:         test_blocking_lock_file-extra-time.patch
+# PATCH-FIX-UPSTREAM CVE-2023-41040.patch gh#gitpython-developers/GitPython#1644
+Patch2:         CVE-2023-41040.patch
 BuildRequires:  %{python_module ddt >= 1.1.1}
 BuildRequires:  %{python_module gitdb >= 4.0.1}
 BuildRequires:  %{python_module pip}