Merge branch 'master' into f24

2016-10-10 10:27:22 +02:00 · 2016-10-10 10:27:22 +02:00 · abba166258
commit abba166258
parent d24306669e a1fed87ff1
2 changed files with 53 additions and 2 deletions
--- a/0001-commit-always-initialize-commit-message.patch
+++ b/0001-commit-always-initialize-commit-message.patch
@ -0,0 +1,43 @@
+From a719ef5e6d4a1a8ec53469c7914032ed67922772 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Fri, 7 Oct 2016 09:31:41 +0200
+Subject: [PATCH] commit: always initialize commit message
+
+When parsing a commit, we will treat all bytes left after parsing
+the headers as the commit message. When no bytes are left, we
+leave the commit's message uninitialized. While uncommon to have
+a commit without message, this is the right behavior as Git
+unfortunately allows for empty commit messages.
+
+Given that this scenario is so uncommon, most programs acting on
+the commit message will never check if the message is actually
+set, which may lead to errors. To work around the error and not
+lay the burden of checking for empty commit messages to the
+developer, initialize the commit message with an empty string
+when no commit message is given.
+---
+ src/commit.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/commit.c b/src/commit.c
+index 99a8085..76e6dcb 100644
+--- a/src/commit.c
+++ b/src/commit.c
+@@ -459,10 +459,11 @@ int git_commit__parse(void *_commit, git_odb_object *odb_obj)
+ 	buffer = buffer_start + header_len + 1;
+ 
+ 	/* extract commit message */
+-	if (buffer <= buffer_end) {
+	if (buffer <= buffer_end)
+ 		commit->raw_message = git__strndup(buffer, buffer_end - buffer);
+-		GITERR_CHECK_ALLOC(commit->raw_message);
+-	}
+	else
+		commit->raw_message = git__strdup("");
+	GITERR_CHECK_ALLOC(commit->raw_message);
+ 
+ 	return 0;
+ 
+-- 
+2.10.1
+
--- a/libgit2.spec
+++ b/libgit2.spec
@ -1,10 +1,15 @@
 Name:           libgit2
 Version:        0.24.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        C implementation of the Git core methods as a library with a solid API
 License:        GPLv2 with exceptions
 URL:            http://libgit2.github.com/
 Source0:        https://github.com/libgit2/libgit2/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# https://bugzilla.redhat.com/show_bug.cgi?id=1383212
+# CVE-2016-8568 CVE-2016-8569
+# https://github.com/libgit2/libgit2/commit/a719ef5e6d4a1a8ec53469c7914032ed67922772
+Patch0001:      0001-commit-always-initialize-commit-message.patch
+
 BuildRequires:  cmake
 BuildRequires:  http-parser-devel
 BuildRequires:  libcurl-devel
@ -29,7 +34,7 @@ This package contains libraries and header files for
 developing applications that use %{name}.

 %prep
-%autosetup
+%autosetup -p1

 # Remove VCS files from examples
 find examples -name ".gitignore" -delete -print
@ -76,6 +81,9 @@ popd
 %{_includedir}/git2/

 %changelog
+* Mon Oct 10 2016 Igor Gnatenko <i.gnatenko.brain@gmail.com> - 0.24.2-2
+- Backport patch for CVE-2016-8568, CVE-2016-8569
+
 * Tue Oct 04 2016 Igor Gnatenko <i.gnatenko.brain@gmail.com> - 0.24.2-1
 - Update to 0.24.2 (RHBZ #1381398)