Updated version

debian/changelog

@@ -1,3 +1,11 @@
+libgit2 (0.24.5-1) unstable; urgency=medium
+
+  * New upstream release.
+  * debian/patch/fix_gmt14_timzone_bug.patch (Closes: #841532)
+  * Correcty address CVE-2016-8568
+
+ -- Russell Sim <russell.sim@gmail.com>  Mon, 02 Jan 2017 20:35:08 +1100
+
 libgit2 (0.24.2-2) unstable; urgency=medium
 
   * Upload to unstable.

debian/patches/commit-always-initialize-commit-message.patch

@@ -1,43 +0,0 @@
-From a719ef5e6d4a1a8ec53469c7914032ed67922772 Mon Sep 17 00:00:00 2001
-From: Patrick Steinhardt <ps@pks.im>
-Date: Fri, 7 Oct 2016 09:31:41 +0200
-Subject: [PATCH] commit: always initialize commit message
-
-When parsing a commit, we will treat all bytes left after parsing
-the headers as the commit message. When no bytes are left, we
-leave the commit's message uninitialized. While uncommon to have
-a commit without message, this is the right behavior as Git
-unfortunately allows for empty commit messages.
-
-Given that this scenario is so uncommon, most programs acting on
-the commit message will never check if the message is actually
-set, which may lead to errors. To work around the error and not
-lay the burden of checking for empty commit messages to the
-developer, initialize the commit message with an empty string
-when no commit message is given.
----
- src/commit.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/commit.c b/src/commit.c
-index 99a8085..76e6dcb 100644
---- a/src/commit.c
-+++ b/src/commit.c
-@@ -459,10 +459,11 @@ int git_commit__parse(void *_commit, git_odb_object *odb_obj)
- 	buffer = buffer_start + header_len + 1;
- 
- 	/* extract commit message */
--	if (buffer <= buffer_end) {
-+	if (buffer <= buffer_end)
- 		commit->raw_message = git__strndup(buffer, buffer_end - buffer);
--		GITERR_CHECK_ALLOC(commit->raw_message);
--	}
-+	else
-+		commit->raw_message = git__strdup("");
-+	GITERR_CHECK_ALLOC(commit->raw_message);
- 
- 	return 0;
- 
--- 
-2.8.1
-

debian/patches/fix_gmt14_timzone_bug.patch

@@ -0,0 +1,29 @@
+From 23c9ff8632d8ae90d211601d3254ab7f4d35e853 Mon Sep 17 00:00:00 2001
+From: Andreas Henriksson <andreas@fatal.se>
+Date: Sat, 17 Dec 2016 17:33:13 +0100
+Subject: [PATCH] Fix off-by-one problems in git_signature__parse
+
+Etc/GMT-14 aka UTC+14:00 is a thing....
+https://en.wikipedia.org/wiki/UTC%2B14:00
+
+Also allow offsets on the last minute (59).
+
+Addresses: https://bugs.debian.org/841532
+Fixes: #3970
+---
+ src/signature.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/signature.c b/src/signature.c
+index dcc3797..22cba7e 100644
+--- a/src/signature.c
++++ b/src/signature.c
+@@ -251,7 +251,7 @@ int git_signature__parse(git_signature *sig, const char **buffer_out,
+ 			 * only store timezone if it's not overflowing;
+ 			 * see http://www.worldtimezone.com/faq.html
+ 			 */
+-			if (hours < 14 && mins < 59) {
++			if (hours <= 14 && mins <= 59) {
+ 				sig->when.offset = (hours * 60) + mins;
+ 				if (tz_start[0] == '-')
+ 					sig->when.offset = -sig->when.offset;

debian/patches/series

@@ -1,2 +1,2 @@
 disable_tests.patch
-commit-always-initialize-commit-message.patch
+fix_gmt14_timzone_bug.patch

debian/rules

@@ -44,11 +44,9 @@ override_dh_auto_install:
 
 override_dh_auto_test:
 	mkdir -p build-debian-release/tmp
-	# Force the timezone to GMT to work around bug with GMT-14 timezone
-	# https://github.com/libgit2/libgit2/issues/3970
-	TZ=/usr/share/zoneinfo/Etc/GMT dh_auto_test --builddirectory=build-debian-release
+	dh_auto_test --builddirectory=build-debian-release
 	mkdir -p build-debian-devel/tmp
-	TZ=/usr/share/zoneinfo/Etc/GMT dh_auto_test --builddirectory=build-debian-devel
+	dh_auto_test --builddirectory=build-debian-devel
 
 override_dh_strip:
 	dh_strip --dbgsym-migration='libgit2-dbg (<< 0.24.0-2~)'