fix CVE-2020-12278 and CVE-2020-12279

CVE-2020-12278.patch

@@ -0,0 +1,44 @@
+From e1832eb20a7089f6383cfce474f213157f5300cb Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <johannes.schindelin@gmx.de>
+Date: Wed, 18 Sep 2019 16:33:18 +0200
+Subject: [PATCH] path: also guard `.gitmodules` against NTFS Alternate Data
+ Streams
+
+We just safe-guarded `.git` against NTFS Alternate Data Stream-related
+attack vectors, and now it is time to do the same for `.gitmodules`.
+
+Note: In the added regression test, we refrain from verifying all kinds
+of variations between short names and NTFS Alternate Data Streams: as
+the new code disallows _all_ Alternate Data Streams of `.gitmodules`, it
+is enough to test one in order to know that all of them are guarded
+against.
+
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+---
+ src/path.c          | 2 +-
+ tests/path/dotgit.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/path.c b/src/path.c
+index 7844da67227..b3a8fc32f83 100644
+--- a/src/path.c
++++ b/src/path.c
+@@ -1646,7 +1646,7 @@ GIT_INLINE(bool) only_spaces_and_dots(const char *path)
+ 	const char *c = path;
+ 
+ 	for (;; c++) {
+-		if (*c == '\0')
++		if (*c == '\0' || *c == ':')
+ 			return true;
+ 		if (*c != ' ' && *c != '.')
+ 			return false;
+diff --git a/tests/path/dotgit.c b/tests/path/dotgit.c
+index 30996694512..ceb7330d248 100644
+--- a/tests/path/dotgit.c
++++ b/tests/path/dotgit.c
+@@ -116,4 +116,5 @@ void test_path_dotgit__dotgit_modules_symlink(void)
+ 	cl_assert_equal_b(true, git_path_isvalid(NULL, ".gitmodules", 0, GIT_PATH_REJECT_DOT_GIT_HFS|GIT_PATH_REJECT_DOT_GIT_NTFS));
+ 	cl_assert_equal_b(false, git_path_isvalid(NULL, ".gitmodules", S_IFLNK, GIT_PATH_REJECT_DOT_GIT_HFS));
+ 	cl_assert_equal_b(false, git_path_isvalid(NULL, ".gitmodules", S_IFLNK, GIT_PATH_REJECT_DOT_GIT_NTFS));
++	cl_assert_equal_b(false, git_path_isvalid(NULL, ".gitmodules . .::$DATA", S_IFLNK, GIT_PATH_REJECT_DOT_GIT_NTFS));
+ }

CVE-2020-12279.patch

@@ -0,0 +1,57 @@
+From 64c612cc3e25eff5fb02c59ef5a66ba7a14751e4 Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <johannes.schindelin@gmx.de>
+Date: Wed, 18 Sep 2019 15:25:02 +0200
+Subject: [PATCH] Protect against 8.3 "short name" attacks also on Linux/macOS
+
+The Windows Subsystem for Linux (WSL) is getting increasingly popular,
+in particular because it makes it _so_ easy to run Linux software on
+Windows' files, via the auto-mounted Windows drives (`C:\` is mapped to
+`/mnt/c/`, no need to set that up manually).
+
+Unfortunately, files/directories on the Windows drives can be accessed
+via their _short names_, if that feature is enabled (which it is on the
+`C:` drive by default).
+
+Which means that we have to safeguard even our Linux users against the
+short name attacks.
+
+Further, while the default options of CIFS/SMB-mounts seem to disallow
+accessing files on network shares via their short names on Linux/macOS,
+it _is_ possible to do so with the right options.
+
+So let's just safe-guard against short name attacks _everywhere_.
+
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+---
+ src/checkout.c         | 2 +-
+ tests/checkout/nasty.c | 3 +--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/checkout.c b/src/checkout.c
+index 5cfa7280baa..5b20ede466b 100644
+--- a/src/checkout.c
++++ b/src/checkout.c
+@@ -1271,7 +1271,7 @@ static int checkout_verify_paths(
+ 	int action,
+ 	git_diff_delta *delta)
+ {
+-	unsigned int flags = GIT_PATH_REJECT_WORKDIR_DEFAULTS;
++	unsigned int flags = GIT_PATH_REJECT_WORKDIR_DEFAULTS | GIT_PATH_REJECT_DOT_GIT_NTFS;
+ 
+ 	if (action & CHECKOUT_ACTION__REMOVE) {
+ 		if (!git_path_isvalid(repo, delta->old_file.path, delta->old_file.mode, flags)) {
+diff --git a/tests/checkout/nasty.c b/tests/checkout/nasty.c
+index 3897878cef1..a0ac738a812 100644
+--- a/tests/checkout/nasty.c
++++ b/tests/checkout/nasty.c
+@@ -206,9 +206,8 @@ void test_checkout_nasty__dot_git_dot(void)
+  */
+ void test_checkout_nasty__git_tilde1(void)
+ {
+-#ifdef GIT_WIN32
+ 	test_checkout_fails("refs/heads/git_tilde1", ".git/foobar");
+-#endif
++	test_checkout_fails("refs/heads/git_tilde1", "git~1/foobar");
+ }
+ 
+ /* A tree that contains an entry "git~2", when we have forced the short

libgit2.spec

@@ -1,12 +1,14 @@
 Name:           libgit2
 Version:        0.27.8
-Release:        3
+Release:        4
 Summary:        portable, pure C implementation of the Git core methods
 License:        GPLv2 with exceptions
 URL:            https://libgit2.org
 Source0:        https://github.com/libgit2/libgit2/archive/v%{version}.tar.gz
 
 Patch0001:      0001-tests-don-t-run-buf-oom-on-32-bit-systems.patch
+Patch0002:      CVE-2020-12278.patch
+Patch0003:      CVE-2020-12279.patch
 
 BuildRequires:  gcc cmake >= 2.8.11 ninja-build http-parser-devel libcurl-devel
 BuildRequires:  libssh2-devel openssl-devel python3 zlib-devel
@@ -55,6 +57,9 @@ sed -i '/ADD_TEST(online/s/^/#/' tests/CMakeLists.txt
 %{_includedir}/git2*
 
 %changelog
+* Fri Jul 23 2021 guoxiaoqi<guoxiaoqi2@huawei.com> - 0.27.8-4
+- fix CVE-2020-12278 and CVE-2020-12279
+
 * Thu Jan 16 2020 yangjian<yangjian79@huawei.com> - 0.27.8-3
 - Change the Source to valid address