diff --git a/debian/changelog b/debian/changelog index 1ebb7c6ab..79c89c6ee 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +libgit2 (0.24.5-1) unstable; urgency=medium + + * New upstream release. + * debian/patch/fix_gmt14_timzone_bug.patch (Closes: #841532) + * Correcty address CVE-2016-8568 + + -- Russell Sim Mon, 02 Jan 2017 20:35:08 +1100 + libgit2 (0.24.2-2) unstable; urgency=medium * Upload to unstable. diff --git a/debian/patches/commit-always-initialize-commit-message.patch b/debian/patches/commit-always-initialize-commit-message.patch deleted file mode 100644 index 301b6c100..000000000 --- a/debian/patches/commit-always-initialize-commit-message.patch +++ /dev/null 
@@ -1,43 +0,0 @@
-From a719ef5e6d4a1a8ec53469c7914032ed67922772 Mon Sep 17 00:00:00 2001
-From: Patrick Steinhardt
-Date: Fri, 7 Oct 2016 09:31:41 +0200
-Subject: [PATCH] commit: always initialize commit message
-
-When parsing a commit, we will treat all bytes left after parsing
-the headers as the commit message. When no bytes are left, we
-leave the commit's message uninitialized. While uncommon to have
-a commit without message, this is the right behavior as Git
-unfortunately allows for empty commit messages.
-
-Given that this scenario is so uncommon, most programs acting on
-the commit message will never check if the message is actually
-set, which may lead to errors. To work around the error and not
-lay the burden of checking for empty commit messages to the
-developer, initialize the commit message with an empty string
-when no commit message is given.
----
- src/commit.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/commit.c b/src/commit.c
-index 99a8085..76e6dcb 100644
---- a/src/commit.c
--+++ b/src/commit.c
--@@ -459,10 +459,11 @@ int git_commit__parse(void *_commit, git_odb_object *odb_obj)
- buffer = buffer_start + header_len + 1;
-
- /* extract commit message */
-- if (buffer <= buffer_end) {
-+ if (buffer <= buffer_end)
- commit->raw_message = git__strndup(buffer, buffer_end - buffer);
-- GITERR_CHECK_ALLOC(commit->raw_message);
-- }
-+ else
-+ commit->raw_message = git__strdup("");
-+ GITERR_CHECK_ALLOC(commit->raw_message);
-
- return 0;
-
---
-2.8.1
-
diff --git a/debian/patches/fix_gmt14_timzone_bug.patch b/debian/patches/fix_gmt14_timzone_bug.patch
new file mode 100644
index 000000000..5ced26c44
--- /dev/null
+++ b/debian/patches/fix_gmt14_timzone_bug.patch
@@ -0,0 +1,29 @@ +From 23c9ff8632d8ae90d211601d3254ab7f4d35e853 Mon Sep 17 00:00:00 2001 +From: Andreas Henriksson +Date: Sat, 17 Dec 2016 17:33:13 +0100 +Subject: [PATCH] Fix off-by-one problems in git_signature__parse + +Etc/GMT-14 aka UTC+14:00 is a thing.... +https://en.wikipedia.org/wiki/UTC%2B14:00 + +Also allow offsets on the last minute (59). + +Addresses: https://bugs.debian.org/841532 +Fixes: #3970 +--- + src/signature.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/signature.c b/src/signature.c +index dcc3797..22cba7e 100644 +--- a/src/signature.c ++++ b/src/signature.c +@@ -251,7 +251,7 @@ int git_signature__parse(git_signature *sig, const char **buffer_out, + * only store timezone if it's not overflowing; + * see http://www.worldtimezone.com/faq.html + */ +- if (hours < 14 && mins < 59) { ++ if (hours <= 14 && mins <= 59) { + sig->when.offset = (hours * 60) + mins; + if (tz_start[0] == '-') + sig->when.offset = -sig->when.offset; diff --git a/debian/patches/series b/debian/patches/series index 4836182ba..f4bc2a21b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,2 @@ disable_tests.patch -commit-always-initialize-commit-message.patch +fix_gmt14_timzone_bug.patch diff --git a/debian/rules b/debian/rules index 6b07f9ea5..75b842285 100755 --- a/debian/rules +++ b/debian/rules @@ -44,11 +44,9 @@ override_dh_auto_install: override_dh_auto_test: mkdir -p build-debian-release/tmp - # Force the timezone to GMT to work around bug with GMT-14 timezone - # https://github.com/libgit2/libgit2/issues/3970 - TZ=/usr/share/zoneinfo/Etc/GMT dh_auto_test --builddirectory=build-debian-release + dh_auto_test --builddirectory=build-debian-release mkdir -p build-debian-devel/tmp - TZ=/usr/share/zoneinfo/Etc/GMT dh_auto_test --builddirectory=build-debian-devel + dh_auto_test --builddirectory=build-debian-devel override_dh_strip: dh_strip --dbgsym-migration='libgit2-dbg (<< 0.24.0-2~)'
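Review bot: The new bound `if (hours <= 14 && mins <= 59) {` in git_signature__parse admits every offset up to 14:59 in either direction, which is wider than the UTC+14:00 case the patch description is about. If only offsets up to +14:00 should be stored, `if (mins <= 59 && (hours * 60) + mins <= 14 * 60) {` keeps +1400 while rejecting +1401 to +1459. The embedded patch touches only src/signature.c, so nothing pins the boundary; a test that parses signatures with offsets `+1400`, `+1359` and `+1500` would keep the off-by-one from returning. How `hours` and `mins` are derived is outside the hunk, so whether either can be negative at this test should be confirmed before relying on the upper bound alone. The function body starts and ends outside the hunk.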
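Review bot: Removing `commit-always-initialize-commit-message.patch` from the series leaves git_commit__parse without the empty-message initialisation unless the 0.24.5 upstream source already contains it, and nothing on this page shows that it does. The changelog entry says the CVE is now correctly addressed but does not record that this patch was dropped or why. A changelog line such as `* Drop commit-always-initialize-commit-message.patch, applied upstream` (if that is the case) would let a later reviewer confirm the fix was not lost in the version bump.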