From 4667633ec8e7afade7a8ca7b5e79ceab09b8611c0e74ca6a6826037dc9337f29 Mon Sep 17 00:00:00 2001
From: Daniel Garcia
Date: Thu, 7 Sep 2023 06:05:27 +0000
Subject: [PATCH] - Add CVE-2023-41040.patch to fix directory traversal attack vulnerability gh#gitpython-developers/GitPython#1644
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-GitPython?expand=0&rev=56
---
 CVE-2023-41040.patch | 53 ++++++++++++++++++++++++++++++++++++++++
 python-GitPython.changes | 6 +++++
 python-GitPython.spec | 2 ++
 3 files changed, 61 insertions(+)
 create mode 100644 CVE-2023-41040.patch
diff --git a/CVE-2023-41040.patch b/CVE-2023-41040.patch
new file mode 100644
index 0000000..ca42a94
--- /dev/null
+++ b/CVE-2023-41040.patch
@@ -0,0 +1,53 @@
+diff --git a/git/refs/symbolic.py b/git/refs/symbolic.py
+index 33c3bf15b..5c293aa7b 100644
+--- a/git/refs/symbolic.py
++++ b/git/refs/symbolic.py
+@@ -168,6 +168,8 @@ def _get_ref_info_helper(
+ """Return: (str(sha), str(target_ref_path)) if available, the sha the file at
+ rela_path points to, or None. target_ref_path is the reference we
+ point to, or None"""
++ if ".." in str(ref_path):
++ raise ValueError(f"Invalid reference '{ref_path}'")
+ tokens: Union[None, List[str], Tuple[str, str]] = None
+ repodir = _git_dir(repo, ref_path)
+ try:
+diff --git a/test/test_refs.py b/test/test_refs.py
+index 4c421767e..e7526c3b2 100644
+--- a/test/test_refs.py
++++ b/test/test_refs.py
+@@ -5,6 +5,7 @@
+ # the BSD License: http://www.opensource.org/licenses/bsd-license.php
+ 
+ from itertools import chain
++from pathlib import Path
+ 
+ from git import (
+ Reference,
+@@ -20,9 +21,11 @@
+ from git.objects.tag import TagObject
+ from test.lib import TestBase, with_rw_repo
+ from git.util import Actor
++from gitdb.exc import BadName
+ 
+ import git.refs as refs
+ import os.path as osp
++import tempfile
+ 
+ 
+ class TestRefs(TestBase):
+@@ -616,3 +619,15 @@ def test_dereference_recursive(self):
+ 
+ def test_reflog(self):
+ assert isinstance(self.rorepo.heads.master.log(), RefLog)
++
++ def test_refs_outside_repo(self):
++ # Create a file containing a valid reference outside the repository. Attempting
++ # to access it should raise an exception, due to it containing a parent directory
++ # reference ('..'). This tests for CVE-2023-41040.
++ git_dir = Path(self.rorepo.git_dir)
++ repo_parent_dir = git_dir.parent.parent
++ with tempfile.NamedTemporaryFile(dir=repo_parent_dir) as ref_file:
++ ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe")
++ ref_file.flush()
++ ref_file_name = Path(ref_file.name).name
++ self.assertRaises(BadName, self.rorepo.commit, f"../../{ref_file_name}")
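Review bot: The new guard in `_get_ref_info_helper` rejects only a `..` substring, so an absolute `ref_path` (`/etc/passwd`, or a drive-letter path on Windows) passes it untouched. The helper's body continues past this hunk; if it resolves the reference with `os.path.join(repodir, ref_path)`, an absolute right-hand operand discards `repodir` and the same out-of-tree read stays reachable without any `..` component. Consider `if ".." in str(ref_path) or os.path.isabs(str(ref_path)):` — git's own ref-name rules forbid both forms, so no legitimate reference is lost — together with a comment such as `# Reject parent-directory and absolute paths so a crafted ref name cannot escape the git dir (CVE-2023-41040).` The added test pins the fix only indirectly: it expects `BadName` from `repo.commit`, which relies on code outside this hunk translating the `ValueError`, whereas a direct assertion that the helper raises `ValueError` for `"../x"` would pin the guard itself.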
diff --git a/python-GitPython.changes b/python-GitPython.changes
index 81748cc..a892ed2 100644
--- a/python-GitPython.changes
+++ b/python-GitPython.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Sep 5 08:30:24 UTC 2023 - Daniel Garcia
+
+- Add CVE-2023-41040.patch to fix directory traversal attack
+ vulnerability gh#gitpython-developers/GitPython#1644
+
 -------------------------------------------------------------------
 Tue Sep 05 06:34:12 UTC 2023 - daniel.garcia@suse.com
 
diff --git a/python-GitPython.spec b/python-GitPython.spec
index dce4ca1..ab7e519 100644
--- a/python-GitPython.spec
+++ b/python-GitPython.spec
@@ -28,6 +28,8 @@ URL: https://github.com/gitpython-developers/GitPython
 Source: GitPython-%{version}.tar.xz
 Patch0: test-skips.patch
 Patch1: test_blocking_lock_file-extra-time.patch
+# PATCH-FIX-UPSTREAM CVE-2023-41040.patch gh#gitpython-developers/GitPython#1644
+Patch2: CVE-2023-41040.patch
 BuildRequires: %{python_module ddt >= 1.1.1}
 BuildRequires: %{python_module gitdb >= 4.0.1}
 BuildRequires: %{python_module pip}