git@vger.kernel.org mailing list mirror (one of many)
From: Calvin Wan <calvinwan@google.com>
To: "Carlo Marcelo Arenas Belón" <carenas@gmail.com>
Cc: Calvin Wan <calvinwan@google.com>, git@vger.kernel.org, peff@peff.net
Subject: Re: [PATCH] osxkeychain: restrict queries to requests with a valid host
Date: Mon, 22 Apr 2024 19:48:12 +0000
Message-ID: <20240422194824.340464-1-calvinwan@google.com>
In-Reply-To: <20200420224310.9989-1-carenas@gmail.com>

Carlo Marcelo Arenas Belón <carenas@gmail.com> writes:
> Make sure that requests to this helper to get credentials return early if
> there is no host or the host is empty.
> 
> Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
> ---
>  contrib/credential/osxkeychain/git-credential-osxkeychain.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> index bcd3f575a3..2264a88c41 100644
> --- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> +++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> @@ -69,6 +69,12 @@ static void find_internet_password(void)
>  	UInt32 len;
>  	SecKeychainItemRef item;
>  
> +	/*
> +	 * Require at valid host to fix CVE-2020-11008
> +	 */
> +	if (!host || !*host)
> +		return;
> +
>  	if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item))
>  		return;
>  
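Review bot: the comment introduced at the top of this hunk has a typo, "Require at valid host" should read "Require a valid host", and it names CVE-2020-11008 without saying what the early return does; suggest stating it in the comment, e.g. "Do not query the keychain when the request carries no host (CVE-2020-11008)", which also matches the commit message's "no host or the host is empty" wording. The `!host || !*host` test covers both of those cases, and placing it before the `SecKeychainFindInternetPassword(KEYCHAIN_ARGS, ...)` call means the keychain is never consulted for such a request.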
> -- 
> 2.26.2.111.gbff22aa583
> 

We're currently using this patch downstream (removed the check for
!*host after updates to this file), but I was wondering whether this
change should also be in main. It seems like the discussion around this
stalled and there was no definitive conclusion, but the change also at
worst does nothing and could possibly be useful -- I see other functions
where we're checking for the existence of "host". I wasn't around when
all the changes around this CVE were happening so I'm not exactly sure
how useful this patch is and whether we can get rid of it or not.


Thread overview: 7+ messages
2020-04-20 22:43 [PATCH] osxkeychain: restrict queries to requests with a valid host Carlo Marcelo Arenas Belón
2020-04-20 23:09 ` Junio C Hamano
2020-04-20 23:20   ` Carlo Arenas
2020-04-21  1:44     ` Junio C Hamano
2020-04-21  6:15 ` Jonathan Nieder
2024-04-22 19:48 ` Calvin Wan [this message]
2024-04-23 21:39   ` Jeff King
