deal with git's changes for CVE-2022-24765

Deal with git's recent changes to fix CVE-2022-24765, which prevent using
git in a repository owned by someone else.

That makes git config --list not list the repo's configs, only global
configs. So annex.uuid and annex.version are not visible to git-annex.
It displayed a message about that, which is not right for this situation.
Detect the situation and display a better message, similar to the one other
git commands display.

Also, git-annex init when run in that situation would overwrite annex.uuid
with a new one, since it couldn't see the old one. Add a check to prevent
it running too in this situation. It may be that this fix has security
implications, if a config set by the malicious user who owns the repo
causes git or git-annex to run code. I don't think any git-annex configs
get run by git-annex init. It may be that some git config of a command
does get run by one of the git commands that git-annex init runs. ("git
status" is the command that prompted the CVE-2022-24765, since
core.fsmonitor can cause it to run a command). Since I don't know how
to exploit this, I'm not treating it as a security fix for now.

Note that passing --git-dir makes git bypass the security check. git-annex
does pass --git-dir to most calls to git, which it does to avoid needing
chdir to the directory containing a git repository when accessing a remote.
So, it's possible that somewhere in git-annex it gets as far as running git
with --git-dir, and git reads some configs that are unsafe (what
CVE-2022-24765 is about). This seems unlikely, it would have to be part of
git-annex that runs in git repositories that have no (visible) annex.uuid,
and git-annex init is the only one that I can think of that then goes on to
run git, as discussed earlier. But I've not fully ruled out there being
others..

The git developers seem mostly worried about "git status" or a similar
command implicitly run by a shell prompt, not an explicit use of git in
such a repository. For example, Ævar Arnfjörð Bjarma wrote:
> * There are other bits of config that also point to executable things,
>   e.g. core.editor, aliases etc, but nothing has been found yet that
>   provides the "at a distance" effect that the core.fsmonitor vector
>   does.
>
>   I.e. a user is unlikely to go to /tmp/some-crap/here and run "git
>   commit", but they (or their shell prompt) might run "git status", and
>   if you have a /tmp/.git ...

Sponsored-by: Jarkko Kniivilä on Patreon
This commit is contained in:
Joey Hess 2022-05-20 14:18:19 -04:00
parent 7f28f41c37
commit af0d854460
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
3 changed files with 40 additions and 3 deletions

View file

@ -68,7 +68,7 @@ import Control.Concurrent.Async
#endif
checkInitializeAllowed :: Annex a -> Annex a
checkInitializeAllowed a = noAnnexFileContent' >>= \case
checkInitializeAllowed a = guardSafeToUseRepo $ noAnnexFileContent' >>= \case
Nothing -> a
Just noannexmsg -> do
warning "Initialization prevented by .noannex file (remove the file to override)"
@ -216,7 +216,7 @@ objectDirNotPresent :: Annex Bool
objectDirNotPresent = do
d <- fromRawFilePath <$> fromRepo gitAnnexObjectDir
exists <- liftIO $ doesDirectoryExist d
when exists $
when exists $ guardSafeToUseRepo $
giveup $ unwords $
[ "This repository is not initialized for use"
, "by git-annex, but " ++ d ++ " exists,"
@ -228,6 +228,21 @@ objectDirNotPresent = do
]
return (not exists)
guardSafeToUseRepo :: Annex a -> Annex a
guardSafeToUseRepo a = do
repopath <- fromRepo Git.repoPath
ifM (inRepo Git.Config.checkRepoConfigInaccessible)
( giveup $ unlines $
[ "Git refuses to operate in this repository,"
, "probably because it is owned by someone else."
, ""
-- This mirrors git's wording.
, "To add an exception for this directory, call:"
, "\tgit config --global --add safe.directory " ++ fromRawFilePath repopath
]
, a
)
{- Initialize if it can do so automatically. Avoids failing if it cannot.
-
- Checks repository version and handles upgrades too.

View file

@ -14,6 +14,11 @@ git-annex (10.20220505) UNRELEASED; urgency=medium
pass at the end.
* fsck: Fix situations where the annex object file is stored in a
directory structure other than where annex symlinks point to.
* Deal with git's recent changes to fix CVE-2022-24765, which prevent
using git in a repository owned by someone else.
* Improve an error message displayed in that situation.
* Prevent git-annex init incorrectly reinitializing the repository in
that situation.
-- Joey Hess <id@joeyh.name> Thu, 05 May 2022 15:08:07 -0400

View file

@ -1,6 +1,6 @@
{- git repository configuration handling
-
- Copyright 2010-2020 Joey Hess <id@joeyh.name>
- Copyright 2010-2022 Joey Hess <id@joeyh.name>
-
- Licensed under the GNU AGPL version 3 or higher.
-}
@ -22,6 +22,7 @@ import Git.Types
import qualified Git.Command
import qualified Git.Construct
import Utility.UserInfo
import Utility.Process.Transcript
{- Returns a single git config setting, or a fallback value if not set. -}
get :: ConfigKey -> ConfigValue -> Repo -> ConfigValue
@ -273,3 +274,19 @@ unset ck@(ConfigKey k) r = ifM (Git.Command.runBool ps r)
)
where
ps = [Param "config", Param "--unset-all", Param (decodeBS k)]
{- git "fixed" CVE-2022-24765 by preventing git-config from
- listing per-repo configs when the repo is not owned by
- the current user. Detect if this fix is in effect for the
- repo.
-}
checkRepoConfigInaccessible :: Repo -> IO Bool
checkRepoConfigInaccessible r = do
-- Cannot use gitCommandLine here because specifying --git-dir
-- will bypass the git security check.
let p = (proc "git" ["config", "--local", "--list"])
{ cwd = Just (fromRawFilePath (repoPath r))
, env = gitEnv r
}
(_out, ok) <- processTranscript' p Nothing
return (not ok)