CaROS/poky
3
1
Fork 0
mirror of https://git.yoctoproject.org/git/poky synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
fbe56e677b
poky/meta/recipes-devtools/python/python3-git_3.1.27.bb
Narpat Mali 07213601fd python3-git: fix for CVE-2022-24439 
All versions of package gitpython are vulnerable to Remote Code Execution
(RCE) due to improper user input validation, which makes it possible to
inject a maliciously crafted remote URL into the clone command. Exploiting
this vulnerability is possible because the library makes external calls to
git without sufficient sanitization of input arguments.

CVE: CVE-2022-24439

Upstream-Status: Backport

Reference:
https://github.com/gitpython-developers/GitPython/discussions/1529
https://github.com/gitpython-developers/GitPython/pull/1518
https://github.com/gitpython-developers/GitPython/pull/1521

(From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde)

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-26 23:37:05 +00:00

37 lines
1.3 KiB
BlitzBasic
Raw Blame History

SUMMARY = "Python library used to interact with Git repositories"
DESCRIPTION = "GitPython provides object model read and write access to \
a git repository. Access repository information conveniently, alter the \
index directly, handle remotes, or go down to low-level object database \
access with big-files support."
HOMEPAGE = "http://github.com/gitpython-developers/GitPython"
SECTION = "devel/python"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=8b8d26c37c1d5a04f9b0186edbebc183"
PYPI_PACKAGE = "GitPython"
inherit pypi python_setuptools_build_meta
SRC_URI += "file://0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch \
file://0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch \
"
SRC_URI[sha256sum] = "1c885ce809e8ba2d88a29befeb385fcea06338d3640712b59ca623c220bb5704"
DEPENDS += " ${PYTHON_PN}-gitdb"
RDEPENDS:${PN} += " \
${PYTHON_PN}-datetime \
${PYTHON_PN}-gitdb \
${PYTHON_PN}-io \
${PYTHON_PN}-logging \
${PYTHON_PN}-math \
${PYTHON_PN}-netclient \
${PYTHON_PN}-stringold \
${PYTHON_PN}-unittest \
${PYTHON_PN}-unixadmin \
git \
"
BBCLASSEXTEND = "native nativesdk"
Reference in New Issue View Git Blame Copy Permalink