proxmox-mirrors/libgit2
1
0
Fork 0
mirror of https://git.proxmox.com/git/libgit2 synced 2025-05-29 18:38:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

libgit2 release 1.7.2+ds-1 for unstable (sid)

Browse Source 
(maintainer view tag generated by dgit --quilt=gbp)
 
 [dgit distro=debian split --quilt=gbp]
 -----BEGIN PGP SIGNATURE-----
 
 iQHIBAABCgAyFiEEJvtDgpxjkjCIVtam+C8H+466LVkFAmXEkLcUHHJvZWhsaW5n
 QGRlYmlhbi5vcmcACgkQ+C8H+466LVkVtQwApXPyJHO1UqnmWp/ohbBziuGu8NGA
 LdwQigZFfZzz9puYfVp6APtmM+fq18ipk8J0k4ZgWup9CesNQwBjDI7rWFKaieHU
 Oba88IZmwVLfJbCQKJ5pTvCvyCnoBW1PAR6VCXNK9ccLOAoQXE3DauzY6ai8LzDc
 8iige1ZqKaHrsVpaGUv/NfvR6raEjqiSXAhhkDgRWl8o5tmvqUR8xUP/bGBb+V8K
 ewxaAQS8d62TFT5raKbdFZ8apRx7Ue0sc5G40vfKAn/ptNDsNeywJxvv6hDjhN/Y
 u1MS7ASbACtQSSGnBjePAXmrIKHkFKDrE6fWTM6Q1IGqyyHy8Th5Hy1F07QVo5Pa
 dUtAguoZ5X+SqJG/jlLvExIoDZJ57vJ4QYz0FQUeQtYmK5Q3HtgufJs6Fz2P1Jar
 5NB6s5Rz1YI9UnyASom03KaPkdcU4nVkr2u6Uyv7AJrEgFufPrpwwI+TPeOookL8
 AY9dSQfByJHiHfm//UHuuXE3NWjzBzSYPNMO
 =d6Kw
 -----END PGP SIGNATURE-----

Merge tag 'debian/1.7.2+ds-1' into proxmox/bookworm

libgit2 release 1.7.2+ds-1 for unstable (sid)

(maintainer view tag generated by dgit --quilt=gbp)

[dgit distro=debian split --quilt=gbp]
This commit is contained in:
Fabian Grünbichler 2024-06-19 14:20:43 +02:00
commit db43d3d96a
10 changed files with 68 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CMakeLists.txt
View File

@ -6,7 +6,7 @@
cmake_minimum_required(VERSION 3.5.1) cmake_minimum_required(VERSION 3.5.1)
project(libgit2 VERSION "1.7.1" LANGUAGES C) project(libgit2 VERSION "1.7.2" LANGUAGES C)
# Add find modules to the path # Add find modules to the path
set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake") set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake")

11
debian/changelog vendored
View File

@ -1,3 +1,14 @@
libgit2 (1.7.2+ds-1) unstable; urgency=medium
* New upstream version 1.7.2+ds
- Fix CVE-2024-24575: Denial of service in git_revparse_single
(Closes: #1063415)
- Fix CVE-2024-24577: Use-after-free in git_index_add
(Closes: #1063416)
* Build-depend on pkgconf instead of pkg-config
-- Timo Röhling <roehling@debian.org> Thu, 08 Feb 2024 09:10:45 +0100
libgit2 (1.7.1+ds-2~bpo12+pve1) bookworm; urgency=medium libgit2 (1.7.1+ds-2~bpo12+pve1) bookworm; urgency=medium
* Rebuild for Debian Bookworm / Proxmox * Rebuild for Debian Bookworm / Proxmox

2
debian/control vendored
View File

@ -7,7 +7,7 @@ Uploaders: Pirate Praveen <praveen@debian.org>,
Timo Röhling <roehling@debian.org>, Timo Röhling <roehling@debian.org>,
Build-Depends: debhelper-compat (= 13), Build-Depends: debhelper-compat (= 13),
python3-minimal:any, python3-minimal:any,
pkg-config, pkgconf,
ca-certificates, ca-certificates,
cmake, cmake,
zlib1g-dev, zlib1g-dev,

17
docs/changelog.md
View File

@ -1,3 +1,20 @@
v1.7.2
------
## What's Changed
This release fixes three bugs that can cause undefined behavior when given well-crafted inputs, either in input files or over network connections. These bugs may be able to be leveraged to cause denial of service attacks or unauthorized code execution.
Two of these issues were discovered and reported by security engineers at Amazon Web Services. We thank the AWS Security team for their efforts to identify these issues, provide helpful reproduction cases, and responsibly disclose their findings.
### Security fixes
* transport: safely handle messages with no caps
* revparse: fix parsing bug for trailing `@`
* index: correct index has_dir_name check
**Full Changelog**: https://github.com/libgit2/libgit2/compare/v1.7.1...v1.7.2
v1.7.1 v1.7.1
------ ------

4
include/git2/version.h
View File

@ -11,7 +11,7 @@
* The version string for libgit2. This string follows semantic * The version string for libgit2. This string follows semantic
* versioning (v2) guidelines. * versioning (v2) guidelines.
*/ */
#define LIBGIT2_VERSION "1.7.1" #define LIBGIT2_VERSION "1.7.2"
/** The major version number for this version of libgit2. */ /** The major version number for this version of libgit2. */
#define LIBGIT2_VER_MAJOR 1 #define LIBGIT2_VER_MAJOR 1
@ -20,7 +20,7 @@
#define LIBGIT2_VER_MINOR 7 #define LIBGIT2_VER_MINOR 7
/** The revision ("teeny") version number for this version of libgit2. */ /** The revision ("teeny") version number for this version of libgit2. */
#define LIBGIT2_VER_REVISION 1 #define LIBGIT2_VER_REVISION 2
/** The Windows DLL patch number for this version of libgit2. */ /** The Windows DLL patch number for this version of libgit2. */
#define LIBGIT2_VER_PATCH 0 #define LIBGIT2_VER_PATCH 0

2
package.json
View File

@ -1,6 +1,6 @@
{ {
"name": "libgit2", "name": "libgit2",
"version": "1.7.1", "version": "1.7.2",
"repo": "https://github.com/libgit2/libgit2", "repo": "https://github.com/libgit2/libgit2",
"description": " A cross-platform, linkable library implementation of Git that you can use in your application.", "description": " A cross-platform, linkable library implementation of Git that you can use in your application.",
"install": "mkdir build && cd build && cmake .. && cmake --build ." "install": "mkdir build && cd build && cmake .. && cmake --build ."

7
src/libgit2/index.c
View File

@ -1185,10 +1185,13 @@ static int has_dir_name(git_index *index,
size_t len, pos; size_t len, pos;
for (;;) { for (;;) {
if (*--slash == '/') slash--;
break;
if (slash <= entry->path) if (slash <= entry->path)
return 0; return 0;
if (*slash == '/')
break;
} }
len = slash - name; len = slash - name;

5
src/libgit2/revparse.c
View File

@ -701,6 +701,7 @@ static int revparse(
git_object *base_rev = NULL; git_object *base_rev = NULL;
bool should_return_reference = true; bool should_return_reference = true;
bool parsed = false;
GIT_ASSERT_ARG(object_out); GIT_ASSERT_ARG(object_out);
GIT_ASSERT_ARG(reference_out); GIT_ASSERT_ARG(reference_out);
@ -710,7 +711,7 @@ static int revparse(
*object_out = NULL; *object_out = NULL;
*reference_out = NULL; *reference_out = NULL;
while (spec[pos]) { while (!parsed && spec[pos]) {
switch (spec[pos]) { switch (spec[pos]) {
case '^': case '^':
should_return_reference = false; should_return_reference = false;
@ -817,6 +818,8 @@ static int revparse(
break; break;
} else if (spec[pos+1] == '\0') { } else if (spec[pos+1] == '\0') {
spec = "HEAD"; spec = "HEAD";
identifier_len = 4;
parsed = true;
break; break;
} }
/* fall through */ /* fall through */

3
src/libgit2/transports/smart_pkt.c
View File

@ -232,7 +232,8 @@ static int set_data(
GIT_ASSERT_ARG(data); GIT_ASSERT_ARG(data);
if ((caps = memchr(line, '\0', len)) != NULL) { if ((caps = memchr(line, '\0', len)) != NULL &&
len > (size_t)((caps - line) + 1)) {
caps++; caps++;
if (strncmp(caps, "object-format=", CONST_STRLEN("object-format=")) == 0) if (strncmp(caps, "object-format=", CONST_STRLEN("object-format=")) == 0)

24
tests/libgit2/index/add.c
View File

@ -82,3 +82,27 @@ void test_index_add__invalid_entries_succeeds_by_default(void)
test_add_entry(true, valid_commit_id, GIT_FILEMODE_LINK); test_add_entry(true, valid_commit_id, GIT_FILEMODE_LINK);
} }
void test_index_add__two_slash_prefixed(void)
{
git_index_entry one = {{0}}, two = {{0}};
const git_index_entry *result;
size_t orig_count;
orig_count = git_index_entrycount(g_index);
cl_git_pass(git_oid__fromstr(&one.id, "fa49b077972391ad58037050f2a75f74e3671e92", GIT_OID_SHA1));
one.path = "/a";
one.mode = GIT_FILEMODE_BLOB;
cl_git_pass(git_oid__fromstr(&two.id, "3697d64be941a53d4ae8f6a271e4e3fa56b022cc", GIT_OID_SHA1));
two.path = "/a";
two.mode = GIT_FILEMODE_BLOB;
cl_git_pass(git_index_add(g_index, &one));
cl_git_pass(git_index_add(g_index, &two));
cl_assert_equal_i(orig_count + 1, git_index_entrycount(g_index));
cl_assert(result = git_index_get_bypath(g_index, "/a", 0));
cl_assert_equal_oid(&two.id, &result->id);
}