!39 [sync] PR-34: Fix CVE-2024-24577

From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530

0001-tests-don-t-run-buf-oom-on-32-bit-systems.patch

@@ -1,59 +0,0 @@
-From 415a8ae9c9b6ac18f0524b6af8e58408b426457d Mon Sep 17 00:00:00 2001
-From: Edward Thomson <ethomson@edwardthomson.com>
-Date: Thu, 13 Sep 2018 13:27:07 +0100
-Subject: [PATCH] tests: don't run buf::oom on 32-bit systems
-
-On a 32-bit Linux systems, the value large enough to make malloc
-guarantee a failure is also large enough that valgrind considers it
-"fishy".  Skip this test on those systems entirely.
----
- tests/buf/oom.c | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/tests/buf/oom.c b/tests/buf/oom.c
-index 2741a8ddf2..ec3bad9979 100644
---- a/tests/buf/oom.c
-+++ b/tests/buf/oom.c
-@@ -11,12 +11,8 @@
-  */
- #if defined(GIT_ARCH_64) && defined(__linux__)
- # define TOOBIG 0x0fffffffffffffff
--#elif defined(__linux__)
--# define TOOBIG 0x0fffffff
- #elif defined(GIT_ARCH_64)
- # define TOOBIG 0xffffffffffffff00
--#else
--# define TOOBIG 0xffffff00
- #endif
- 
- /**
-@@ -25,13 +21,18 @@
-  * will fail.  And because the git_buf_grow() wrapper always
-  * sets mark_oom, the code in git_buf_try_grow() will free
-  * the internal buffer and set it to git_buf__oom.
-- * 
-+ *
-  * We initialized the internal buffer to (the static variable)
-  * git_buf__initbuf.  The purpose of this test is to make sure
-  * that we don't try to free the static buffer.
-+ *
-+ * Skip this test entirely on 32-bit platforms; a buffer large enough
-+ * to guarantee malloc failures is so large that valgrind considers
-+ * it likely to be an error.
-  */
- void test_buf_oom__grow(void)
- {
-+#ifdef GIT_ARCH_64
- 	git_buf buf = GIT_BUF_INIT;
- 
- 	git_buf_clear(&buf);
-@@ -40,6 +41,9 @@ void test_buf_oom__grow(void)
- 	cl_assert(git_buf_oom(&buf));
- 
- 	git_buf_free(&buf);
-+#else
-+    cl_skip();
-+#endif
- }
- 
- void test_buf_oom__grow_by(void)

CVE-2023-22742.patch

@@ -0,0 +1,514 @@
+From: =?UTF-8?q?Carlos=20Mart=C3=ADn=20Nieto?= <carlosmn@github.com>
+Date: Tue, 1 Nov 2022 12:54:29 +0100
+Subject: [PATCH] Fix CVE-2023-22742
+Upstream(1.4.x): https://github.com/libgit2/libgit2/pull/6449
+Origin: https://build.opensuse.org/package/show/SUSE:SLE-15-SP4:Update/libgit2.28263
+
+---
+ src/transports/ssh.c | 417 ++++++++++++++++++++++++++++++++++---------
+ 1 files changed, 329 insertions(+), 88 deletions(-)
+
+diff --git a/ci/test.sh b/ci/test.sh
+index 2aed691..743dbdf 100755
+--- a/ci/test.sh
++++ b/ci/test.sh
+@@ -143,6 +143,11 @@ if [ -z "$SKIP_SSH_TESTS" ]; then
+ 		echo "[localhost]:2222 $algorithm $key" >>"${HOME}/.ssh/known_hosts"
+ 	done <"${SSHD_DIR}/id_rsa.pub"
+ 
++	# Append the github.com keys for the tests that don't override checks.
++	# We ask for ssh-rsa to test that the selection based off of known_hosts
++	# is working.
++	ssh-keyscan -t ssh-rsa github.com >>"${HOME}/.ssh/known_hosts"
++
+ 	# Get the fingerprint for localhost and remove the colons so we can
+ 	# parse it as a hex number. Older versions have a different output
+ 	# format.
+diff --git a/src/transports/ssh.c b/src/transports/ssh.c
+index 1b00be7..86cfcc9 100644
+--- a/src/transports/ssh.c
++++ b/src/transports/ssh.c
+@@ -475,15 +475,118 @@ static int request_creds(git_credential **out, ssh_subtransport *t, const char *
+ 	return 0;
+ }
+ 
++#define KNOWN_HOSTS_FILE ".ssh/known_hosts"
++
++/*
++ * Load the known_hosts file.
++ *
++ * Returns success but leaves the output NULL if we couldn't find the file.
++ */
++static int load_known_hosts(LIBSSH2_KNOWNHOSTS **hosts, LIBSSH2_SESSION *session)
++{
++	char *path = NULL;
++	const char *home;
++	LIBSSH2_KNOWNHOSTS *known_hosts = NULL;
++	int error;
++
++	GIT_ASSERT_ARG(hosts);
++
++	home = getenv ("HOME");
++	if (!home)
++		return -1;
++	path = (char *) malloc (strlen (home) + strlen (KNOWN_HOSTS_FILE) + 2);
++	sprintf (path, "%s/%s", home, KNOWN_HOSTS_FILE);
++
++	if ((known_hosts = libssh2_knownhost_init(session)) == NULL) {
++		ssh_error(session, "error initializing known hosts");
++		error = -1;
++		goto out;
++	}
++
++	/*
++	 * Try to read the file and consider not finding it as not trusting the
++	 * host rather than an error.
++	 */
++	error = libssh2_knownhost_readfile(known_hosts, path, LIBSSH2_KNOWNHOST_FILE_OPENSSH);
++	if (error == LIBSSH2_ERROR_FILE)
++		error = 0;
++	if (error < 0)
++		ssh_error(session, "error reading known_hosts");
++
++out:
++	*hosts = known_hosts;
++	free (path);
++
++	return error;
++}
++
++static const char *hostkey_type_to_string(int type)
++{
++	switch (type) {
++	case LIBSSH2_KNOWNHOST_KEY_SSHRSA:
++		return "ssh-rsa";
++	case LIBSSH2_KNOWNHOST_KEY_SSHDSS:
++		return "ssh-dss";
++#ifdef LIBSSH2_KNOWNHOST_KEY_ECDSA_256
++	case LIBSSH2_KNOWNHOST_KEY_ECDSA_256:
++		return "ecdsa-sha2-nistp256";
++	case LIBSSH2_KNOWNHOST_KEY_ECDSA_384:
++		return "ecdsa-sha2-nistp384";
++	case LIBSSH2_KNOWNHOST_KEY_ECDSA_521:
++		return "ecdsa-sha2-nistp521";
++#endif
++#ifdef LIBSSH2_KNOWNHOST_KEY_ED25519
++	case LIBSSH2_KNOWNHOST_KEY_ED25519:
++		return "ssh-ed25519";
++#endif
++	}
++
++	return NULL;
++}
++
++/*
++ * We figure out what kind of key we want to ask the remote for by trying to
++ * look it up with a nonsense key and using that mismatch to figure out what key
++ * we do have stored for the host.
++ *
++ * Returns the string to pass to libssh2_session_method_pref or NULL if we were
++ * unable to find anything or an error happened.
++ */
++static const char *find_hostkey_preference(LIBSSH2_KNOWNHOSTS *known_hosts, const char *hostname, int port)
++{
++	struct libssh2_knownhost *host = NULL;
++	/* Specify no key type so we don't filter on that */
++	int type = LIBSSH2_KNOWNHOST_TYPE_PLAIN | LIBSSH2_KNOWNHOST_KEYENC_RAW;
++	const char key = '\0';
++	int error;
++
++	/*
++	 * In case of mismatch, we can find the type of key from known_hosts in
++	 * the returned host's information as it means that an entry was found
++	 * but our nonsense key obviously didn't match.
++	 */
++	error = libssh2_knownhost_checkp(known_hosts, hostname, port, &key, 1, type, &host);
++	if (error == LIBSSH2_KNOWNHOST_CHECK_MISMATCH)
++		return hostkey_type_to_string(host->typemask & LIBSSH2_KNOWNHOST_KEY_MASK);
++
++	return NULL;
++}
++
+ static int _git_ssh_session_create(
+ 	LIBSSH2_SESSION **session,
++	LIBSSH2_KNOWNHOSTS **hosts,
++	const char *hostname,
++	int port,
+ 	git_stream *io)
+ {
+ 	int rc = 0;
+ 	LIBSSH2_SESSION *s;
++	LIBSSH2_KNOWNHOSTS *known_hosts;
+ 	git_socket_stream *socket = GIT_CONTAINER_OF(io, git_socket_stream, parent);
++	const char *keytype = NULL;
+ 
+ 	GIT_ASSERT_ARG(session);
++	GIT_ASSERT_ARG(hosts);
+ 
+ 	s = libssh2_session_init();
+ 	if (!s) {
+@@ -491,21 +594,228 @@ static int _git_ssh_session_create(
+ 		return -1;
+ 	}
+ 
++	if ((rc = load_known_hosts(&known_hosts, s)) < 0) {
++		ssh_error(s, "error loading known_hosts");
++		libssh2_session_free(s);
++		return -1;
++	}
++
++	if ((keytype = find_hostkey_preference(known_hosts, hostname, port)) != NULL) {
++		do {
++			rc = libssh2_session_method_pref(s, LIBSSH2_METHOD_HOSTKEY, keytype);
++		} while (LIBSSH2_ERROR_EAGAIN == rc || LIBSSH2_ERROR_TIMEOUT == rc);
++		if (rc != LIBSSH2_ERROR_NONE) {
++			ssh_error(s, "failed to set hostkey preference");
++			goto on_error;
++		}
++	}
++
++
+ 	do {
+ 		rc = libssh2_session_handshake(s, socket->s);
+ 	} while (LIBSSH2_ERROR_EAGAIN == rc || LIBSSH2_ERROR_TIMEOUT == rc);
+ 
+ 	if (rc != LIBSSH2_ERROR_NONE) {
+ 		ssh_error(s, "failed to start SSH session");
+-		libssh2_session_free(s);
+-		return -1;
++		goto on_error;
+ 	}
+ 
+ 	libssh2_session_set_blocking(s, 1);
+ 
+ 	*session = s;
++	*hosts = known_hosts;
+ 
+ 	return 0;
++
++on_error:
++	libssh2_knownhost_free(known_hosts);
++	libssh2_session_free(s);
++	return -1;
++}
++
++
++/*
++ * Returns the typemask argument to pass to libssh2_knownhost_check{,p} based on
++ * the type of key that libssh2_session_hostkey returns.
++ */
++static int fingerprint_type_mask(int keytype)
++{
++	int mask = LIBSSH2_KNOWNHOST_TYPE_PLAIN | LIBSSH2_KNOWNHOST_KEYENC_RAW;
++	return mask;
++
++	switch (keytype) {
++	case LIBSSH2_HOSTKEY_TYPE_RSA:
++		mask |= LIBSSH2_KNOWNHOST_KEY_SSHRSA;
++		break;
++	case LIBSSH2_HOSTKEY_TYPE_DSS:
++		mask |= LIBSSH2_KNOWNHOST_KEY_SSHDSS;
++		break;
++#ifdef LIBSSH2_HOSTKEY_TYPE_ECDSA_256
++	case LIBSSH2_HOSTKEY_TYPE_ECDSA_256:
++		mask |= LIBSSH2_KNOWNHOST_KEY_ECDSA_256;
++		break;
++	case LIBSSH2_HOSTKEY_TYPE_ECDSA_384:
++		mask |= LIBSSH2_KNOWNHOST_KEY_ECDSA_384;
++		break;
++	case LIBSSH2_HOSTKEY_TYPE_ECDSA_521:
++		mask |= LIBSSH2_KNOWNHOST_KEY_ECDSA_521;
++		break;
++#endif
++#ifdef LIBSSH2_HOSTKEY_TYPE_ED25519
++	case LIBSSH2_HOSTKEY_TYPE_ED25519:
++		mask |= LIBSSH2_KNOWNHOST_KEY_ED25519;
++		break;
++#endif
++	}
++
++	return mask;
++}
++
++/*
++ * Check the host against the user's known_hosts file.
++ *
++ * Returns 1/0 for valid/''not-valid or <0 for an error
++ */
++static int check_against_known_hosts(
++	LIBSSH2_SESSION *session,
++	LIBSSH2_KNOWNHOSTS *known_hosts,
++	const char *hostname,
++	int port,
++	const char *key,
++	size_t key_len,
++	int key_type)
++{
++	int check, typemask, ret = 0;
++	struct libssh2_knownhost *host = NULL;
++
++	if (known_hosts == NULL)
++		return 0;
++ 
++	typemask = fingerprint_type_mask(key_type);
++	check = libssh2_knownhost_checkp(known_hosts, hostname, port, key, key_len, typemask, &host);
++	if (check == LIBSSH2_KNOWNHOST_CHECK_FAILURE) {
++		ssh_error(session, "error checking for known host");
++		return -1;
++	}
++
++	ret = check == LIBSSH2_KNOWNHOST_CHECK_MATCH ? 1 : 0;
++
++out:
++	libssh2_knownhost_free(known_hosts);
++
++	return ret;
++}
++
++/*
++ * Perform the check for the session's certificate against known hosts if
++ * possible and then ask the user if they have a callback.
++ *
++ * Returns 1/0 for valid/not-valid or <0 for an error
++ */
++static int check_certificate(
++	LIBSSH2_SESSION *session,
++	LIBSSH2_KNOWNHOSTS *known_hosts,
++	git_transport_certificate_check_cb check_cb,
++	void *check_cb_payload,
++	const char *host,
++	int port)
++{
++	git_cert_hostkey cert = {{ 0 }};
++	const char *key;
++	size_t cert_len;
++	int cert_type, cert_valid = 0, error = 0;
++
++	if ((key = libssh2_session_hostkey(session, &cert_len, &cert_type)) == NULL) {
++		ssh_error(session, "failed to retrieve hostkey");
++		return -1;
++	}
++
++	if ((cert_valid = check_against_known_hosts(session, known_hosts, host, port, key, cert_len, cert_type)) < 0)
++		return -1;
++
++	cert.parent.cert_type = GIT_CERT_HOSTKEY_LIBSSH2;
++	if (key != NULL) {
++		cert.type |= GIT_CERT_SSH_RAW;
++		cert.hostkey = key;
++		cert.hostkey_len = cert_len;
++		switch (cert_type) {
++		case LIBSSH2_HOSTKEY_TYPE_RSA:
++			cert.raw_type = GIT_CERT_SSH_RAW_TYPE_RSA;
++			break;
++		case LIBSSH2_HOSTKEY_TYPE_DSS:
++			cert.raw_type = GIT_CERT_SSH_RAW_TYPE_DSS;
++			break;
++
++#ifdef LIBSSH2_HOSTKEY_TYPE_ECDSA_256
++		case LIBSSH2_HOSTKEY_TYPE_ECDSA_256:
++			cert.raw_type = GIT_CERT_SSH_RAW_TYPE_KEY_ECDSA_256;
++			break;
++		case LIBSSH2_HOSTKEY_TYPE_ECDSA_384:
++			cert.raw_type = GIT_CERT_SSH_RAW_TYPE_KEY_ECDSA_384;
++			break;
++		case LIBSSH2_KNOWNHOST_KEY_ECDSA_521:
++			cert.raw_type = GIT_CERT_SSH_RAW_TYPE_KEY_ECDSA_521;
++			break;
++#endif
++
++#ifdef LIBSSH2_HOSTKEY_TYPE_ED25519
++		case LIBSSH2_HOSTKEY_TYPE_ED25519:
++			cert.raw_type = GIT_CERT_SSH_RAW_TYPE_KEY_ED25519;
++			break;
++#endif
++		default:
++			cert.raw_type = GIT_CERT_SSH_RAW_TYPE_UNKNOWN;
++		}
++	}
++
++#ifdef LIBSSH2_HOSTKEY_HASH_SHA256
++	key = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA256);
++	if (key != NULL) {
++		cert.type |= GIT_CERT_SSH_SHA256;
++		memcpy(&cert.hash_sha256, key, 32);
++	}
++#endif
++
++	key = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1);
++	if (key != NULL) {
++		cert.type |= GIT_CERT_SSH_SHA1;
++		memcpy(&cert.hash_sha1, key, 20);
++	}
++
++	key = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_MD5);
++	if (key != NULL) {
++		cert.type |= GIT_CERT_SSH_MD5;
++		memcpy(&cert.hash_md5, key, 16);
++	}
++
++	if (cert.type == 0) {
++		git_error_set(GIT_ERROR_SSH, "unable to get the host key");
++		return -1;
++	}
++
++	git_error_clear();
++	error = 0;
++	if (!cert_valid) {
++		git_error_set(GIT_ERROR_SSH, "invalid or unknown remote ssh hostkey");
++		error = GIT_ECERTIFICATE;
++	}
++
++	if (check_cb != NULL) {
++		git_cert_hostkey *cert_ptr = &cert;
++		git_error_state previous_error = {0};
++
++		git_error_state_capture(&previous_error, error);
++		error = check_cb((git_cert *) cert_ptr, cert_valid, host, check_cb_payload);
++		if (error == GIT_PASSTHROUGH) {
++			error = git_error_state_restore(&previous_error);
++		} else if (error < 0 && !git_error_last()) {
++			git_error_set(GIT_ERROR_NET, "user canceled hostkey check");
++		}
++
++		git_error_state_free(&previous_error);
++	}
++
++	return error;
+ }
+ 
+ #define SSH_DEFAULT_PORT "22"
+@@ -517,12 +827,13 @@ static int _git_ssh_setup_conn(
+ 	git_smart_subtransport_stream **stream)
+ {
+ 	git_net_url urldata = GIT_NET_URL_INIT;
+-	int auth_methods, error = 0;
++	int auth_methods, error = 0, port;
+ 	size_t i;
+ 	ssh_stream *s;
+ 	git_credential *cred = NULL;
+ 	LIBSSH2_SESSION *session=NULL;
+ 	LIBSSH2_CHANNEL *channel=NULL;
++	LIBSSH2_KNOWNHOSTS *known_hosts = NULL;
+ 
+ 	t->current_stream = NULL;
+ 
+@@ -557,93 +868,21 @@ post_extract:
+ 	    (error = git_stream_connect(s->io)) < 0)
+ 		goto done;
+ 
+-	if ((error = _git_ssh_session_create(&session, s->io)) < 0)
+-		goto done;
+-
+-	if (t->owner->certificate_check_cb != NULL) {
+-		git_cert_hostkey cert = {{ 0 }}, *cert_ptr;
+-		const char *key;
+-		size_t cert_len;
+-		int cert_type;
+-
+-		cert.parent.cert_type = GIT_CERT_HOSTKEY_LIBSSH2;
+-
+-		key = libssh2_session_hostkey(session, &cert_len, &cert_type);
+-		if (key != NULL) {
+-			cert.type |= GIT_CERT_SSH_RAW;
+-			cert.hostkey = key;
+-			cert.hostkey_len = cert_len;
+-			switch (cert_type) {
+-				case LIBSSH2_HOSTKEY_TYPE_RSA:
+-					cert.raw_type = GIT_CERT_SSH_RAW_TYPE_RSA;
+-					break;
+-				case LIBSSH2_HOSTKEY_TYPE_DSS:
+-					cert.raw_type = GIT_CERT_SSH_RAW_TYPE_DSS;
+-					break;
+-					
+-#ifdef LIBSSH2_HOSTKEY_TYPE_ECDSA_256
+-				case LIBSSH2_HOSTKEY_TYPE_ECDSA_256:
+-					cert.raw_type = GIT_CERT_SSH_RAW_TYPE_KEY_ECDSA_256;
+-					break;
+-				case LIBSSH2_HOSTKEY_TYPE_ECDSA_384:
+-					cert.raw_type = GIT_CERT_SSH_RAW_TYPE_KEY_ECDSA_384;
+-					break;
+-				case LIBSSH2_KNOWNHOST_KEY_ECDSA_521:
+-					cert.raw_type = GIT_CERT_SSH_RAW_TYPE_KEY_ECDSA_521;
+-					break;
+-#endif
+-					
+-#ifdef LIBSSH2_HOSTKEY_TYPE_ED25519
+-				case LIBSSH2_HOSTKEY_TYPE_ED25519:
+-					cert.raw_type = GIT_CERT_SSH_RAW_TYPE_KEY_ED25519;
+-					break;
+-#endif
+-				default:
+-					cert.raw_type = GIT_CERT_SSH_RAW_TYPE_UNKNOWN;
+-			}
+-		}
+-
+-#ifdef LIBSSH2_HOSTKEY_HASH_SHA256
+-		key = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA256);
+-		if (key != NULL) {
+-			cert.type |= GIT_CERT_SSH_SHA256;
+-			memcpy(&cert.hash_sha256, key, 32);
+-		}
+-#endif
+-
+-		key = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1);
+-		if (key != NULL) {
+-			cert.type |= GIT_CERT_SSH_SHA1;
+-			memcpy(&cert.hash_sha1, key, 20);
+-		}
+-
+-		key = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_MD5);
+-		if (key != NULL) {
+-			cert.type |= GIT_CERT_SSH_MD5;
+-			memcpy(&cert.hash_md5, key, 16);
+-		}
+-
+-		if (cert.type == 0) {
+-			git_error_set(GIT_ERROR_SSH, "unable to get the host key");
+-			error = -1;
+-			goto done;
+-		}
+-
+-		/* We don't currently trust any hostkeys */
+-		git_error_clear();
+-
+-		cert_ptr = &cert;
+-
+-		error = t->owner->certificate_check_cb((git_cert *) cert_ptr, 0, urldata.host, t->owner->message_cb_payload);
+-
+-		if (error < 0 && error != GIT_PASSTHROUGH) {
+-			if (!git_error_last())
+-				git_error_set(GIT_ERROR_NET, "user cancelled hostkey check");
++	/*
++	 * Try to parse the port as a number, if we can't then fall back to
++	 * default. It would be nice if we could get the port that was resolved
++	 * as part of the stream connection, but that's not something that's
++	 * exposed.
++	 */
++	if (git__strntol32(&port, urldata.port, strlen(urldata.port), NULL, 10) < 0)
++		port = -1;
+ 
+-			goto done;
+-		}
+-	}
++	if ((error = _git_ssh_session_create(&session, &known_hosts, urldata.host, port, s->io)) < 0)
++		goto done;
+ 
++	if ((error = check_certificate(session, known_hosts, t->owner->certificate_check_cb, t->owner->message_cb_payload, urldata.host, urldata.port)) < 0)
++		goto done;
++ 
+ 	/* we need the username to ask for auth methods */
+ 	if (!urldata.username) {
+ 		if ((error = request_creds(&cred, t, NULL, GIT_CREDENTIAL_USERNAME)) < 0)
+@@ -714,6 +953,8 @@ done:
+ 	if (error < 0) {
+ 		ssh_stream_free(*stream);
+ 
++		if (known_hosts)
++			libssh2_knownhost_free(known_hosts);
+ 		if (session)
+ 			libssh2_session_free(session);
+ 	}
+-- 
+2.33.0
+

CVE-2024-24577.patch

@@ -0,0 +1,44 @@
+From eb4c1716cd92bf56f2770653a915d5fc01eab8f3 Mon Sep 17 00:00:00 2001
+From: Edward Thomson <ethomson@edwardthomson.com>
+Date: Sat, 16 Dec 2023 11:19:07 +0000
+Subject: [PATCH] index: correct index has_dir_name check
+
+`has_dir_name` is used to check for directory/file collisions,
+and attempts to determine whether the index contains a file with
+a directory name that is a proper subset of the new index entry
+that we're trying to add.
+
+To determine directory name, the function would walk the path string
+backwards to identify a `/`, stopping at the end of the string. However,
+the function assumed that the strings did not start with a `/`. If the
+paths contain only a single `/` at the beginning of the string, then the
+function would continue the loop, erroneously, when they should have
+stopped at the first character.
+
+Correct the order of the tests to terminate properly.
+
+Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
+---
+ src/index.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/index.c b/src/index.c
+index d4532c005d0..9306b96dba5 100644
+--- a/src/index.c
++++ b/src/index.c
+@@ -1148,10 +1148,13 @@ static int has_dir_name(git_index *index,
+ 		size_t len, pos;
+ 
+ 		for (;;) {
+-			if (*--slash == '/')
+-				break;
++			slash--;
++
+ 			if (slash <= entry->path)
+ 				return 0;
++
++			if (*slash == '/')
++				break;
+ 		}
+ 		len = slash - name;
+ 

libgit2.spec

@@ -1,15 +1,17 @@
 Name:           libgit2
-Version:        0.27.8
+Version:        1.3.2
 Release:        3
 Summary:        portable, pure C implementation of the Git core methods
 License:        GPLv2 with exceptions
 URL:            https://libgit2.org
 Source0:        https://github.com/libgit2/libgit2/archive/v%{version}.tar.gz
-
-Patch0001:      0001-tests-don-t-run-buf-oom-on-32-bit-systems.patch
+Patch1:         CVE-2023-22742.patch
+# https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3
+Patch2:         CVE-2024-24577.patch
 
 BuildRequires:  gcc cmake >= 2.8.11 ninja-build http-parser-devel libcurl-devel
 BuildRequires:  libssh2-devel openssl-devel python3 zlib-devel
+BuildRequires:  pcre2-devel
 Provides:       bundled(libxdiff)
 
 %description
@@ -26,12 +28,14 @@ This package contains libraries and headers for developing applications that use
 
 %prep
 %autosetup -n %{name}-%{version} -p1
-rm -rfv examples/network/.gitignore deps
-sed -i '/ADD_TEST(online/s/^/#/' tests/CMakeLists.txt
+find examples -name ".gitignore" -delete -print
+sed -i '/-sonline/s/^/#/' tests/CMakeLists.txt
+rm -vr deps
 
 %build
 %cmake . -B%{_target_platform} -GNinja -DCMAKE_BUILD_TYPE=RelWithDebInfo \
-  -DSHA1_BACKEND=OpenSSL -DUSE_HTTPS=OpenSSL %{nil}
+  -DREGEX_BACKEND=pcre2 -DUSE_SHA1=HTTPS -DUSE_HTTP_PARSER=system \
+  -DUSE_NTLMCLIENT=OFF -DUSE_HTTPS=OpenSSL %{nil}
 %ninja_build -C %{_target_platform}
 
 %install
@@ -55,6 +59,21 @@ sed -i '/ADD_TEST(online/s/^/#/' tests/CMakeLists.txt
 %{_includedir}/git2*
 
 %changelog
+* Wed Feb 07 2024 yaoxin <yao_xin001@hoperun.com> - 1.3.2-3
+- Fix CVE-2024-24577
+
+* Thu Dec 14 2023 wangkai <13474090681@163.com> - 1.3.2-2
+- Fix CVE-2023-22742
+
+* Mon Jul 25 2022 xu_ping <xuping33@h-partners.com> - 1.3.2-1
+- Upgrade 1.3.2
+
+* Fri May 13 2022 liyanan <liyanan32@h-partners.com> - 0.27.8-5
+- Remove error-prone, redundant test
+
+* Fri Jul 23 2021 guoxiaoqi<guoxiaoqi2@huawei.com> - 0.27.8-4
+- fix CVE-2020-12278 and CVE-2020-12279
+
 * Thu Jan 16 2020 yangjian<yangjian79@huawei.com> - 0.27.8-3
 - Change the Source to valid address