From a1fed87ff1fca368097f7fd280e76c3418c60700 Mon Sep 17 00:00:00 2001
From: Igor Gnatenko
Date: Mon, 10 Oct 2016 10:26:47 +0200
Subject: [PATCH] Backport patch for CVE-2016-8568, CVE-2016-8569
Signed-off-by: Igor Gnatenko
---
 ...mit-always-initialize-commit-message.patch | 43 +++++++++++++++++++
 libgit2.spec | 12 +++++-
 2 files changed, 53 insertions(+), 2 deletions(-)
 create mode 100644 0001-commit-always-initialize-commit-message.patch
diff --git a/0001-commit-always-initialize-commit-message.patch b/0001-commit-always-initialize-commit-message.patch
new file mode 100644
index 0000000..6618342
--- /dev/null
+++ b/0001-commit-always-initialize-commit-message.patch
@@ -0,0 +1,43 @@
+From a719ef5e6d4a1a8ec53469c7914032ed67922772 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt
+Date: Fri, 7 Oct 2016 09:31:41 +0200
+Subject: [PATCH] commit: always initialize commit message
+
+When parsing a commit, we will treat all bytes left after parsing
+the headers as the commit message. When no bytes are left, we
+leave the commit's message uninitialized. While uncommon to have
+a commit without message, this is the right behavior as Git
+unfortunately allows for empty commit messages.
+
+Given that this scenario is so uncommon, most programs acting on
+the commit message will never check if the message is actually
+set, which may lead to errors. To work around the error and not
+lay the burden of checking for empty commit messages to the
+developer, initialize the commit message with an empty string
+when no commit message is given.
+---
+ src/commit.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/commit.c b/src/commit.c
+index 99a8085..76e6dcb 100644
+--- a/src/commit.c
++++ b/src/commit.c
+@@ -459,10 +459,11 @@ int git_commit__parse(void *_commit, git_odb_object *odb_obj)
+ buffer = buffer_start + header_len + 1;
+
+ /* extract commit message */
+- if (buffer <= buffer_end) {
++ if (buffer <= buffer_end)
+ commit->raw_message = git__strndup(buffer, buffer_end - buffer);
+- GITERR_CHECK_ALLOC(commit->raw_message);
+- }
++ else
++ commit->raw_message = git__strdup("");
++ GITERR_CHECK_ALLOC(commit->raw_message);
+
+ return 0;
+
+--
+2.10.1
+
diff --git a/libgit2.spec b/libgit2.spec
index edf5269..b8d8f75 100644
--- a/libgit2.spec
+++ b/libgit2.spec
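Review bot: In `git_commit__parse`, `buffer = buffer_start + header_len + 1;` is computed before the bounds test, so in exactly the case the new `else` branch handles the pointer already lies beyond `buffer_end`; if `buffer_end` is the one-past-the-end pointer of the object data (not visible in this hunk), forming and comparing that pointer is undefined behaviour. Comparing lengths first avoids it, for example `if (header_len < (size_t)(buffer_end - buffer_start))` (assuming `header_len` is an unsigned size), with `buffer` derived only inside the taken branch. The new `if`/`else` is also unbraced while `GITERR_CHECK_ALLOC(commit->raw_message);` sits directly below it at the outer level; braces on both arms would keep a later edit from silently changing which statement is conditional. The patch carries no regression test for a commit object with nothing after its headers, and the function body starts and ends outside the hunk.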
@@ -1,10 +1,15 @@
 Name: libgit2
 Version: 0.24.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: C implementation of the Git core methods as a library with a solid API
 License: GPLv2 with exceptions
 URL: http://libgit2.github.com/
 Source0: https://github.com/libgit2/libgit2/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# https://bugzilla.redhat.com/show_bug.cgi?id=1383212
+# CVE-2016-8568 CVE-2016-8569
+# https://github.com/libgit2/libgit2/commit/a719ef5e6d4a1a8ec53469c7914032ed67922772
+Patch0001: 0001-commit-always-initialize-commit-message.patch
+
 BuildRequires: cmake
 BuildRequires: http-parser-devel
 BuildRequires: libcurl-devel
@@ -29,7 +34,7 @@ This package contains libraries and header files for developing applications that use %{name}. %prep -%autosetup +%autosetup -p1 # Remove VCS files from examples find examples -name ".gitignore" -delete -print
@@ -76,6 +81,9 @@ popd %{_includedir}/git2/ %changelog +* Mon Oct 10 2016 Igor Gnatenko - 0.24.2-2 +- Backport patch for CVE-2016-8568, CVE-2016-8569 + * Tue Oct 04 2016 Igor Gnatenko - 0.24.2-1 - Update to 0.24.2 (RHBZ #1381398)
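Review bot: The comment above `Patch0001` lists CVE-2016-8568 and CVE-2016-8569 against a single upstream commit, while the carried patch's own message describes only the unset commit message, so nothing in the spec records that this one change closes both ids. Once confirmed against the referenced bug, a line such as `# one upstream fix covers both CVEs (RHBZ #1383212)` would let a later rebase or audit verify the backport without re-reading the tracker. The same wording would fit the new `%changelog` entry in the last hunk.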