diff --git a/meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch b/meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch new file mode 100644 index 0000000000..d3957ac5d0 --- /dev/null +++ b/meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch @@ -0,0 +1,56 @@ +From c9d31b711e8906cf248566f43142f20b03e20cbf Mon Sep 17 00:00:00 2001 +From: Edward Thomson +Date: Fri, 17 Nov 2023 16:54:47 +0000 +Subject: [PATCH] revparse: fix parsing bug for trailing `@` + +When parsing a revspec that ends with a trailing `@`, explicitly stop +parsing. Introduce a sentinel variable to explicitly stop parsing. + +Prior to this, we would set `spec` to `HEAD`, but were looping on the +value of `spec[pos]`, so we would continue walking the (new) `spec` +at offset `pos`, looking for a NUL. This is obviously an out-of-bounds +read. + +Credit to Michael Rodler (@f0rki) and Amazon AWS Security. + +CVE: CVE-2024-24575 + +Upstream-Status: Backport [https://github.com/libgit2/libgit2/commit/c9d31b711e8906cf248566f43142f20b03e20cbf] + +Signed-off-by: Soumya Sambu +--- + src/revparse.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/revparse.c b/src/revparse.c +index 9bc28e9fc..d3bbe840b 100644 +--- a/src/revparse.c ++++ b/src/revparse.c +@@ -685,6 +685,7 @@ static int revparse( + git_object *base_rev = NULL; + + bool should_return_reference = true; ++ bool parsed = false; + + GIT_ASSERT_ARG(object_out); + GIT_ASSERT_ARG(reference_out); +@@ -694,7 +695,7 @@ static int revparse( + *object_out = NULL; + *reference_out = NULL; + +- while (spec[pos]) { ++ while (!parsed && spec[pos]) { + switch (spec[pos]) { + case '^': + should_return_reference = false; +@@ -801,6 +802,8 @@ static int revparse( + break; + } else if (spec[pos+1] == '\0') { + spec = "HEAD"; ++ identifier_len = 4; ++ parsed = true; + break; + } + /* fall through */ +-- +2.40.0 diff --git a/meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch b/meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch new file mode 100644 index 0000000000..3469f9d099 --- /dev/null +++ b/meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch @@ -0,0 +1,52 @@ +From eb4c1716cd92bf56f2770653a915d5fc01eab8f3 Mon Sep 17 00:00:00 2001 +From: Edward Thomson +Date: Sat, 16 Dec 2023 11:19:07 +0000 +Subject: [PATCH] index: correct index has_dir_name check + +`has_dir_name` is used to check for directory/file collisions, +and attempts to determine whether the index contains a file with +a directory name that is a proper subset of the new index entry +that we're trying to add. + +To determine directory name, the function would walk the path string +backwards to identify a `/`, stopping at the end of the string. However, +the function assumed that the strings did not start with a `/`. If the +paths contain only a single `/` at the beginning of the string, then the +function would continue the loop, erroneously, when they should have +stopped at the first character. + +Correct the order of the tests to terminate properly. + +Credit to Michael Rodler (@f0rki) and Amazon AWS Security. + +CVE: CVE-2024-24577 + +Upstream-Status: Backport [https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3] + +Signed-off-by: Soumya Sambu +--- + src/index.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/index.c b/src/index.c +index aa97c6421..e8ff82e1a 100644 +--- a/src/index.c ++++ b/src/index.c +@@ -1148,10 +1148,13 @@ static int has_dir_name(git_index *index, + size_t len, pos; + + for (;;) { +- if (*--slash == '/') +- break; ++ slash--; ++ + if (slash <= entry->path) + return 0; ++ ++ if (*slash == '/') ++ break; + } + len = slash - name; + +-- +2.40.0 diff --git a/meta/recipes-support/libgit2/libgit2_1.4.5.bb b/meta/recipes-support/libgit2/libgit2_1.4.5.bb index aadfe4ad02..ad8b9a536a 100644 --- a/meta/recipes-support/libgit2/libgit2_1.4.5.bb +++ b/meta/recipes-support/libgit2/libgit2_1.4.5.bb @@ -5,7 +5,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e5a9227de4cb6afb5d35ed7b0fdf480d" DEPENDS = "curl openssl zlib libssh2 libgcrypt libpcre2" -SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v1.4;protocol=https" +SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v1.4;protocol=https \ + file://CVE-2024-24575.patch \ + file://CVE-2024-24577.patch \ + " SRCREV = "cd6f679af401eda1f172402006ef8265f8bd58ea" S = "${WORKDIR}/git"