Fix CVE-2024-32002

(cherry picked from commit 8fd45e2ba5e5c26ee71ee5651fdd26f794e7a9f3)

backport-CVE-2024-32002-submodule-helper-add-const-to-passed-module_clone_da.patch

@@ -0,0 +1,213 @@
+From d2da776547575648d6f9da4ac7b4b1d06d6ab1a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=86var=20Arnfj=C3=B6r=C3=B0=20Bjarmason?=
+ <avarab@gmail.com>
+Date: Thu, 1 Sep 2022 01:17:56 +0200
+Subject: [PATCH 1/3] submodule--helper: add "const" to passed
+ "module_clone_data"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add "const" to the "struct module_clone_data" that we pass to
+clone_submodule(), which makes the ownership clear, and stops us from
+clobbering the "clone_data->path".
+
+We still need to add to the "reference" member, which is a "struct
+string_list". Let's do this by having clone_submodule() create its
+own, and copy the contents over, allowing us to pass it as a
+separate parameter.
+
+This new "struct string_list" still leaks memory, just as the "struct
+module_clone_data" did before. let's not fix that for now, to fix that
+we'll need to add some "goto cleanup" to the relevant code. That will
+eventually be done in follow-up commits, this change makes it easier
+to fix the memory leak.
+
+The scope of the new "reference" variable in add_submodule() could be
+narrowed to the "else" block, but as we'll eventually free it with a
+"goto cleanup" let's declare it at the start of the function.
+
+Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
+Reviewed-by: Glen Choo <chooglen@google.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+Reference:  https://git.kernel.org/pub/scm/git/git.git/commit/?id=6fac5b2f352efc8c246d6d5be63a66b7b0fc0209
+Conflicts:
+      builtin/submodule--helper.c
+Signed-off-by: qiaojijun <qiaojijun@kylinos.cn>
+---
+ builtin/submodule--helper.c | 49 ++++++++++++++++++++-----------------
+ 1 file changed, 27 insertions(+), 22 deletions(-)
+
+diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
+index ef2776a..7216e71 100644
+--- a/builtin/submodule--helper.c
++++ b/builtin/submodule--helper.c
+@@ -1665,14 +1665,13 @@ struct module_clone_data {
+ 	const char *name;
+ 	const char *url;
+ 	const char *depth;
+-	struct string_list reference;
+ 	unsigned int quiet: 1;
+ 	unsigned int progress: 1;
+ 	unsigned int dissociate: 1;
+ 	unsigned int require_init: 1;
+ 	int single_branch;
+ };
+-#define MODULE_CLONE_DATA_INIT { .reference = STRING_LIST_INIT_NODUP, .single_branch = -1 }
++#define MODULE_CLONE_DATA_INIT { .single_branch = -1 }
+ 
+ struct submodule_alternate_setup {
+ 	const char *submodule_name;
+@@ -1778,12 +1777,14 @@ static void prepare_possible_alternates(const char *sm_name,
+ 	free(error_strategy);
+ }
+ 
+-static int clone_submodule(struct module_clone_data *clone_data)
++static int clone_submodule(const struct module_clone_data *clone_data,
++			   struct string_list *reference)
+ {
+ 	char *p, *sm_gitdir;
+ 	char *sm_alternate = NULL, *error_strategy = NULL;
+ 	struct strbuf sb = STRBUF_INIT;
+ 	struct child_process cp = CHILD_PROCESS_INIT;
++	const char *clone_data_path;
+ 
+ 	strbuf_addf(&sb, "%s/modules/%s", get_git_dir(), clone_data->name);
+ 	sm_gitdir = absolute_pathdup(sb.buf);
+@@ -1791,9 +1792,10 @@ static int clone_submodule(struct module_clone_data *clone_data)
+ 
+ 	if (!is_absolute_path(clone_data->path)) {
+ 		strbuf_addf(&sb, "%s/%s", get_git_work_tree(), clone_data->path);
+-		clone_data->path = strbuf_detach(&sb, NULL);
++		clone_data_path = xstrfmt("%s/%s", get_git_work_tree(),
++					  clone_data->path);
+ 	} else {
+-		clone_data->path = xstrdup(clone_data->path);
++		clone_data_path = xstrdup(clone_data->path);
+ 	}
+ 
+ 	if (validate_submodule_git_dir(sm_gitdir, clone_data->name) < 0)
+@@ -1804,7 +1806,7 @@ static int clone_submodule(struct module_clone_data *clone_data)
+ 		if (safe_create_leading_directories_const(sm_gitdir) < 0)
+ 			die(_("could not create directory '%s'"), sm_gitdir);
+ 
+-		prepare_possible_alternates(clone_data->name, &clone_data->reference);
++		prepare_possible_alternates(clone_data->name, reference);
+ 
+ 		strvec_push(&cp.args, "clone");
+ 		strvec_push(&cp.args, "--no-checkout");
+@@ -1814,9 +1816,9 @@ static int clone_submodule(struct module_clone_data *clone_data)
+ 			strvec_push(&cp.args, "--progress");
+ 		if (clone_data->depth && *(clone_data->depth))
+ 			strvec_pushl(&cp.args, "--depth", clone_data->depth, NULL);
+-		if (clone_data->reference.nr) {
++		if (reference->nr) {
+ 			struct string_list_item *item;
+-			for_each_string_list_item(item, &clone_data->reference)
++			for_each_string_list_item(item, reference)
+ 				strvec_pushl(&cp.args, "--reference",
+ 					     item->string, NULL);
+ 		}
+@@ -1831,7 +1833,7 @@ static int clone_submodule(struct module_clone_data *clone_data)
+ 
+ 		strvec_push(&cp.args, "--");
+ 		strvec_push(&cp.args, clone_data->url);
+-		strvec_push(&cp.args, clone_data->path);
++		strvec_push(&cp.args, clone_data_path);
+ 
+ 		cp.git_cmd = 1;
+ 		prepare_submodule_repo_env(&cp.env_array);
+@@ -1839,23 +1841,23 @@ static int clone_submodule(struct module_clone_data *clone_data)
+ 
+ 		if(run_command(&cp))
+ 			die(_("clone of '%s' into submodule path '%s' failed"),
+-			    clone_data->url, clone_data->path);
++			    clone_data->url, clone_data_path);
+ 	} else {
+-		if (clone_data->require_init && !access(clone_data->path, X_OK) &&
+-		    !is_empty_dir(clone_data->path))
+-			die(_("directory not empty: '%s'"), clone_data->path);
+-		if (safe_create_leading_directories_const(clone_data->path) < 0)
+-			die(_("could not create directory '%s'"), clone_data->path);
++		if (clone_data->require_init && !access(clone_data_path, X_OK) &&
++		    !is_empty_dir(clone_data_path))
++			die(_("directory not empty: '%s'"), clone_data_path);
++		if (safe_create_leading_directories_const(clone_data_path) < 0)
++			die(_("could not create directory '%s'"), clone_data_path);
+ 		strbuf_addf(&sb, "%s/index", sm_gitdir);
+ 		unlink_or_warn(sb.buf);
+ 		strbuf_reset(&sb);
+ 	}
+ 
+-	connect_work_tree_and_git_dir(clone_data->path, sm_gitdir, 0);
++	connect_work_tree_and_git_dir(clone_data_path, sm_gitdir, 0);
+ 
+-	p = git_pathdup_submodule(clone_data->path, "config");
++	p = git_pathdup_submodule(clone_data_path, "config");
+ 	if (!p)
+-		die(_("could not get submodule directory for '%s'"), clone_data->path);
++		die(_("could not get submodule directory for '%s'"), clone_data_path);
+ 
+ 	/* setup alternateLocation and alternateErrorStrategy in the cloned submodule if needed */
+ 	git_config_get_string("submodule.alternateLocation", &sm_alternate);
+@@ -1880,6 +1882,7 @@ static int module_clone(int argc, const char **argv, const char *prefix)
+ {
+ 	int dissociate = 0, quiet = 0, progress = 0, require_init = 0;
+ 	struct module_clone_data clone_data = MODULE_CLONE_DATA_INIT;
++	struct string_list reference = STRING_LIST_INIT_NODUP;
+ 
+ 	struct option module_clone_options[] = {
+ 		OPT_STRING(0, "prefix", &clone_data.prefix,
+@@ -1894,7 +1897,7 @@ static int module_clone(int argc, const char **argv, const char *prefix)
+ 		OPT_STRING(0, "url", &clone_data.url,
+ 			   N_("string"),
+ 			   N_("url where to clone the submodule from")),
+-		OPT_STRING_LIST(0, "reference", &clone_data.reference,
++		OPT_STRING_LIST(0, "reference", &reference,
+ 			   N_("repo"),
+ 			   N_("reference repository")),
+ 		OPT_BOOL(0, "dissociate", &dissociate,
+@@ -1932,7 +1935,7 @@ static int module_clone(int argc, const char **argv, const char *prefix)
+ 		usage_with_options(git_submodule_helper_usage,
+ 				   module_clone_options);
+ 
+-	clone_submodule(&clone_data);
++	clone_submodule(&clone_data, &reference);
+ 	return 0;
+ }
+ 
+@@ -2805,6 +2808,7 @@ static int add_submodule(const struct add_data *add_data)
+ {
+ 	char *submod_gitdir_path;
+ 	struct module_clone_data clone_data = MODULE_CLONE_DATA_INIT;
++	struct string_list reference = STRING_LIST_INIT_NODUP;
+ 
+ 	/* perhaps the path already exists and is already a git repo, else clone it */
+ 	if (is_directory(add_data->sm_path)) {
+@@ -2821,6 +2825,7 @@ static int add_submodule(const struct add_data *add_data)
+ 		free(submod_gitdir_path);
+ 	} else {
+ 		struct child_process cp = CHILD_PROCESS_INIT;
++
+ 		submod_gitdir_path = xstrfmt(".git/modules/%s", add_data->sm_name);
+ 
+ 		if (is_directory(submod_gitdir_path)) {
+@@ -2852,13 +2857,13 @@ static int add_submodule(const struct add_data *add_data)
+ 		clone_data.quiet = add_data->quiet;
+ 		clone_data.progress = add_data->progress;
+ 		if (add_data->reference_path)
+-			string_list_append(&clone_data.reference,
++			string_list_append(&reference,
+ 					   xstrdup(add_data->reference_path));
+ 		clone_data.dissociate = add_data->dissociate;
+ 		if (add_data->depth >= 0)
+ 			clone_data.depth = xstrfmt("%d", add_data->depth);
+ 
+-		if (clone_submodule(&clone_data))
++		if (clone_submodule(&clone_data, &reference))
+ 			return -1;
+ 
+ 		prepare_submodule_repo_env(&cp.env_array);
+-- 
+2.20.1
+

backport-CVE-2024-32002-submodule-helper-fix-a-leak-in-clone_submodule.patch

@@ -0,0 +1,146 @@
+From 41b5e59b703f94365bdd5cd6597ee150d946171b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=86var=20Arnfj=C3=B6r=C3=B0=20Bjarmason?=
+ <avarab@gmail.com>
+Date: Thu, 1 Sep 2022 01:14:08 +0200
+Subject: [PATCH 2/3] submodule--helper: fix a leak in "clone_submodule"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix a memory leak of the "clone_data_path" variable that we copy or
+derive from the "struct module_clone_data" in clone_submodule(). This
+code was refactored in preceding commits, but the leak has been with
+us since f8eaa0ba98b (submodule--helper, module_clone: always operate
+on absolute paths, 2016-03-31).
+
+For the "else" case we don't need to xstrdup() the "clone_data->path",
+and we don't need to free our own "clone_data_path". We can therefore
+assign the "clone_data->path" to our own "clone_data_path" right away,
+and only override it (and remember to free it!) if we need to
+xstrfmt() a replacement.
+
+In the case of the module_clone() caller it's from "argv", and doesn't
+need to be free'd, and in the case of the add_submodule() caller we
+get a pointer to "sm_path", which doesn't need to be directly free'd
+either.
+
+Fixing this leak makes several tests pass, so let's mark them as
+passing with TEST_PASSES_SANITIZE_LEAK=true.
+
+Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
+Reviewed-by: Glen Choo <chooglen@google.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Reference: https://git.kernel.org/pub/scm/git/git.git/commit/?id=e77b3da6bb60e9af5963c9e42442afe53af1780b
+Conflicts:
+	builtin/submodule--helper.c
+Signed-off-by: qiaojijun <qiaojijun@kylinos.cn>
+---
+ builtin/submodule--helper.c   | 10 +++++-----
+ t/t1500-rev-parse.sh          |  1 +
+ t/t6008-rev-list-submodule.sh |  1 +
+ t/t7414-submodule-mistakes.sh |  2 ++
+ t/t7506-status-submodule.sh   |  1 +
+ t/t7507-commit-verbose.sh     |  2 ++
+ 6 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
+index 78ac555..bb0834a 100644
+--- a/builtin/submodule--helper.c
++++ b/builtin/submodule--helper.c
+@@ -1784,7 +1784,8 @@ static int clone_submodule(const struct module_clone_data *clone_data,
+ 	char *sm_alternate = NULL, *error_strategy = NULL;
+ 	struct strbuf sb = STRBUF_INIT;
+ 	struct child_process cp = CHILD_PROCESS_INIT;
+-	const char *clone_data_path;
++	const char *clone_data_path = clone_data->path;
++	char *to_free = NULL;
+ 
+ 	strbuf_addf(&sb, "%s/modules/%s", get_git_dir(), clone_data->name);
+ 	sm_gitdir = absolute_pathdup(sb.buf);
+@@ -1792,10 +1793,8 @@ static int clone_submodule(const struct module_clone_data *clone_data,
+ 
+ 	if (!is_absolute_path(clone_data->path)) {
+ 		strbuf_addf(&sb, "%s/%s", get_git_work_tree(), clone_data->path);
+-		clone_data_path = xstrfmt("%s/%s", get_git_work_tree(),
+-					  clone_data->path);
+-	} else {
+-		clone_data_path = xstrdup(clone_data->path);
++		clone_data_path = to_free = xstrfmt("%s/%s", get_git_work_tree(),
++						    clone_data->path);
+ 	}
+ 
+ 	if (validate_submodule_git_dir(sm_gitdir, clone_data->name) < 0)
+@@ -1875,6 +1874,7 @@ static int clone_submodule(const struct module_clone_data *clone_data,
+ 	strbuf_release(&sb);
+ 	free(sm_gitdir);
+ 	free(p);
++	free(to_free);
+ 	return 0;
+ }
+ 
+diff --git a/t/t1500-rev-parse.sh b/t/t1500-rev-parse.sh
+index 1c2df08..0e13bcb 100755
+--- a/t/t1500-rev-parse.sh
++++ b/t/t1500-rev-parse.sh
+@@ -4,6 +4,7 @@ test_description='test git rev-parse'
+ GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main
+ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
+ 
++TEST_PASSES_SANITIZE_LEAK=true
+ . ./test-lib.sh
+ 
+ test_one () {
+diff --git a/t/t6008-rev-list-submodule.sh b/t/t6008-rev-list-submodule.sh
+index 3153a0d..12e67e1 100755
+--- a/t/t6008-rev-list-submodule.sh
++++ b/t/t6008-rev-list-submodule.sh
+@@ -8,6 +8,7 @@ test_description='git rev-list involving submodules that this repo has'
+ GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main
+ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
+ 
++TEST_PASSES_SANITIZE_LEAK=true
+ . ./test-lib.sh
+ 
+ test_expect_success 'setup' '
+diff --git a/t/t7414-submodule-mistakes.sh b/t/t7414-submodule-mistakes.sh
+index f2e7df5..3269298 100755
+--- a/t/t7414-submodule-mistakes.sh
++++ b/t/t7414-submodule-mistakes.sh
+@@ -1,6 +1,8 @@
+ #!/bin/sh
+ 
+ test_description='handling of common mistakes people may make with submodules'
++
++TEST_PASSES_SANITIZE_LEAK=true
+ . ./test-lib.sh
+ 
+ test_expect_success 'create embedded repository' '
+diff --git a/t/t7506-status-submodule.sh b/t/t7506-status-submodule.sh
+index 3fcb447..f5426a8 100755
+--- a/t/t7506-status-submodule.sh
++++ b/t/t7506-status-submodule.sh
+@@ -2,6 +2,7 @@
+ 
+ test_description='git status for submodule'
+ 
++TEST_PASSES_SANITIZE_LEAK=true
+ . ./test-lib.sh
+ 
+ test_create_repo_with_commit () {
+diff --git a/t/t7507-commit-verbose.sh b/t/t7507-commit-verbose.sh
+index ed2653d..92462a2 100755
+--- a/t/t7507-commit-verbose.sh
++++ b/t/t7507-commit-verbose.sh
+@@ -1,6 +1,8 @@
+ #!/bin/sh
+ 
+ test_description='verbose commit template'
++
++TEST_PASSES_SANITIZE_LEAK=true
+ . ./test-lib.sh
+ 
+ write_script "check-for-diff" <<\EOF &&
+-- 
+2.20.1
+

backport-CVE-2024-32002-submodules-submodule-paths-must-not-contain-symlinks.patch

@@ -0,0 +1,156 @@
+From e25bf36fdf54524bda9ec12a851ef53f43c45904 Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <johannes.schindelin@gmx.de>
+Date: Fri, 22 Mar 2024 11:19:22 +0100
+Subject: [PATCH 3/3] submodules: submodule paths must not contain symlinks
+
+When creating a submodule path, we must be careful not to follow
+symbolic links. Otherwise we may follow a symbolic link pointing to
+a gitdir (which are valid symbolic links!) e.g. while cloning.
+
+On case-insensitive filesystems, however, we blindly replace a directory
+that has been created as part of the `clone` operation with a symlink
+when the path to the latter differs only in case from the former's path.
+
+Let's simply avoid this situation by expecting not ever having to
+overwrite any existing file/directory/symlink upon cloning. That way, we
+won't even replace a directory that we just created.
+
+This addresses CVE-2024-32002.
+
+Reported-by: Filip Hejsek <filip.hejsek@gmail.com>
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+Reference:    https://git.kernel.org/pub/scm/git/git.git/commit/?id=97065761333fd62db1912d81b489db938d8c991d
+Conflicts:
+	builtin/submodule--helper.c
+	t/t7406-submodule-update.sh
+Signed-off-by: qiaojijun <qiaojijun@kylinos.cn>
+---
+ builtin/submodule--helper.c | 35 +++++++++++++++++++++++++++
+ t/t7406-submodule-update.sh | 48 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 83 insertions(+)
+
+diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
+index bb0834a..12b08ef 100644
+--- a/builtin/submodule--helper.c
++++ b/builtin/submodule--helper.c
+@@ -1777,11 +1777,34 @@ static void prepare_possible_alternates(const char *sm_name,
+ 	free(error_strategy);
+ }
+ 
++static int dir_contains_only_dotgit(const char *path)
++{
++	DIR *dir = opendir(path);
++	struct dirent *e;
++	int ret = 1;
++
++	if (!dir)
++		return 0;
++
++	e = readdir_skip_dot_and_dotdot(dir);
++	if (!e)
++		ret = 0;
++	else if (strcmp(DEFAULT_GIT_DIR_ENVIRONMENT, e->d_name) ||
++		 (e = readdir_skip_dot_and_dotdot(dir))) {
++		error("unexpected item '%s' in '%s'", e->d_name, path);
++		ret = 0;
++	}
++
++	closedir(dir);
++	return ret;
++}
++
+ static int clone_submodule(const struct module_clone_data *clone_data,
+ 			   struct string_list *reference)
+ {
+ 	char *p, *sm_gitdir;
+ 	char *sm_alternate = NULL, *error_strategy = NULL;
++	struct stat st;
+ 	struct strbuf sb = STRBUF_INIT;
+ 	struct child_process cp = CHILD_PROCESS_INIT;
+ 	const char *clone_data_path = clone_data->path;
+@@ -1802,6 +1825,10 @@ static int clone_submodule(const struct module_clone_data *clone_data,
+ 		      "git dir"), sm_gitdir);
+ 
+ 	if (!file_exists(sm_gitdir)) {
++		if (clone_data->require_init && !stat(clone_data_path, &st) &&
++		    !is_empty_dir(clone_data_path))
++			die(_("directory not empty: '%s'"), clone_data_path);
++
+ 		if (safe_create_leading_directories_const(sm_gitdir) < 0)
+ 			die(_("could not create directory '%s'"), sm_gitdir);
+ 
+@@ -1841,6 +1868,14 @@ static int clone_submodule(const struct module_clone_data *clone_data,
+ 		if(run_command(&cp))
+ 			die(_("clone of '%s' into submodule path '%s' failed"),
+ 			    clone_data->url, clone_data_path);
++
++		if (clone_data->require_init && !stat(clone_data_path, &st) &&
++		    !dir_contains_only_dotgit(clone_data_path)) {
++			char *dot_git = xstrfmt("%s/.git", clone_data_path);
++			unlink(dot_git);
++			free(dot_git);
++			die(_("directory not empty: '%s'"), clone_data_path);
++		}
+ 	} else {
+ 		if (clone_data->require_init && !access(clone_data_path, X_OK) &&
+ 		    !is_empty_dir(clone_data_path))
+diff --git a/t/t7406-submodule-update.sh b/t/t7406-submodule-update.sh
+index 11cccbb..2d04738 100755
+--- a/t/t7406-submodule-update.sh
++++ b/t/t7406-submodule-update.sh
+@@ -1061,4 +1061,52 @@ test_expect_success 'submodule update --quiet passes quietness to fetch with a s
+ 	)
+ '
+ 
++test_expect_success CASE_INSENSITIVE_FS,SYMLINKS \
++	'submodule paths must not follow symlinks' '
++
++	# This is only needed because we want to run this in a self-contained
++	# test without having to spin up an HTTP server; However, it would not
++	# be needed in a real-world scenario where the submodule is simply
++	# hosted on a public site.
++	test_config_global protocol.file.allow always &&
++
++	# Make sure that Git tries to use symlinks on Windows
++	test_config_global core.symlinks true &&
++
++	tell_tale_path="$PWD/tell.tale" &&
++	git init hook &&
++	(
++		cd hook &&
++		mkdir -p y/hooks &&
++		write_script y/hooks/post-checkout <<-EOF &&
++		echo HOOK-RUN >&2
++		echo hook-run >"$tell_tale_path"
++		EOF
++		git add y/hooks/post-checkout &&
++		test_tick &&
++		git commit -m post-checkout
++	) &&
++
++	hook_repo_path="$(pwd)/hook" &&
++	git init captain &&
++	(
++		cd captain &&
++		git submodule add --name x/y "$hook_repo_path" A/modules/x &&
++		test_tick &&
++		git commit -m add-submodule &&
++
++		printf .git >dotgit.txt &&
++		git hash-object -w --stdin <dotgit.txt >dot-git.hash &&
++		printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" >index.info &&
++		git update-index --index-info <index.info &&
++		test_tick &&
++		git commit -m add-symlink
++	) &&
++
++	test_path_is_missing "$tell_tale_path" &&
++	test_must_fail git clone --recursive captain hooked 2>err &&
++	grep "directory not empty" err &&
++	test_path_is_missing "$tell_tale_path"
++'
++
+ test_done
+-- 
+2.20.1
+

git.spec

@@ -1,7 +1,7 @@
 %global gitexecdir          %{_libexecdir}/git-core
 Name:       git
 Version:    2.33.0
-Release:    14
+Release:    15
 Summary:    A popular and widely used Version Control System
 License:    GPLv2+ or LGPLv2.1
 URL:        https://git-scm.com/
@@ -68,6 +68,9 @@ Patch52:    backport-CVE-2024-32004-fetch-clone-detect-dubious-ownership-of-loca
 Patch53:    backport-CVE-2024-32020-builtin-clone-refuse-local-clones-of-unsafe-reposito.patch
 Patch54:    backport-CVE-2024-32465-wrapper.c-add-x-un-setenv-and-use-xsetenv-in.patch
 Patch55:    backport-CVE-2024-32465-upload-pack-disable-lazy-fetching-by-default.patch
+Patch56:    backport-CVE-2024-32002-submodule-helper-add-const-to-passed-module_clone_da.patch
+Patch57:    backport-CVE-2024-32002-submodule-helper-fix-a-leak-in-clone_submodule.patch
+Patch58:    backport-CVE-2024-32002-submodules-submodule-paths-must-not-contain-symlinks.patch
 
 BuildRequires: gcc gettext
 BuildRequires: openssl-devel libcurl-devel expat-devel systemd asciidoc xmlto glib2-devel libsecret-devel pcre2-devel desktop-file-utils
@@ -351,6 +354,12 @@ make %{?_smp_mflags} test
 %{_mandir}/man7/git*.7.*
 
 %changelog
+* Mon May 20 2024 fuanan <fuanan3@h-partners.com> - 2.33.0-15
+- Type:CVE
+- ID:CVE-2024-32002
+- SUG:NA
+- DESC:Fix CVE-2024-32002
+
 * Thu May 16 2024 fuanan <fuanan3@h-partners.com> - 2.33.0-14
 - Type:CVE
 - ID:CVE-2024-32021 CVE-2024-32004 CVE-2024-32020 CVE-2024-32465