packages/libgit2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!39 [sync] PR-34: Fix CVE-2024-24577

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530
This commit is contained in:
openeuler-ci-bot 2024-02-08 06:17:46 +00:00 committed by Gitee
commit d667e4003c
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 50 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
CVE-2024-24577.patch Normal file
View File

@ -0,0 +1,44 @@
From eb4c1716cd92bf56f2770653a915d5fc01eab8f3 Mon Sep 17 00:00:00 2001
From: Edward Thomson <ethomson@edwardthomson.com>
Date: Sat, 16 Dec 2023 11:19:07 +0000
Subject: [PATCH] index: correct index has_dir_name check
`has_dir_name` is used to check for directory/file collisions,
and attempts to determine whether the index contains a file with
a directory name that is a proper subset of the new index entry
that we're trying to add.
To determine directory name, the function would walk the path string
backwards to identify a `/`, stopping at the end of the string. However,
the function assumed that the strings did not start with a `/`. If the
paths contain only a single `/` at the beginning of the string, then the
function would continue the loop, erroneously, when they should have
stopped at the first character.
Correct the order of the tests to terminate properly.
Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
---
src/index.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/index.c b/src/index.c
index d4532c005d0..9306b96dba5 100644
--- a/src/index.c
+++ b/src/index.c
@@ -1148,10 +1148,13 @@ static int has_dir_name(git_index *index,
size_t len, pos;
for (;;) {
- if (*--slash == '/')
- break;
+ slash--;
+
if (slash <= entry->path)
return 0;
+
+ if (*slash == '/')
+ break;
}
len = slash - name;

7
libgit2.spec
View File

@ -1,11 +1,13 @@
Name: libgit2 Name: libgit2
Version: 1.3.2 Version: 1.3.2
Release: 2 Release: 3
Summary: portable, pure C implementation of the Git core methods Summary: portable, pure C implementation of the Git core methods
License: GPLv2 with exceptions License: GPLv2 with exceptions
URL: https://libgit2.org URL: https://libgit2.org
Source0: https://github.com/libgit2/libgit2/archive/v%{version}.tar.gz Source0: https://github.com/libgit2/libgit2/archive/v%{version}.tar.gz
Patch1: CVE-2023-22742.patch Patch1: CVE-2023-22742.patch
# https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3
Patch2: CVE-2024-24577.patch
BuildRequires: gcc cmake >= 2.8.11 ninja-build http-parser-devel libcurl-devel BuildRequires: gcc cmake >= 2.8.11 ninja-build http-parser-devel libcurl-devel
BuildRequires: libssh2-devel openssl-devel python3 zlib-devel BuildRequires: libssh2-devel openssl-devel python3 zlib-devel
@ -57,6 +59,9 @@ rm -vr deps
%{_includedir}/git2* %{_includedir}/git2*
%changelog %changelog
* Wed Feb 07 2024 yaoxin <yao_xin001@hoperun.com> - 1.3.2-3
- Fix CVE-2024-24577
* Thu Dec 14 2023 wangkai <13474090681@163.com> - 1.3.2-2 * Thu Dec 14 2023 wangkai <13474090681@163.com> - 1.3.2-2
- Fix CVE-2023-22742 - Fix CVE-2023-22742