[AUTO-CHERRYPICK] Fix CVE-2024-53263 in git-lfs - branch main (#12115)

Co-authored-by: Rohit Rawat <[email protected]>
microsoft · Jan 29, 2025 · 35ed337 · 35ed337
1 parent ca99dab
commit 35ed337
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 1 deletion.
diff --git a/SPECS/git-lfs/CVE-2024-53263.patch b/SPECS/git-lfs/CVE-2024-53263.patch
@@ -0,0 +1,55 @@
+From 52f3cb58093cdccffd87af9c97fd4ba61a0b848d Mon Sep 17 00:00:00 2001
+From: Rohit Rawat <[email protected]>
+Date: Mon, 27 Jan 2025 12:36:21 +0000
+Subject: [PATCH] Fix CVE-2024-53263
+
+Backported from https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90
+
+---
+ creds/creds.go | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/creds/creds.go b/creds/creds.go
+index 0cc6762..f4e1432 100644
+--- a/creds/creds.go
++++ b/creds/creds.go
+@@ -53,11 +53,14 @@ func (credWrapper *CredentialHelperWrapper) FillCreds() error {
+ // as input.
+ type Creds map[string][]string
+
+-func bufferCreds(c Creds) *bytes.Buffer {
++func bufferCreds(c Creds) (*bytes.Buffer, error) {
+ 	buf := new(bytes.Buffer)
+
+ 	for k, v := range c {
+ 		for _, item := range v {
++			if strings.Contains(item, "\n") {
++				return nil, errors.Errorf(tr.Tr.Get("credential value for %s contains newline: %q", k, item))
++			}
+ 			buf.Write([]byte(k))
+ 			buf.Write([]byte("="))
+ 			buf.Write([]byte(item))
+@@ -65,7 +68,7 @@ func bufferCreds(c Creds) *bytes.Buffer {
+ 		}
+ 	}
+
+-	return buf
++	return buf, nil
+ }
+
+ type CredentialHelperContext struct {
+@@ -323,7 +326,10 @@ func (h *commandCredentialHelper) exec(subcommand string, input Creds) (Creds, e
+ 	if err != nil {
+ 		return nil, errors.New(tr.Tr.Get("failed to find `git credential %s`: %v", subcommand, err))
+ 	}
+-	cmd.Stdin = bufferCreds(input)
++	cmd.Stdin, err = bufferCreds(input)
++	if err != nil {
++		return nil, errors.New(tr.Tr.Get("invalid input to `git credential %s`: %v", subcommand, err))
++	}
+ 	cmd.Stdout = output
+ 	/*
+ 	   There is a reason we don't read from stderr here:
+-- 
+2.40.4
+
diff --git a/SPECS/git-lfs/git-lfs.spec b/SPECS/git-lfs/git-lfs.spec
@@ -2,7 +2,7 @@
 Summary:       Git extension for versioning large files
 Name:          git-lfs
 Version:       3.5.1
-Release:       3%{?dist}
+Release:       4%{?dist}
 Group:         System Environment/Programming
 Vendor:        Microsoft Corporation
 Distribution:  Mariner
@@ -29,6 +29,7 @@ Source0:       https://github.com/git-lfs/git-lfs/archive/v%{version}.tar.gz#/%{
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:       %{name}-%{version}-vendor.tar.gz
 Patch0:        CVE-2023-45288.patch
+Patch1:        CVE-2024-53263.patch
 
 BuildRequires: golang
 BuildRequires: which
@@ -79,6 +80,9 @@ git lfs uninstall
 %{_mandir}/man5/*
 
 %changelog
+* Mon Jan 27 2025 Rohit Rawat <[email protected]> - 3.5.1-4
+- Add patch for CVE-2024-53263
+
 * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 3.5.1-3
 - Bump release to rebuild with go 1.22.7