From 27a99ed552a469d808ce4d0ba4022b98f9c5d78c Mon Sep 17 00:00:00 2001
From: Russell Sim
Date: Sun, 23 Oct 2016 14:37:11 +1100
Subject: [PATCH] Updated version
* Added patch for CVEs
* Bumped standards version
* Set debian hardening complie flags
* patched with fixes for CVEs
* Fix compile in GMT-14
---
 debian/changelog | 11 +++++
 debian/control | 2 +-
 debian/libgit2-24.lintian-overrides | 1 -
 debian/libgit2-dev.lintian-overrides | 1 -
 ...mit-always-initialize-commit-message.patch | 43 +++++++++++++++++++
 debian/patches/series | 1 +
 debian/rules | 7 ++-
 debian/source.lintian-overrides | 1 -
 8 files changed, 61 insertions(+), 6 deletions(-)
 create mode 100644 debian/patches/commit-always-initialize-commit-message.patch
diff --git a/debian/changelog b/debian/changelog
index 4bd1d5c9e..1a6870264 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+libgit2 (0.24.2-1) UNRELEASED; urgency=medium
+
+ * New upstream release.
+ * Bump Standards-Version to 3.9.8
+ * Add commit-always-initialize-commit-message.patch fixes CVE-2016-8568, CVE-2016-8569
+ * Set debian hardening compile flags.
+ * Force timezone to GMT.
+ -- Russell Sim Sun, 23 Oct 2016 14:30:45 +1100
+
 libgit2 (0.24.1-2) unstable; urgency=medium
 * Team upload.
diff --git a/debian/control b/debian/control
index c68a0c5f7..2fe40964f 100644
--- a/debian/control
+++ b/debian/control
@@ -6,7 +6,7 @@ Build-Depends: debhelper (>= 9.20160114), python-minimal (>= 2.4.0), pkg-config, cmake, libz-dev, libcurl4-gnutls-dev, libssh2-1-dev, libhttp-parser-dev
-Standards-Version: 3.9.7
+Standards-Version: 3.9.8
 Homepage: http://libgit2.github.com/
 Vcs-Git: https://anonscm.debian.org/cgit/collab-maint/libgit2.git/
 Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/libgit2.git/
diff --git a/debian/libgit2-24.lintian-overrides b/debian/libgit2-24.lintian-overrides
index 869b94eb8..e69de29bb 100644
--- a/debian/libgit2-24.lintian-overrides
+++ b/debian/libgit2-24.lintian-overrides
@@ -1 +0,0 @@
-libgit2-24: spelling-error-in-binary
diff --git a/debian/libgit2-dev.lintian-overrides b/debian/libgit2-dev.lintian-overrides
index 493dab4ed..e69de29bb 100644
--- a/debian/libgit2-dev.lintian-overrides
+++ b/debian/libgit2-dev.lintian-overrides
@@ -1 +0,0 @@
-libgit2-dev: static-library-has-unneeded-section
diff --git a/debian/patches/commit-always-initialize-commit-message.patch b/debian/patches/commit-always-initialize-commit-message.patch
new file mode 100644
index 000000000..301b6c100
--- /dev/null
+++ b/debian/patches/commit-always-initialize-commit-message.patch
@@ -0,0 +1,43 @@
+From a719ef5e6d4a1a8ec53469c7914032ed67922772 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt
+Date: Fri, 7 Oct 2016 09:31:41 +0200
+Subject: [PATCH] commit: always initialize commit message
+
+When parsing a commit, we will treat all bytes left after parsing
+the headers as the commit message. When no bytes are left, we
+leave the commit's message uninitialized. While uncommon to have
+a commit without message, this is the right behavior as Git
+unfortunately allows for empty commit messages.
+
+Given that this scenario is so uncommon, most programs acting on
+the commit message will never check if the message is actually
+set, which may lead to errors. To work around the error and not
+lay the burden of checking for empty commit messages to the
+developer, initialize the commit message with an empty string
+when no commit message is given.
+---
+ src/commit.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/commit.c b/src/commit.c
+index 99a8085..76e6dcb 100644
+--- a/src/commit.c
++++ b/src/commit.c
+@@ -459,10 +459,11 @@ int git_commit__parse(void *_commit, git_odb_object *odb_obj)
+ buffer = buffer_start + header_len + 1;
+ 
+ /* extract commit message */
+- if (buffer <= buffer_end) {
++ if (buffer <= buffer_end)
+ commit->raw_message = git__strndup(buffer, buffer_end - buffer);
+- GITERR_CHECK_ALLOC(commit->raw_message);
+- }
++ else
++ commit->raw_message = git__strdup("");
++ GITERR_CHECK_ALLOC(commit->raw_message);
+ 
+ return 0;
+ 
+--
+2.8.1
+
diff --git a/debian/patches/series b/debian/patches/series
index cdacb994b..4836182ba 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 disable_tests.patch
+commit-always-initialize-commit-message.patch
diff --git a/debian/rules b/debian/rules
index dc683dcc1..65daeec8f 100755
--- a/debian/rules
+++ b/debian/rules
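Review bot: The added debian/patches/commit-always-initialize-commit-message.patch carries no DEP-3 provenance beyond the git format-patch From:/Subject: lines, so nothing inside the patch itself ties it to the upstream commit or to the two CVEs it is meant to close; the CVE ids live only in debian/changelog. After the Subject: block add `Origin: upstream, commit a719ef5e6d4a1a8ec53469c7914032ed67922772` and a description line such as `Fixes CVE-2016-8568 and CVE-2016-8569 (NULL commit message reachable by callers).`, plus a `Bug-Debian:` line with the bug number if one was filed (placeholder until known), so the backport can be audited without cross-referencing the changelog. The C change itself reads correctly: after a successful parse raw_message now always points at an allocation, and GITERR_CHECK_ALLOC covers both the strndup and the strdup branch; the enclosing git_commit__parse starts and ends outside the quoted hunk. Because series also carries disable_tests.patch, it is worth confirming that the commit-parsing tests still run under dh_auto_test so the empty-message path is exercised at build time rather than only asserted by this patch.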
@@ -10,6 +10,9 @@ DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
 TEST_TMPDIR := $(CURDIR)/tmp-test
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
 override_dh_auto_configure:
 dh_auto_configure --builddirectory=build-debian-release -- \
@@ -41,9 +44,9 @@ override_dh_auto_install:
 override_dh_auto_test:
 mkdir -p build-debian-release/tmp
- dh_auto_test --builddirectory=build-debian-release
+ TZ=/usr/share/zoneinfo/Etc/GMT dh_auto_test --builddirectory=build-debian-release
 mkdir -p build-debian-devel/tmp
- dh_auto_test --builddirectory=build-debian-devel
+ TZ=/usr/share/zoneinfo/Etc/GMT dh_auto_test --builddirectory=build-debian-devel
 override_dh_strip:
 dh_strip --dbgsym-migration='libgit2-dbg (<< 0.24.0-2~)'
diff --git a/debian/source.lintian-overrides b/debian/source.lintian-overrides
index 6a578ca08..b841c348c 100644
--- a/debian/source.lintian-overrides
+++ b/debian/source.lintian-overrides
@@ -1,2 +1 @@
-libgit2: source-contains-prebuilt-windows-binary
 libgit2: debian-watch-may-check-gpg-signature
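Review bot: Turning on `hardening=+all` only helps if the exported flags actually reach the CMake-driven compile and link, and neither this hunk nor the changelog entry records that this was checked: CMake does not read CPPFLAGS from the environment, so whether `-D_FORTIFY_SOURCE=2` reaches the compiler depends on debhelper's cmake buildsystem folding CPPFLAGS into CMAKE_C_FLAGS, and the upstream CMakeLists may append or reset flags of its own. Before upload, run blhc over the build log and hardening-check over the built libgit2 shared object (PIE, RELRO, BIND_NOW, stack protector, fortify) and mention the result in the changelog. The `DPKG_EXPORT_BUILDFLAGS = 1` plus `include /usr/share/dpkg/buildflags.mk` pair is the documented pattern; with the debhelper version in Build-Depends the dh_auto_* commands already export the same flags, so the include is belt-and-braces, which is fine but deserves a one-line comment such as `# dpkg-buildflags with every hardening feature; dh exports these too, the include keeps them for plain make targets`.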
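Review bot: `TZ=/usr/share/zoneinfo/Etc/GMT` on the two dh_auto_test lines uses an absolute zoneinfo path where the conventional value is a zone name; glibc resolves the absolute form, but the portable spelling is `TZ=Etc/GMT dh_auto_test --builddirectory=build-debian-release` (and the same for build-debian-devel), and a zone-name value does not depend on the tzdata install location. The commit message calls this "Fix compile in GMT-14" while the hunk only touches the test invocations, so the changelog's "Force timezone to GMT" is the accurate description; a suite that fails at some UTC offsets is a timezone-dependent test upstream, and pinning TZ here masks that rather than fixing it, so a comment naming the affected test, e.g. `# upstream tests assume a fixed UTC offset; see <upstream-issue placeholder>`, would help the next maintainer decide when the override can go. The override_dh_auto_install recipe named in the hunk header lies outside the hunk.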