Correct last year's cvsimport command injection fix
This was quietly fixed upstream so I didn't notice until recently the
need to backport the fix.
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
diff --git a/debian/changelog b/debian/changelog
index d61aaad..17e6457 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-git (1:2.11.0-3+deb9u3.1) stretch-security; urgency=high
+git (1:2.11.0-3+deb9u4) stretch-security; urgency=high
* Fix CVE-2018-17456, arbitrary code execution via submodule URLs
and paths in .gitmodules file:
@@ -8,10 +8,18 @@
- fsck: detect submodule urls that start with a dash
- fsck: detect submodule paths that start with a dash
- Thanks to joernchen of Phenoelit for discovering and reporting this
- vulnerability and to Jeff King for fixing it.
+ Thanks to joernchen of Phenoelit for discovering and reporting
+ this vulnerability and to Jeff King for fixing it.
- -- Jonathan Nieder <jrnieder@gmail.com> Thu, 27 Sep 2018 18:57:06 -0700
+ * Correct incomplete shell command injection fix in git cvsimport in
+ 1:2.11.0-3+deb9u2. A malicious CVS server could trigger
+ arbitrary code execution by a user running "git cvsimport".
+ - cvsimport: apply shell-quoting regex globally
+
+ Thanks to littlelailo for discovering this vulnerability and to
+ Jeff King for fixing it.
+
+ -- Jonathan Nieder <jrnieder@gmail.com> Thu, 27 Sep 2018 19:35:44 -0700
git (1:2.11.0-3+deb9u3) stretch-security; urgency=high
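Review bot: The new "Correct incomplete shell command injection fix" entry identifies the issue only by the earlier upload version (1:2.11.0-3+deb9u2) and gives no CVE id or bug number, unlike the CVE-2018-17456 entry directly above it. If an identifier exists for the cvsimport issue, cite it here so security trackers can match this upload to it. The rewrap of the two "Thanks to joernchen" lines is unrelated churn and would be better left out of a security upload, where a minimal diff is easier to audit.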
diff --git a/debian/patches/cvsimport-apply-shell-quoting-regex-globally.diff b/debian/patches/cvsimport-apply-shell-quoting-regex-globally.diff
new file mode 100644
index 0000000..d782bac
--- /dev/null
+++ b/debian/patches/cvsimport-apply-shell-quoting-regex-globally.diff
@@ -0,0 +1,37 @@
+From 63a7be83c29eec99673512709880bb1b5ce1778a Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Fri, 8 Dec 2017 04:58:19 -0500
+Subject: cvsimport: apply shell-quoting regex globally
+
+commit 8c87bdfb2137c9e9e945df13e2f2e1eb995ddf83 upstream.
+
+Commit 5b4efea666 (cvsimport: shell-quote variable used in
+backticks, 2017-09-11) tried to shell-quote a variable, but
+forgot to use the "/g" modifier to apply the quoting to the
+whole variable. This means we'd miss any embedded
+single-quotes after the first one.
+
+Reported-by: <littlelailo@yahoo.com>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+---
+ git-cvsimport.perl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/git-cvsimport.perl b/git-cvsimport.perl
+index 36929921ea..2d8df83172 100755
+--- a/git-cvsimport.perl
++++ b/git-cvsimport.perl
+@@ -642,7 +642,7 @@ sub is_sha1 {
+
+ sub get_headref ($) {
+ my $name = shift;
+- $name =~ s/'/'\\''/;
++ $name =~ s/'/'\\''/g;
+ my $r = `git rev-parse --verify '$name' 2>/dev/null`;
+ return undef unless $? == 0;
+ chomp $r;
+--
+2.19.0.605.g01d371f741
+
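Review bot: In get_headref, adding "/g" makes the quoting complete, but $name is still interpolated into a backtick command line (`git rev-parse --verify '$name' 2>/dev/null`), so safety keeps depending on a hand-rolled quoting regex staying correct. As a follow-up, consider running the command through a list-form pipe open, e.g. `open(my $fh, '-|', 'git', 'rev-parse', '--verify', $name)`, which passes $name as a single argument with no shell involved; stderr would then have to be silenced separately. The diffstat also shows only git-cvsimport.perl changing, so nothing here exercises a name containing more than one single quote, which is the case the original fix missed; a regression test for that input would keep it from recurring.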
diff --git a/debian/patches/series b/debian/patches/series
index 1968fe9..693edf4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -41,3 +41,4 @@
submodule-config-ban-submodule-paths-that-start-with-.diff
fsck-detect-submodule-urls-starting-with-dash.diff
fsck-detect-submodule-paths-starting-with-dash.diff
+cvsimport-apply-shell-quoting-regex-globally.diff