main/git: security fix (CVE-2018-19486)

fixes #9713

also fix secfixes comment

2 files changed, 108 insertions, 5 deletions

diff --git a/main/git/APKBUILD b/main/git/APKBUILD
index 9cd4567703..b8acf6e737 100644
--- a/main/git/APKBUILD
+++ b/main/git/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=git
 pkgver=2.13.7
-pkgrel=1
+pkgrel=2
 pkgdesc="A distributed version control system"
 url="https://www.git-scm.com/"
 arch="all"
@@ -11,6 +11,10 @@ depends=
 replaces="git-perl"
 
 # secfixes:
+#   2.13.7-r2:
+#   - CVE-2018-19486
+#   2.13.7-r1:
+#   - CVE-2018-17456
 #   2.13.7:
 #   - CVE-2018-11233
 #   - CVE-2018-11235
@@ -39,6 +43,7 @@ makedepends="zlib-dev libressl-dev curl-dev expat-dev perl-dev python2-dev
 	pcre-dev asciidoc xmlto perl-error tcl tk"
 source="https://www.kernel.org/pub/software/scm/git/git-$pkgver.tar.xz
 	bb-tar.patch
+	CVE-2018-19486.patch
 	git-daemon.initd
 	git-daemon.confd
 	CVE-2018-17456.patch
@@ -54,10 +59,6 @@ _makeopts="
 _gitcoredir=/usr/libexec/git-core
 _builddir="$srcdir"/$pkgname-$pkgver
 
-# secfixes:
-#   2.13.7-r1:
-#     - CVE-2018-17456
-
 build() {
 	cd "$_builddir"
 	make -j1 prefix=/usr DESTDIR="$pkgdir" $_makeopts perl/perl.mak || return 1
@@ -229,6 +230,7 @@ _git_perl() {
 
 sha512sums="b3480fe342610ff31637d95cf3f49d68ee9411a546315588d55eefb6af22846ea3f0bd1a28626574078523414b2806a4d76e23f27b5710bda383c447abd618b7  git-2.13.7.tar.xz
 85767b5e03137008d6a96199e769e3979f75d83603ac8cb13a3481a915005637409a4fd94e0720da2ec6cd1124f35eba7cf20109a94816c4b4898a81fbc46bd2  bb-tar.patch
+98e4d87d492f2e65930b842e2de3f2043d737dcb1cbcb09e504a21a387ad5e5ce7fbe8f9eea2594eec302c45d0f8f069c6b6767deba1ed61b4636f43dfe2a7aa  CVE-2018-19486.patch
 89528cdd14c51fd568aa61cf6c5eae08ea0844e59f9af9292da5fc6c268261f4166017d002d494400945e248df6b844e2f9f9cd2d9345d516983f5a110e4c42a  git-daemon.initd
 fbf1f425206a76e2a8f82342537ed939ff7e623d644c086ca2ced5f69b36734695f9f80ebda1728f75a94d6cd2fcb71bf845b64239368caab418e4d368c141ec  git-daemon.confd
 c0745aac540be9206341c8cc59c4ba3a7158a4b3d2c6eb8c2e84f601b9c642668e7624e42c1af993ffcc16e1c7ad530f9f38769565c9089b14f8ae73ed14fc86  CVE-2018-17456.patch"
diff --git a/main/git/CVE-2018-19486.patch b/main/git/CVE-2018-19486.patch
new file mode 100644
index 0000000000..5cbf096687
--- /dev/null
+++ b/main/git/CVE-2018-19486.patch
@@ -0,0 +1,101 @@
+From 321fd82389742398d2924640ce3a61791fd27d60 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Wed, 24 Oct 2018 03:38:00 -0400
+Subject: run-command: mark path lookup errors with ENOENT
+
+Since commit e3a434468f (run-command: use the
+async-signal-safe execv instead of execvp, 2017-04-19),
+prepare_cmd() does its own PATH lookup for any commands we
+run (on non-Windows platforms).
+
+However, its logic does not match the old execvp call when
+we fail to find a matching entry in the PATH. Instead of
+feeding the name directly to execv, execvp would consider
+that an ENOENT error. By continuing and passing the name
+directly to execv, we effectively behave as if "." was
+included at the end of the PATH. This can have confusing and
+even dangerous results.
+
+The fix itself is pretty straight-forward. There's a new
+test in t0061 to cover this explicitly, and I've also added
+a duplicate of the ENOENT test to ensure that we return the
+correct errno for this case.
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ run-command.c          | 21 +++++++++++++++++----
+ t/t0061-run-command.sh | 13 ++++++++++++-
+ 2 files changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/run-command.c b/run-command.c
+index 014b2165b..8d42a4f53 100644
+--- a/run-command.c
++++ b/run-command.c
+@@ -378,7 +378,7 @@ static void child_err_spew(struct child_process *cmd, struct child_err *cerr)
+ 	set_error_routine(old_errfn);
+ }
+ 
+-static void prepare_cmd(struct argv_array *out, const struct child_process *cmd)
++static int prepare_cmd(struct argv_array *out, const struct child_process *cmd)
+ {
+ 	if (!cmd->argv[0])
+ 		die("BUG: command is empty");
+@@ -401,16 +401,22 @@ static void prepare_cmd(struct argv_array *out, const struct child_process *cmd)
+ 	/*
+ 	 * If there are no '/' characters in the command then perform a path
+ 	 * lookup and use the resolved path as the command to exec.  If there
+-	 * are no '/' characters or if the command wasn't found in the path,
+-	 * have exec attempt to invoke the command directly.
++	 * are '/' characters, we have exec attempt to invoke the command
++	 * directly.
+ 	 */
+ 	if (!strchr(out->argv[1], '/')) {
+ 		char *program = locate_in_PATH(out->argv[1]);
+ 		if (program) {
+ 			free((char *)out->argv[1]);
+ 			out->argv[1] = program;
++		} else {
++			argv_array_clear(out);
++			errno = ENOENT;
++			return -1;
+ 		}
+ 	}
++
++	return 0;
+ }
+ 
+ static char **prep_childenv(const char *const *deltaenv)
+@@ -635,6 +641,12 @@ fail_pipe:
+ 	struct child_err cerr;
+ 	struct atfork_state as;
+ 
++	if (prepare_cmd(&argv, cmd) < 0) {
++		failed_errno = errno;
++		cmd->pid = -1;
++		goto end_of_spawn;
++	}
++
+ 	if (pipe(notify_pipe))
+ 		notify_pipe[0] = notify_pipe[1] = -1;
+ 
+@@ -645,7 +657,6 @@ fail_pipe:
+ 		set_cloexec(null_fd);
+ 	}
+ 
+-	prepare_cmd(&argv, cmd);
+ 	childenv = prep_childenv(cmd->env);
+ 	atfork_prepare(&as);
+ 
+@@ -773,6 +784,8 @@ fail_pipe:
+ 	argv_array_clear(&argv);
+ 	free(childenv);
+ }
++end_of_spawn:
++
+ #else
+ {
+ 	int fhin = 0, fhout = 1, fherr = 2;
+-- 
+cgit 1.2-0.3.lf.el7
+