Backport patch for CVE-2016-8568, CVE-2016-8569
Signed-off-by: Igor Gnatenko <i.gnatenko.brain@gmail.com>
This commit is contained in:
parent
42b79661eb
commit
a1fed87ff1
43
0001-commit-always-initialize-commit-message.patch
Normal file
43
0001-commit-always-initialize-commit-message.patch
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
From a719ef5e6d4a1a8ec53469c7914032ed67922772 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Patrick Steinhardt <ps@pks.im>
|
||||||
|
Date: Fri, 7 Oct 2016 09:31:41 +0200
|
||||||
|
Subject: [PATCH] commit: always initialize commit message
|
||||||
|
|
||||||
|
When parsing a commit, we will treat all bytes left after parsing
|
||||||
|
the headers as the commit message. When no bytes are left, we
|
||||||
|
leave the commit's message uninitialized. While uncommon to have
|
||||||
|
a commit without message, this is the right behavior as Git
|
||||||
|
unfortunately allows for empty commit messages.
|
||||||
|
|
||||||
|
Given that this scenario is so uncommon, most programs acting on
|
||||||
|
the commit message will never check if the message is actually
|
||||||
|
set, which may lead to errors. To work around the error and not
|
||||||
|
lay the burden of checking for empty commit messages to the
|
||||||
|
developer, initialize the commit message with an empty string
|
||||||
|
when no commit message is given.
|
||||||
|
---
|
||||||
|
src/commit.c | 7 ++++---
|
||||||
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/commit.c b/src/commit.c
|
||||||
|
index 99a8085..76e6dcb 100644
|
||||||
|
--- a/src/commit.c
|
||||||
|
+++ b/src/commit.c
|
||||||
|
@@ -459,10 +459,11 @@ int git_commit__parse(void *_commit, git_odb_object *odb_obj)
|
||||||
|
buffer = buffer_start + header_len + 1;
|
||||||
|
|
||||||
|
/* extract commit message */
|
||||||
|
- if (buffer <= buffer_end) {
|
||||||
|
+ if (buffer <= buffer_end)
|
||||||
|
commit->raw_message = git__strndup(buffer, buffer_end - buffer);
|
||||||
|
- GITERR_CHECK_ALLOC(commit->raw_message);
|
||||||
|
- }
|
||||||
|
+ else
|
||||||
|
+ commit->raw_message = git__strdup("");
|
||||||
|
+ GITERR_CHECK_ALLOC(commit->raw_message);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.10.1
|
||||||
|
|
12
libgit2.spec
12
libgit2.spec
@ -1,10 +1,15 @@
|
|||||||
Name: libgit2
|
Name: libgit2
|
||||||
Version: 0.24.2
|
Version: 0.24.2
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: C implementation of the Git core methods as a library with a solid API
|
Summary: C implementation of the Git core methods as a library with a solid API
|
||||||
License: GPLv2 with exceptions
|
License: GPLv2 with exceptions
|
||||||
URL: http://libgit2.github.com/
|
URL: http://libgit2.github.com/
|
||||||
Source0: https://github.com/libgit2/libgit2/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
|
Source0: https://github.com/libgit2/libgit2/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1383212
|
||||||
|
# CVE-2016-8568 CVE-2016-8569
|
||||||
|
# https://github.com/libgit2/libgit2/commit/a719ef5e6d4a1a8ec53469c7914032ed67922772
|
||||||
|
Patch0001: 0001-commit-always-initialize-commit-message.patch
|
||||||
|
|
||||||
BuildRequires: cmake
|
BuildRequires: cmake
|
||||||
BuildRequires: http-parser-devel
|
BuildRequires: http-parser-devel
|
||||||
BuildRequires: libcurl-devel
|
BuildRequires: libcurl-devel
|
||||||
@ -29,7 +34,7 @@ This package contains libraries and header files for
|
|||||||
developing applications that use %{name}.
|
developing applications that use %{name}.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup
|
%autosetup -p1
|
||||||
|
|
||||||
# Remove VCS files from examples
|
# Remove VCS files from examples
|
||||||
find examples -name ".gitignore" -delete -print
|
find examples -name ".gitignore" -delete -print
|
||||||
@ -76,6 +81,9 @@ popd
|
|||||||
%{_includedir}/git2/
|
%{_includedir}/git2/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Oct 10 2016 Igor Gnatenko <i.gnatenko.brain@gmail.com> - 0.24.2-2
|
||||||
|
- Backport patch for CVE-2016-8568, CVE-2016-8569
|
||||||
|
|
||||||
* Tue Oct 04 2016 Igor Gnatenko <i.gnatenko.brain@gmail.com> - 0.24.2-1
|
* Tue Oct 04 2016 Igor Gnatenko <i.gnatenko.brain@gmail.com> - 0.24.2-1
|
||||||
- Update to 0.24.2 (RHBZ #1381398)
|
- Update to 0.24.2 (RHBZ #1381398)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user