Compare commits

5 Commits
rawhide ... f23

Author SHA1 Message Date
Igor Gnatenko
0d1a8e0b8e Backport patch for CVE-2016-8568, CVE-2016-8569
Signed-off-by: Igor Gnatenko <i.gnatenko.brain@gmail.com>
2016-10-10 10:28:35 +02:00
Igor Gnatenko
db69fd88dd Merge branch 'master' into f23 2015-11-22 12:40:21 +01:00
Kalev Lember
b22ddb0e02 Merge branch 'master' into f23 2015-10-31 20:17:26 +01:00
Veeti Paananen
27d8494434 Merge branch 'master' into f23 2015-09-02 17:17:16 +03:00
Zbigniew Jędrzejewski-Szmek
3de35f305e Bump version to allow rebuild 2015-08-04 09:12:59 -04:00
2 changed files with 56 additions and 2 deletions

@ -0,0 +1,43 @@
From a719ef5e6d4a1a8ec53469c7914032ed67922772 Mon Sep 17 00:00:00 2001
From: Patrick Steinhardt <ps@pks.im>
Date: Fri, 7 Oct 2016 09:31:41 +0200
Subject: [PATCH] commit: always initialize commit message
When parsing a commit, we will treat all bytes left after parsing
the headers as the commit message. When no bytes are left, we
leave the commit's message uninitialized. While uncommon to have
a commit without message, this is the right behavior as Git
unfortunately allows for empty commit messages.
Given that this scenario is so uncommon, most programs acting on
the commit message will never check if the message is actually
set, which may lead to errors. To work around the error and not
lay the burden of checking for empty commit messages to the
developer, initialize the commit message with an empty string
when no commit message is given.
---
src/commit.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/commit.c b/src/commit.c
index 99a8085..76e6dcb 100644
--- a/src/commit.c
+++ b/src/commit.c
@@ -459,10 +459,11 @@ int git_commit__parse(void *_commit, git_odb_object *odb_obj)
buffer = buffer_start + header_len + 1;
/* extract commit message */
- if (buffer <= buffer_end) {
+ if (buffer <= buffer_end)
commit->raw_message = git__strndup(buffer, buffer_end - buffer);
- GITERR_CHECK_ALLOC(commit->raw_message);
- }
+ else
+ commit->raw_message = git__strdup("");
+ GITERR_CHECK_ALLOC(commit->raw_message);
return 0;
--
2.10.1
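Review bot: no test accompanies the change to the "extract commit message" branch of git_commit__parse; the diffstat shows src/commit.c as the only file touched. Add a parse test for a commit object that has nothing after its headers and assert that the message comes back as an empty string rather than NULL, so the else branch and the GITERR_CHECK_ALLOC that now covers both branches stay exercised. The commit message would also read more clearly if "this is the right behavior" were reworded, since the next paragraph describes the uninitialized message as the source of errors.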

@ -1,10 +1,15 @@
Name: libgit2 Name: libgit2
Version: 0.23.4 Version: 0.23.4
Release: 1%{?dist} Release: 2%{?dist}
Summary: C implementation of the Git core methods as a library with a solid API Summary: C implementation of the Git core methods as a library with a solid API
License: GPLv2 with exceptions License: GPLv2 with exceptions
URL: http://libgit2.github.com/ URL: http://libgit2.github.com/
Source0: https://github.com/libgit2/libgit2/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source0: https://github.com/libgit2/libgit2/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
# https://bugzilla.redhat.com/show_bug.cgi?id=1383212
# CVE-2016-8568 CVE-2016-8569
# https://github.com/libgit2/libgit2/commit/a719ef5e6d4a1a8ec53469c7914032ed67922772
Patch0001: 0001-commit-always-initialize-commit-message.patch
BuildRequires: cmake BuildRequires: cmake
BuildRequires: http-parser-devel BuildRequires: http-parser-devel
BuildRequires: libcurl-devel BuildRequires: libcurl-devel
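Review bot: the comment above Patch0001 names two CVE ids, but the single patch it adds only changes the commit-message branch of git_commit__parse in src/commit.c. Confirm that this one upstream commit resolves both CVE-2016-8568 and CVE-2016-8569. If the second id is fixed by a different upstream commit, add it as a further PatchNNNN line with its own reference; otherwise state in the comment that one commit covers both, so a later audit does not look for a missing patch.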
@ -29,7 +34,7 @@ This package contains libraries and header files for
developing applications that use %{name}. developing applications that use %{name}.
%prep %prep
%autosetup %autosetup -p1
# Remove VCS files from examples # Remove VCS files from examples
find examples -name ".gitignore" -delete -print find examples -name ".gitignore" -delete -print
@ -69,6 +74,9 @@ ctest -V
%{_includedir}/git2/ %{_includedir}/git2/
%changelog %changelog
* Mon Oct 10 2016 Igor Gnatenko <i.gnatenko.brain@gmail.com> - 0.23.4-2
- Backport patch for CVE-2016-8568, CVE-2016-8569
* Sun Nov 22 2015 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.23.4-1 * Sun Nov 22 2015 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.23.4-1
- Update to 0.23.4 (RHBZ #1281633) - Update to 0.23.4 (RHBZ #1281633)
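Review bot: the new 0.23.4-2 changelog entry lists the CVE ids but not the tracking bug, while the entry below it uses the "(RHBZ #1281633)" form. Append "(RHBZ #1383212)", the bug cited next to Patch0001, so the changelog links the security fix to its tracker in the same style as the other entries.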
@ -82,6 +90,9 @@ ctest -V
- Update to 0.23.1 - Update to 0.23.1
- Add curl support - Add curl support
* Tue Aug 04 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.23.0-1.1
- Bump version to allow rebuild
* Thu Jul 30 2015 Igor Gnatenko <ignatenko@src.gnome.org> - 0.23.0-1 * Thu Jul 30 2015 Igor Gnatenko <ignatenko@src.gnome.org> - 0.23.0-1
- Update to 0.23.0 - Update to 0.23.0