Merge pull request from GHSA-6rw3-3whw-jvjj

release: v3.1.3

Author: bk2204

CHANGELOG.md

@@ -1,5 +1,39 @@
 # Git LFS Changelog
 
+## 3.1.3 (19 Apr 2022)
+
+This release introduces a security fix for Windows systems, which has been
+assigned CVE-2022-24826.
+
+On Windows, if Git LFS operates on a malicious repository with a `..exe` file as
+well as a file named `git.exe`, and `git.exe` is not found in PATH, the `..exe`
+program will be executed, permitting the attacker to execute arbitrary code.
+Similarly, if the malicious repository contains files named `..exe` and
+`cygpath.exe`, and `cygpath.exe` is not found in PATH, the `..exe` program will
+be executed when certain Git LFS commands are run.
+
+This security problem does not affect Unix systems.  This is the same issue as
+CVE-2020-27955 and CVE-2021-21237, but the fix for those issue was incomplete
+and certain options can still cause the problem to occur.
+
+This occurs because on Windows, Go includes (and prefers) the current directory
+when the name of a command run does not contain a directory separator, and it
+continues to search for programs even when the specified program name is empty.
+This has been solved by failing if the path is empty or not found.
+
+We would like to extend a special thanks to the following open-source
+contributors:
+
+* @yuske for reporting this to us responsibly
+
+### Bugs
+
+* Report errors when finding executables and revise PATH search tests (@chrisd8088)
+
+### Misc
+
+* Update Windows signing certificate SHA hash in Makefile (@chrisd8088)
+
 ## 3.1.2 (16 Feb 2022)
 
 This is a bugfix release which fixes a bug in `git lfs install` and some issues

commands/command_clone.go

@@ -118,8 +118,11 @@ func postCloneSubmodules(args []string) error {
 	// Use `git submodule foreach --recursive` to cascade into nested submodules
 	// Also good to call a new instance of git-lfs rather than do things
 	// inside this instance, since that way we get a clean env in that subrepo
-	cmd := subprocess.ExecCommand("git", "submodule", "foreach", "--recursive",
+	cmd, err := subprocess.ExecCommand("git", "submodule", "foreach", "--recursive",
 		"git lfs pull")
+	if err != nil {
+		return err
+	}
 	cmd.Stderr = os.Stderr
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout

commands/command_ls_files.go

@@ -4,6 +4,7 @@ import (
 	"os"
 	"strings"
 
+	"github.com/git-lfs/git-lfs/v3/errors"
 	"github.com/git-lfs/git-lfs/v3/git"
 	"github.com/git-lfs/git-lfs/v3/lfs"
 	"github.com/git-lfs/git-lfs/v3/tools/humanize"
@@ -50,7 +51,11 @@ func lsFilesCommand(cmd *cobra.Command, args []string) {
 	} else {
 		fullref, err := git.CurrentRef()
 		if err != nil {
-			ref = git.EmptyTree()
+			ref, err = git.EmptyTree()
+			if err != nil {
+				ExitWithError(errors.Wrap(
+					err, tr.Tr.Get("Could not read empty Git tree object")))
+			}
 		} else {
 			ref = fullref.Sha
 		}

commands/command_status.go

@@ -28,8 +28,12 @@ func statusCommand(cmd *cobra.Command, args []string) {
 	ref, _ := git.CurrentRef()
 
 	scanIndexAt := "HEAD"
+	var err error
 	if ref == nil {
-		scanIndexAt = git.EmptyTree()
+		scanIndexAt, err = git.EmptyTree()
+		if err != nil {
+			ExitWithError(err)
+		}
 	}
 
 	scanner, err := lfs.NewPointerScanner(cfg.GitEnv(), cfg.OSEnv())

commands/path_windows.go

@@ -48,7 +48,10 @@ func cleanRootPath(pattern string) string {
 
 	if len(winBashPrefix) < 1 {
 		// cmd.Path is something like C:\Program Files\Git\usr\bin\pwd.exe
-		cmd := subprocess.ExecCommand("pwd")
+		cmd, err := subprocess.ExecCommand("pwd")
+		if err != nil {
+			return pattern
+		}
 		winBashPrefix = strings.Replace(filepath.Dir(filepath.Dir(filepath.Dir(cmd.Path))), `\`, "/", -1) + "/"
 	}
 

commands/pull.go

@@ -147,7 +147,10 @@ func (i *gitIndexer) Add(path string) error {
 
 	if i.cmd == nil {
 		// Fire up the update-index command
-		cmd := git.UpdateIndexFromStdin()
+		cmd, err := git.UpdateIndexFromStdin()
+		if err != nil {
+			return err
+		}
 		cmd.Stdout = &i.output
 		cmd.Stderr = &i.output
 		stdin, err := cmd.StdinPipe()

config/version.go

@@ -13,7 +13,7 @@ var (
 )
 
 const (
-	Version = "3.1.2"
+	Version = "3.1.3"
 )
 
 func init() {

creds/creds.go

@@ -241,7 +241,11 @@ func (a *AskPassCredentialHelper) getFromProgram(valueType credValueType, u *url
 
 	// 'cmd' will run the GIT_ASKPASS (or core.askpass) command prompting
 	// for the desired valueType (`Username` or `Password`)
-	cmd := subprocess.ExecCommand(a.Program, a.args(fmt.Sprintf("%s for %q", valueString, u))...)
+	cmd, errVal := subprocess.ExecCommand(a.Program, a.args(fmt.Sprintf("%s for %q", valueString, u))...)
+	if errVal != nil {
+		tracerx.Printf("creds: failed to find GIT_ASKPASS command: %s", a.Program)
+		return "", errVal
+	}
 	cmd.Stderr = &err
 	cmd.Stdout = &value
 
@@ -301,7 +305,10 @@ func (h *commandCredentialHelper) Approve(creds Creds) error {
 
 func (h *commandCredentialHelper) exec(subcommand string, input Creds) (Creds, error) {
 	output := new(bytes.Buffer)
-	cmd := subprocess.ExecCommand("git", "credential", subcommand)
+	cmd, err := subprocess.ExecCommand("git", "credential", subcommand)
+	if err != nil {
+		return nil, errors.New(tr.Tr.Get("failed to find `git credential %s`: %v", subcommand, err))
+	}
 	cmd.Stdin = bufferCreds(input)
 	cmd.Stdout = output
 	/*
@@ -316,7 +323,7 @@ func (h *commandCredentialHelper) exec(subcommand string, input Creds) (Creds, e
 	*/
 	cmd.Stderr = os.Stderr
 
-	err := cmd.Start()
+	err = cmd.Start()
 	if err == nil {
 		err = cmd.Wait()
 	}

debian/changelog

@@ -1,3 +1,9 @@
+git-lfs (3.1.3) stable; urgency=low
+
+  * New upstream version
+
+ -- brian m. carlson <[email protected]>  Tue, 19 Apr 2022 14:29:00 -0000
+
 git-lfs (3.1.2) stable; urgency=low
 
   * New upstream version

git/config.go

@@ -199,7 +199,10 @@ func (c *Configuration) Source() (*ConfigurationSource, error) {
 
 func (c *Configuration) gitConfig(args ...string) (string, error) {
 	args = append([]string{"config", "--includes"}, args...)
-	cmd := subprocess.ExecCommand("git", args...)
+	cmd, err := subprocess.ExecCommand("git", args...)
+	if err != nil {
+		return "", err
+	}
 	if len(c.GitDir) > 0 {
 		cmd.Dir = c.GitDir
 	}