0001-tests-don-t-run-buf-oom-on-32-bit-systems.patch

@@ -0,0 +1,59 @@
+From 415a8ae9c9b6ac18f0524b6af8e58408b426457d Mon Sep 17 00:00:00 2001
+From: Edward Thomson <ethomson@edwardthomson.com>
+Date: Thu, 13 Sep 2018 13:27:07 +0100
+Subject: [PATCH] tests: don't run buf::oom on 32-bit systems
+
+On a 32-bit Linux systems, the value large enough to make malloc
+guarantee a failure is also large enough that valgrind considers it
+"fishy".  Skip this test on those systems entirely.
+---
+ tests/buf/oom.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/tests/buf/oom.c b/tests/buf/oom.c
+index 2741a8ddf2..ec3bad9979 100644
+--- a/tests/buf/oom.c
++++ b/tests/buf/oom.c
+@@ -11,12 +11,8 @@
+  */
+ #if defined(GIT_ARCH_64) && defined(__linux__)
+ # define TOOBIG 0x0fffffffffffffff
+-#elif defined(__linux__)
+-# define TOOBIG 0x0fffffff
+ #elif defined(GIT_ARCH_64)
+ # define TOOBIG 0xffffffffffffff00
+-#else
+-# define TOOBIG 0xffffff00
+ #endif
+ 
+ /**
+@@ -25,13 +21,18 @@
+  * will fail.  And because the git_buf_grow() wrapper always
+  * sets mark_oom, the code in git_buf_try_grow() will free
+  * the internal buffer and set it to git_buf__oom.
+- * 
++ *
+  * We initialized the internal buffer to (the static variable)
+  * git_buf__initbuf.  The purpose of this test is to make sure
+  * that we don't try to free the static buffer.
++ *
++ * Skip this test entirely on 32-bit platforms; a buffer large enough
++ * to guarantee malloc failures is so large that valgrind considers
++ * it likely to be an error.
+  */
+ void test_buf_oom__grow(void)
+ {
++#ifdef GIT_ARCH_64
+ 	git_buf buf = GIT_BUF_INIT;
+ 
+ 	git_buf_clear(&buf);
+@@ -40,6 +41,9 @@ void test_buf_oom__grow(void)
+ 	cl_assert(git_buf_oom(&buf));
+ 
+ 	git_buf_free(&buf);
++#else
++    cl_skip();
++#endif
+ }
+ 
+ void test_buf_oom__grow_by(void)

CVE-2020-12278.patch

@@ -0,0 +1,44 @@
+From e1832eb20a7089f6383cfce474f213157f5300cb Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <johannes.schindelin@gmx.de>
+Date: Wed, 18 Sep 2019 16:33:18 +0200
+Subject: [PATCH] path: also guard `.gitmodules` against NTFS Alternate Data
+ Streams
+
+We just safe-guarded `.git` against NTFS Alternate Data Stream-related
+attack vectors, and now it is time to do the same for `.gitmodules`.
+
+Note: In the added regression test, we refrain from verifying all kinds
+of variations between short names and NTFS Alternate Data Streams: as
+the new code disallows _all_ Alternate Data Streams of `.gitmodules`, it
+is enough to test one in order to know that all of them are guarded
+against.
+
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+---
+ src/path.c          | 2 +-
+ tests/path/dotgit.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/path.c b/src/path.c
+index 7844da67227..b3a8fc32f83 100644
+--- a/src/path.c
++++ b/src/path.c
+@@ -1646,7 +1646,7 @@ GIT_INLINE(bool) only_spaces_and_dots(const char *path)
+ 	const char *c = path;
+ 
+ 	for (;; c++) {
+-		if (*c == '\0')
++		if (*c == '\0' || *c == ':')
+ 			return true;
+ 		if (*c != ' ' && *c != '.')
+ 			return false;
+diff --git a/tests/path/dotgit.c b/tests/path/dotgit.c
+index 30996694512..ceb7330d248 100644
+--- a/tests/path/dotgit.c
++++ b/tests/path/dotgit.c
+@@ -116,4 +116,5 @@ void test_path_dotgit__dotgit_modules_symlink(void)
+ 	cl_assert_equal_b(true, git_path_isvalid(NULL, ".gitmodules", 0, GIT_PATH_REJECT_DOT_GIT_HFS|GIT_PATH_REJECT_DOT_GIT_NTFS));
+ 	cl_assert_equal_b(false, git_path_isvalid(NULL, ".gitmodules", S_IFLNK, GIT_PATH_REJECT_DOT_GIT_HFS));
+ 	cl_assert_equal_b(false, git_path_isvalid(NULL, ".gitmodules", S_IFLNK, GIT_PATH_REJECT_DOT_GIT_NTFS));
++	cl_assert_equal_b(false, git_path_isvalid(NULL, ".gitmodules . .::$DATA", S_IFLNK, GIT_PATH_REJECT_DOT_GIT_NTFS));
+ }

CVE-2020-12279.patch

@@ -0,0 +1,57 @@
+From 64c612cc3e25eff5fb02c59ef5a66ba7a14751e4 Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <johannes.schindelin@gmx.de>
+Date: Wed, 18 Sep 2019 15:25:02 +0200
+Subject: [PATCH] Protect against 8.3 "short name" attacks also on Linux/macOS
+
+The Windows Subsystem for Linux (WSL) is getting increasingly popular,
+in particular because it makes it _so_ easy to run Linux software on
+Windows' files, via the auto-mounted Windows drives (`C:\` is mapped to
+`/mnt/c/`, no need to set that up manually).
+
+Unfortunately, files/directories on the Windows drives can be accessed
+via their _short names_, if that feature is enabled (which it is on the
+`C:` drive by default).
+
+Which means that we have to safeguard even our Linux users against the
+short name attacks.
+
+Further, while the default options of CIFS/SMB-mounts seem to disallow
+accessing files on network shares via their short names on Linux/macOS,
+it _is_ possible to do so with the right options.
+
+So let's just safe-guard against short name attacks _everywhere_.
+
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+---
+ src/checkout.c         | 2 +-
+ tests/checkout/nasty.c | 3 +--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/checkout.c b/src/checkout.c
+index 5cfa7280baa..5b20ede466b 100644
+--- a/src/checkout.c
++++ b/src/checkout.c
+@@ -1271,7 +1271,7 @@ static int checkout_verify_paths(
+ 	int action,
+ 	git_diff_delta *delta)
+ {
+-	unsigned int flags = GIT_PATH_REJECT_WORKDIR_DEFAULTS;
++	unsigned int flags = GIT_PATH_REJECT_WORKDIR_DEFAULTS | GIT_PATH_REJECT_DOT_GIT_NTFS;
+ 
+ 	if (action & CHECKOUT_ACTION__REMOVE) {
+ 		if (!git_path_isvalid(repo, delta->old_file.path, delta->old_file.mode, flags)) {
+diff --git a/tests/checkout/nasty.c b/tests/checkout/nasty.c
+index 3897878cef1..a0ac738a812 100644
+--- a/tests/checkout/nasty.c
++++ b/tests/checkout/nasty.c
+@@ -206,9 +206,8 @@ void test_checkout_nasty__dot_git_dot(void)
+  */
+ void test_checkout_nasty__git_tilde1(void)
+ {
+-#ifdef GIT_WIN32
+ 	test_checkout_fails("refs/heads/git_tilde1", ".git/foobar");
+-#endif
++	test_checkout_fails("refs/heads/git_tilde1", "git~1/foobar");
+ }
+ 
+ /* A tree that contains an entry "git~2", when we have forced the short

libgit2.spec

@@ -1,14 +1,17 @@
 Name:           libgit2
-Version:        1.7.2
+Version:        0.27.8
-Release:        1
+Release:        4
 Summary:        portable, pure C implementation of the Git core methods
 License:        GPLv2 with exceptions
 URL:            https://libgit2.org
-Source0:        https://github.com/libgit2/libgit2/archive/v%{version}/%{name}-%{version}.tar.gz
+Source0:        https://github.com/libgit2/libgit2/archive/v%{version}.tar.gz
 
-BuildRequires:  gcc cmake >= 3.5.1 ninja-build http-parser-devel libcurl-devel
+Patch0001:      0001-tests-don-t-run-buf-oom-on-32-bit-systems.patch
+Patch0002:      CVE-2020-12278.patch
+Patch0003:      CVE-2020-12279.patch
+
+BuildRequires:  gcc cmake >= 2.8.11 ninja-build http-parser-devel libcurl-devel
 BuildRequires:  libssh2-devel openssl-devel python3 zlib-devel
-BuildRequires:  pcre2-devel
 Provides:       bundled(libxdiff)
 
 %description
@@ -25,17 +28,12 @@ This package contains libraries and headers for developing applications that use
 
 %prep
 %autosetup -n %{name}-%{version} -p1
-find examples -name ".gitignore" -delete -print
+rm -rfv examples/network/.gitignore deps
-sed -i '/-sonline/s/^/#/' tests/libgit2/CMakeLists.txt
+sed -i '/ADD_TEST(online/s/^/#/' tests/CMakeLists.txt
-# Remove bundled libraries (except libxdiff)
-pushd deps
-find . -maxdepth 1 -not -name xdiff -exec rm -rf {} ';'
-popd
 
 %build
 %cmake . -B%{_target_platform} -GNinja -DCMAKE_BUILD_TYPE=RelWithDebInfo \
-  -DREGEX_BACKEND=pcre2 -DBUILD_CLI=OFF -DUSE_SHA1=HTTPS -DUSE_HTTP_PARSER=system \
+  -DSHA1_BACKEND=OpenSSL -DUSE_HTTPS=OpenSSL %{nil}
-  -DUSE_NTLMCLIENT=OFF -DUSE_HTTPS=OpenSSL -DUSE_SSH=ON %{nil}
 %ninja_build -C %{_target_platform}
 
 %install
@@ -59,22 +57,6 @@ popd
 %{_includedir}/git2*
 
 %changelog
-* Wed Mar 06 2024 yaoxin <yao_xin001@hoperun.com> - 1.7.2-1
-- Upgrade to 1.7.2
-
-* Wed Feb 07 2024 yaoxin <yao_xin001@hoperun.com> - 1.6.5-1
-- Upgrade to 1.6.5 for fix CVE-2024-24575 and CVE-2024-24577
-
-* Fri Jul 7 2023 liyanan <thistleslyn@163.com> - 1.6.4-1
-- Update to version 1.6.4
-- Abi change: libgit2.so.1.3.2 -> libgit2.so.1.6.4
-
-* Mon Jul 25 2022 xu_ping <xuping33@h-partners.com> - 1.3.2-1
-- Upgrade 1.3.2
-
-* Fri May 13 2022 liyanan <liyanan32@h-partners.com> - 0.27.8-5
-- Remove error-prone, redundant test
-
 * Fri Jul 23 2021 guoxiaoqi<guoxiaoqi2@huawei.com> - 0.27.8-4
 - fix CVE-2020-12278 and CVE-2020-12279