git: fix CVE-2025-48386

Upstream-Status: Backport from 9de345cb27 (From OE-Core rev: 3f2fce1ababbf6c94a9e4995d133d5338913b2ce) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-01 13:58:04 +00:00 · 2025-10-27 11:52:00 +05:30 · 2025-10-27 11:52:00 +05:30 · bee2fe9cc5
commit bee2fe9cc5
parent d0f445a1e2
2 changed files with 98 additions and 0 deletions
--- a/meta/recipes-devtools/git/git/CVE-2025-48386.patch
+++ b/meta/recipes-devtools/git/git/CVE-2025-48386.patch
@ -0,0 +1,97 @@
+From 9de345cb273cc7faaeda279c7e07149d8a15a319 Mon Sep 17 00:00:00 2001
+From: Taylor Blau <me@ttaylorr.com>
+Date: Mon, 19 May 2025 18:30:29 -0400
+Subject: [PATCH] wincred: avoid buffer overflow in wcsncat()
+
+The wincred credential helper uses a static buffer ("target") as a
+unique key for storing and comparing against internal storage. It does
+this by building up a string is supposed to look like:
+
+    git:$PROTOCOL://$USERNAME@$HOST/@path
+
+However, the static "target" buffer is declared as a wide string with no
+more than 1,024 wide characters. The first call to wcsncat() is almost
+correct (it copies no more than ARRAY_SIZE(target) wchar_t's), but does
+not account for the trailing NUL, introducing an off-by-one error.
+
+But subsequent calls to wcsncat() have an additional problem on top of
+the off-by-one. They do not account for the length of the existing
+wide string being built up in 'target'. So the following:
+
+    $ perl -e '
+        my $x = "x" x 1_000;
+        print "protocol=$x\nhost=$x\nusername=$x\npath=$x\n"
+      ' |
+      C\:/Program\ Files/Git/mingw64/libexec/git-core/git-credential-wincred.exe get
+
+will result in a segmentation fault from over-filling buffer.
+
+This bug is as old as the wincred helper itself, dating back to
+a6253da (contrib: add win32 credential-helper, 2012-07-27). Commit
+8b2d219 (wincred: improve compatibility with windows versions,
+2013-01-10) replaced the use of strncat() with wcsncat(), but retained
+the buggy behavior.
+
+Fix this by using a "target_append()" helper which accounts for both the
+length of the existing string within the buffer, as well as the trailing
+NUL character.
+
+Reported-by: David Leadbeater <dgl@dgl.cx>
+Helped-by: David Leadbeater <dgl@dgl.cx>
+Helped-by: Jeff King <peff@peff.net>
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+
+CVE: CVE-2025-48386
+Upstream-Status: Backport [https://github.com/git/git/commit/9de345cb273cc7faaeda279c7e07149d8a15a319]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ .../wincred/git-credential-wincred.c          | 22 +++++++++++++------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/contrib/credential/wincred/git-credential-wincred.c b/contrib/credential/wincred/git-credential-wincred.c
+index 5091048..00ecd87 100644
+--- a/contrib/credential/wincred/git-credential-wincred.c
+++ b/contrib/credential/wincred/git-credential-wincred.c
+@@ -93,6 +93,14 @@ static void load_cred_funcs(void)
+ 
+ static WCHAR *wusername, *password, *protocol, *host, *path, target[1024];
+ 
+static void target_append(const WCHAR *src)
+{
+	size_t avail = ARRAY_SIZE(target) - wcslen(target) - 1; /* -1 for NUL */
+	if (avail < wcslen(src))
+		die("target buffer overflow");
+	wcsncat(target, src, avail);
+}
+
+ static void write_item(const char *what, LPCWSTR wbuf, int wlen)
+ {
+ 	char *buf;
+@@ -304,17 +312,17 @@ int main(int argc, char *argv[])
+ 
+ 	/* prepare 'target', the unique key for the credential */
+ 	wcscpy(target, L"git:");
+-	wcsncat(target, protocol, ARRAY_SIZE(target));
+-	wcsncat(target, L"://", ARRAY_SIZE(target));
+	target_append(protocol);
+	target_append(L"://");
+ 	if (wusername) {
+-		wcsncat(target, wusername, ARRAY_SIZE(target));
+-		wcsncat(target, L"@", ARRAY_SIZE(target));
+		target_append(wusername);
+		target_append(L"@");
+ 	}
+ 	if (host)
+-		wcsncat(target, host, ARRAY_SIZE(target));
+		target_append(host);
+ 	if (path) {
+-		wcsncat(target, L"/", ARRAY_SIZE(target));
+-		wcsncat(target, path, ARRAY_SIZE(target));
+		target_append(L"/");
+		target_append(path);
+ 	}
+ 
+ 	if (!strcmp(argv[1], "get"))
+-- 
+2.50.1
+
--- a/meta/recipes-devtools/git/git_2.35.7.bb
+++ b/meta/recipes-devtools/git/git_2.35.7.bb
@ -28,6 +28,7 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
           file://CVE-2024-52006.patch \
           file://CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch \
           file://CVE-2025-48384.patch \
+           file://CVE-2025-48386.patch \
           "

 S = "${WORKDIR}/git-${PV}"