!39 [sync] PR-34: Fix CVE-2024-24577
From: @openeuler-sync-bot Reviewed-by: @cherry530 Signed-off-by: @cherry530
This commit is contained in:
openeuler-ci-bot
Gitee
commit
d667e4003c
44
CVE-2024-24577.patch
Normal file
44
CVE-2024-24577.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From eb4c1716cd92bf56f2770653a915d5fc01eab8f3 Mon Sep 17 00:00:00 2001
|
||||
From: Edward Thomson <ethomson@edwardthomson.com>
|
||||
Date: Sat, 16 Dec 2023 11:19:07 +0000
|
||||
Subject: [PATCH] index: correct index has_dir_name check
|
||||
|
||||
`has_dir_name` is used to check for directory/file collisions,
|
||||
and attempts to determine whether the index contains a file with
|
||||
a directory name that is a proper subset of the new index entry
|
||||
that we're trying to add.
|
||||
|
||||
To determine directory name, the function would walk the path string
|
||||
backwards to identify a `/`, stopping at the end of the string. However,
|
||||
the function assumed that the strings did not start with a `/`. If the
|
||||
paths contain only a single `/` at the beginning of the string, then the
|
||||
function would continue the loop, erroneously, when they should have
|
||||
stopped at the first character.
|
||||
|
||||
Correct the order of the tests to terminate properly.
|
||||
|
||||
Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
|
||||
---
|
||||
src/index.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/index.c b/src/index.c
|
||||
index d4532c005d0..9306b96dba5 100644
|
||||
--- a/src/index.c
|
||||
+++ b/src/index.c
|
||||
@@ -1148,10 +1148,13 @@ static int has_dir_name(git_index *index,
|
||||
size_t len, pos;
|
||||
|
||||
for (;;) {
|
||||
- if (*--slash == '/')
|
||||
- break;
|
||||
+ slash--;
|
||||
+
|
||||
if (slash <= entry->path)
|
||||
return 0;
|
||||
+
|
||||
+ if (*slash == '/')
|
||||
+ break;
|
||||
}
|
||||
len = slash - name;
|
||||
|
||||
@ -1,11 +1,13 @@
|
||||
Name: libgit2
|
||||
Version: 1.3.2
|
||||
Release: 2
|
||||
Release: 3
|
||||
Summary: portable, pure C implementation of the Git core methods
|
||||
License: GPLv2 with exceptions
|
||||
URL: https://libgit2.org
|
||||
Source0: https://github.com/libgit2/libgit2/archive/v%{version}.tar.gz
|
||||
Patch1: CVE-2023-22742.patch
|
||||
# https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3
|
||||
Patch2: CVE-2024-24577.patch
|
||||
|
||||
BuildRequires: gcc cmake >= 2.8.11 ninja-build http-parser-devel libcurl-devel
|
||||
BuildRequires: libssh2-devel openssl-devel python3 zlib-devel
|
||||
@ -57,6 +59,9 @@ rm -vr deps
|
||||
%{_includedir}/git2*
|
||||
|
||||
%changelog
|
||||
* Wed Feb 07 2024 yaoxin <yao_xin001@hoperun.com> - 1.3.2-3
|
||||
- Fix CVE-2024-24577
|
||||
|
||||
* Thu Dec 14 2023 wangkai <13474090681@163.com> - 1.3.2-2
|
||||
- Fix CVE-2023-22742
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user