Handle git >= v2.35.2 with wrapper function after CVE-2022-24765
cloudishBenne opened this issue · 3 comments
Describe the bug
When the generated script is run with sudo, git complains about an unsafe repository.
To Reproduce
Steps to reproduce the behavior:
- Call generated script with parameters sudo <script> -v -h
- Wait for <1 seconds
- See error:
fatal: unsafe repository ('<repository folder>' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory <repository folder>
Expected behavior
Run git as user without error.
Screenshots
/
Desktop (please complete the following information):
- OS: Ubuntu 20.04
- bash version 5.0.17
- Script version: bashew 1.18.6
- copy/paste output of script.sh -v: not needed, see solution below
Additional context
Add any other context about the problem here.
Possible solution: wrap git
function Tool:git_safe() {
  # handle running git v2.35.2 with "run_as_root=1" after CVE-2022-24765
  # but without "git config --global --add safe.directory ..."
  # https://github.blog/2022-04-12-git-security-vulnerability-announced/
  IO:debug "Tool:git_safe() called"
  if [[ $run_as_root == 1 ]] ; then
    IO:debug " -> run_as_root=1: sudo -u $SUDO_USER -- git $*"
    sudo -u "$SUDO_USER" -- git "$@"
  elif [[ $run_as_root == -1 ]] ; then
    IO:debug " -> run_as_root=-1: git $*"
    git "$@"
  else
    if [[ "$(whoami)" == "root" ]] ; then
      IO:debug " -> run_as_root=0: sudo -u $SUDO_USER -- git $*"
      sudo -u "$SUDO_USER" -- git "$@"
    else
      IO:debug " -> run_as_root=0: git $*"
      git "$@"
    fi
  fi
}
Then replace git calls in all functions with Tool:git_safe.
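A variant of the wrapper above that picks the account from the repository's owner instead of from `$SUDO_USER`, so it still works when `SUDO_USER` is unset and never needs a `safe.directory` exception. This is an added example, not code from the issue or from bashew; the function names `git_run_as_uid` and `git_as_owner` are hypothetical, and it assumes the working tree and its `.git` directory share one owner.

```bash
#!/usr/bin/env bash
# Added example: run git as the repository's owner (function names are hypothetical).

# Print the numeric uid git has to run as for <repo_dir>, or nothing when the
# caller already owns it. Arguments 2 and 3 override the detected uids so the
# decision can be exercised without root.
git_run_as_uid() {
  local repo_dir="$1"
  local my_uid="${2:-$(id -u)}"
  local owner_uid="${3:-}"
  if [ -z "$owner_uid" ]; then
    # ls -n prints numeric ids; the owner is the third field.
    owner_uid="$(ls -ldn -- "$repo_dir" 2>/dev/null | awk '{print $3}')"
  fi
  case "$owner_uid" in
    '' | *[!0-9]*)
      echo "git_run_as_uid: cannot determine owner of $repo_dir" >&2
      return 2 ;;
  esac
  if [ "$owner_uid" = "$my_uid" ]; then
    return 0                       # already the owner: git's check passes
  fi
  if [ "$my_uid" != 0 ]; then
    # Not root, so switching accounts is impossible. Fail instead of
    # silently adding a safe.directory exception.
    echo "git_run_as_uid: $repo_dir belongs to uid $owner_uid" >&2
    return 1
  fi
  printf '%s\n' "$owner_uid"       # root: drop to the owner
}

# Usage: git_as_owner <repo_dir> <git arguments...>
git_as_owner() {
  local repo_dir="$1" run_uid
  shift
  run_uid="$(git_run_as_uid "$repo_dir")" || return $?
  if [ -n "$run_uid" ]; then
    sudo -u "#$run_uid" -- git -C "$repo_dir" "$@"   # '#uid' is sudo's uid form
  else
    git -C "$repo_dir" "$@"
  fi
}
```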
My WSL Ubuntu 20.04.4 LTS still has git version 2.25.1 and cannot upgrade higher than that.
$ sudo ./cranes_besom.sh -v -h
# 🌼 Script path: ./cranes_besom.sh
# 🌼 Linked path: ./cranes_besom.sh
# 🌼 In folder : /mnt/c/Users/forretp/Code/temp/cranes_besom
# 🌼 Shell type : bash - version 5.0.17(1)-release
# 🌼 System OS : Ubuntu (Linux) 20.04 on x86_64
# 🌼 Package mgt: apt install
# 🌼 Version : 0.0.1
# 🌼 Created : 2022-08-16
# 🌼 Modified : 2022-08-16 16:01
# 🌼 Lines : 1027 lines / md5: 62a77008
# 🌼 User : root@BFLD-PFORRET22
# 🌼 git remote :
# 🌼 git folder : /mnt/c/Users/forretp/Code/temp/cranes_besom
⛔ cranes_besom.sh: user is root, CANNOT be root to run [cranes_besom.sh]
# cranes_besom.sh finished after 0 seconds
Let me see on a native Ubuntu machine later
https://nvd.nist.gov/vuln/detail/cve-2022-24765 talks about "git for Windows". I'm using git under WSL, but it's the Ubuntu version. Is yours a git.exe binary?
$ which git
/usr/bin/git
$ git --version
git version 2.25.1
Sorry for the late reply. No, I am running Ubuntu 20.04 (KDE neon flavor) with git version 2.25.1. Haven't touched Windows in a while.
Did it not complain in your Ubuntu VM about the unsafe repository? As far as I remember, this functionality was added back then as a security feature and couldn't be otherwise solved sanely.